I have come across the following code in a new client's existing website in wp-config.php

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

I searched online and found a post that suggests if the keys and salts are duplicated in the config then WordPress will generate new salts and keep them within the database. This appears to be true as there are records within wp_options table with the salt names and values.

Primary question: Is ‘WordPress keeping salts within the database’ a security risk?

Care to explain: Is there a reason why they are primarily in the config file and should I replace the config file values with the database ones and remove the database values?

1 Answer

From the WordPress Codex:

The secret key is located in two places: the database in case the secret key isn't defined in the second place, which is in the wp-config.php file. If you are going to set the secret key, then you must do so in the wp-config.php file.

The secret key in the database is randomly generated and will be appended to the secret key that is in wp-config.php file in some instances. It is important to have the secret key defined or changed in wp-config.php.

If you have installed WordPress 2.5 or later, then you will have the SECRET_KEY defined in the wp-config.php already. You will want to change the value in it because hackers will know what it is. If you have upgraded to WordPress 2.5 or later version from a version before WordPress 2.5, then you should add the constant to your wp-config.php file.

Salting passwords helps against tools which have stored hashed values of common dictionary strings. The added values make it harder to crack if the given salt string is not weak.

You should set the salts inside the wp-config.php, as keeping the salts solely in the database is a security risk. It is more likely that someone nefarious would be able to grab the entire salt if it is stored solely in the database, whereas if you store the salt in the wp-config.php and supplement it with the salt within the database, it will be much harder to grab the entire salt. You can randomly generate these salts with the online generator. Once they occur in the wp-config.php file, the database salts will no longer be valid by themselves and will no longer present a security risk.
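As an added example (not code from the question, the answer, or WordPress itself), here is a small Python audit script for the situation described above. It reads a wp-config.php, reports which of the eight key/salt constants are still the stock placeholder, empty, missing, or duplicated (the conditions under which WordPress ignores the constant and falls back to the value it generated in wp_options), and rewrites all eight with fresh random values. The regex parser, the status names, the 64-character length and the character set (printable ASCII minus backslash and both quote characters, so the value can be pasted into a single-quoted PHP string unchanged) are this example's own choices; the sample config is constructed from the snippet in the question.

```python
import re
import secrets

# The eight constants WordPress expects to find in wp-config.php.
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Stock placeholder shipped in wp-config-sample.php. A constant set to this,
# left empty, undefined, or sharing its value with another constant is treated
# as invalid by WordPress, which then uses the value stored in wp_options.
PLACEHOLDER = "put your unique phrase here"

# Character set chosen for this example: printable non-space ASCII without
# backslash or quotes, so the value drops into a single-quoted PHP literal.
SALT_CHARS = "".join(chr(c) for c in range(33, 127) if chr(c) not in "\\'\"")
SALT_LENGTH = 64

# Matches define('NAME', 'value'); with single-quoted arguments only
# (the form wp-config.php uses); double-quoted defines are not handled.
_DEFINE_RE = re.compile(
    r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;"
)

# Constructed sample input, copied from the question plus one unrelated define.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""


def parse_defines(config_text):
    """Return {CONSTANT: value} for every single-quoted define() in the text."""
    return {m.group(1): m.group(2) for m in _DEFINE_RE.finditer(config_text)}


def audit_salts(config_text):
    """Classify each constant as ok / placeholder / empty / duplicate / missing."""
    defines = parse_defines(config_text)
    present = [defines[n] for n in WP_KEY_NAMES if n in defines]
    result = {}
    for name in WP_KEY_NAMES:
        value = defines.get(name)
        if value is None:
            result[name] = "missing"
        elif value == "":
            result[name] = "empty"
        elif value == PLACEHOLDER:
            result[name] = "placeholder"
        elif present.count(value) > 1:
            result[name] = "duplicate"
        else:
            result[name] = "ok"
    return result


def generate_salt(length=SALT_LENGTH):
    """One random value drawn with the secrets module (CSPRNG-backed)."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def rewrite_salts(config_text):
    """Return config_text with all eight constants given fresh random values.

    Every key is replaced in one go: the wp_options fallbacks are abandoned as
    a set, and changing any of them invalidates existing login cookies anyway.
    Other define() lines (DB_NAME and so on) are left untouched.
    """
    def replace(match):
        name = match.group(1)
        if name not in WP_KEY_NAMES:
            return match.group(0)
        return "define('%s', '%s');" % (name, generate_salt())
    return _DEFINE_RE.sub(replace, config_text)


if __name__ == "__main__":
    for name, status in audit_salts(SAMPLE_CONFIG).items():
        print("%-17s %s" % (name, status))
    print(rewrite_salts(SAMPLE_CONFIG))
```

Run it against the real file (`audit_salts(open("wp-config.php").read())`) before and after editing; every entry should read `ok` afterwards. Once the constants are valid, WordPress stops reading the `*_key` and `*_salt` rows in wp_options, and all logged-in users will have to sign in again because their cookies were signed with the old values.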