Why was the salts and key generator deprecated?

I came across this when I was trying to generate salts and keys:

This feature is deprecated! We highly recommend generating your own keys and salts instead of relying on a remote service to do this for you.

Although I can generate one using the command on the salt page, is this compulsory, in the sense of generating it via my server? I am writing a tutorial, so I was looking for quick methods.

I would greatly appreciate any reply.

5 Likes

According to William:

The disadvantages of remote generation are that the algorithm to generate is well known and that it could also be compromised in transit between generating it and you receiving it.

Which was the reason for this line “instead of relying on a remote service”, so I think that answered my question.

5 Likes

I guess you’re talking about https://api-v1.classicpress.net/secret-key/1.0/salt/ here…

Yes, this is correct.

WP still makes this functionality available over plain HTTP which is kind of unbelievable to me!

Also, the default ClassicPress setup process should do this step for you.

3 Likes

Yes

Do you mean when I run the installation setup: website.com/wp-admin/install.php?

2 Likes

Yes, generating a config file with the salts in place happens as part of the normal installation process.

5 Likes

Thanks, I wasn’t aware of that.

3 Likes

The WordPress secret-key service is now https://api.wordpress.org/secret-key/1.1/salt/ so transmitting over plain HTTP should, in theory, not be an issue… except that you can still access it using HTTP. It doesn’t auto-redirect to HTTPS. Bizarre.

But it’s still best to leave CP to do the magic, as by default this is all done on your server. No internet involved.

4 Likes
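Local generation as discussed in this thread, shown as an added example that is not part of the original posts and is not ClassicPress's own code: it builds the eight key and salt `define()` lines from the operating system's CSPRNG and checks an existing config fragment for missing, placeholder, short or duplicated values. The function names, the 64-character length and the alphabet are assumptions made for this example.

```python
import re
import secrets
import string

# The eight constants defined in a standard wp-config.php.
NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# Assumption: printable ASCII without ' and \ so each value can sit
# unescaped inside a PHP single-quoted string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation + " " if c not in "'\\")
LENGTH = 64  # assumption: 64 characters per value
PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php
DEFINE_RE = re.compile(r"^define\(\s*'([A-Z_]+)',\s*'([^'\\]*)'\s*\);\s*$")


def generate_salts():
    """Return define() lines built from the OS CSPRNG; nothing leaves the host."""
    lines = []
    for name in NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        lines.append("define( '%s', '%s' );" % (name, value))
    return "\n".join(lines)


def check_salts(config_text):
    """Return a list of problems found in the define() lines of config_text."""
    found = {}
    for line in config_text.splitlines():
        m = DEFINE_RE.match(line.strip())
        if m and m.group(1) in NAMES:
            found[m.group(1)] = m.group(2)
    problems = ["missing " + n for n in NAMES if n not in found]
    for name, value in found.items():
        if value == PLACEHOLDER:
            problems.append(name + " still holds the sample placeholder")
        elif len(value) < LENGTH:
            problems.append(name + " is shorter than %d characters" % LENGTH)
    if len(set(found.values())) < len(found):
        problems.append("two or more constants share the same value")
    return problems


if __name__ == "__main__":
    block = generate_salts()
    print(block)
    print(check_salts(block) or "no problems found")
```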