Am I right in thinking that the "salt" parameter should be something an attacker cannot easily guess?
Yes, you are right.
I think as follows:
'XOOPS_PREFIX' should be 'salt'.(See Mozilla Thunderbird user's directory prefix)
if 'XOOPS_PREFIX' is set up at random, We can write code:
$salt=XOOPS_ROOT_PATH.XOOPS_PREFIX;
A user who doesn't set up 'XOOPS_PREFIX' at random will be helped by this script. this script changes 'XOOPS_PREFIX'. but, there is risk, because there is no English document.
If a programmer reads a code, he will know all of the script. I hope that he introduces script in English.
Translation of document isn't important. I learned many 'programming technique' from the American book written in English.(we can buy American books in Amazon Japan.) but I can't read English.
We may not be able to talk and exchange a document, because many japanese aren't good at English. but, we can exchange 'proguram code'. 'program code' is an excellent international language for us. that is better than Esperanto.