So for the salts, I started simple, with the underlying assumption that each deployment could be pre-salted by the source bundle, reducing operational overhead.
But upon reading a bit further, I saw that rotating the salts regularly is a good opportunity to invalidate sessions and ensure that logins have to happen regularly, so I figured I could try re-salting every time configuration changes or deployments are made via Elastic Beanstalk (e.g. through the console).
So we'll want to generate the salts and build the dictionary so that we can return them when the time comes to incorporate them into the Elastic Beanstalk configuration. By leveraging the WordPress API we can then:
```python
import re
import urllib.request


def get_wordpress_salts():
    # Fetch a fresh set of keys and salts from the WordPress.org secret-key API.
    with urllib.request.urlopen('https://api.wordpress.org/secret-key/1.1/salt/') as s:
        salts_from_api = s.read().decode('utf-8')

    # Each line of the response is a PHP define('NAME', 'value'); statement,
    # so capture the quoted value that follows each name.
    salts = {
        'AUTH_KEY': re.search("'AUTH_KEY', .*'(.*)'", salts_from_api).group(1),
        'SECURE_AUTH_KEY': re.search("'SECURE_AUTH_KEY', .*'(.*)'", salts_from_api).group(1),
        'LOGGED_IN_KEY': re.search("'LOGGED_IN_KEY', .*'(.*)'", salts_from_api).group(1),
        'NONCE_KEY': re.search("'NONCE_KEY', .*'(.*)'", salts_from_api).group(1),
        'AUTH_SALT': re.search("'AUTH_SALT', .*'(.*)'", salts_from_api).group(1),
        'SECURE_AUTH_SALT': re.search("'SECURE_AUTH_SALT', .*'(.*)'", salts_from_api).group(1),
        'LOGGED_IN_SALT': re.search("'LOGGED_IN_SALT', .*'(.*)'", salts_from_api).group(1),
        'NONCE_SALT': re.search("'NONCE_SALT', .*'(.*)'", salts_from_api).group(1),
    }
    return salts
```
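As an added example (not code from the original post): a stricter parse of the same response that fails closed when any of the eight values is missing or malformed, falls back to local generation with Python's `secrets` module, and shapes the result as Elastic Beanstalk option settings. The 64-character value length, the local alphabet, the helper names, and passing the salts as environment properties are assumptions; the sample response is constructed.

```python
import re
import secrets
import string

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Assumption: each value is exactly 64 characters with no quote or backslash.
DEFINE_RE = re.compile(r"^define\('([A-Z_]+)',\s*'([^'\\\r\n]{64})'\);\s*$", re.M)
# Assumed alphabet for local generation; avoids characters that need PHP escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"


def parse_salts(text):
    """Return {name: value}, or raise if the response is not exactly the
    eight expected, well-formed and distinct define() lines."""
    pairs = DEFINE_RE.findall(text)
    found = dict(pairs)
    if (len(pairs) != len(SALT_NAMES) or set(found) != set(SALT_NAMES)
            or len(set(found.values())) != len(SALT_NAMES)):
        raise ValueError("unexpected salt response; refusing to use it")
    return found


def generate_salts():
    """Generate the eight values locally from the OS CSPRNG."""
    return {name: "".join(secrets.choice(ALPHABET) for _ in range(64))
            for name in SALT_NAMES}


def salts_or_local(text):
    """Use the fetched response if it validates, otherwise generate locally."""
    try:
        return parse_salts(text)
    except ValueError:
        return generate_salts()


def to_option_settings(salts):
    """Shape the salts as Elastic Beanstalk environment-property settings
    (assumption: this is how they reach the environment)."""
    return [{"Namespace": "aws:elasticbeanstalk:application:environment",
             "OptionName": name, "Value": salts[name]} for name in SALT_NAMES]


def render_defines(salts):
    """Build a constructed sample response in the define() line format."""
    return "\n".join(f"define('{n}', '{v}');" for n, v in salts.items())
```
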