Are you familiar with the WordPress Security Keys? I found out recently that there are still many WordPress users out there who are not familiar with it and are not making use of this feature to make their blogs more secure. Today, I’ll be talking about it and sharing what WordPress Security Keys are about and how you can use them.

When WordPress 2.6 was released, three security keys – AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY were added for the purpose of better encryption of the information stored in a user’s cookies. A fourth security key – NONCE_KEY was added to the group during the release of WordPress 2.7. Four new security keys were added in with the release of WordPress 3.0 – AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT bringing it to a total of 8 security keys. (Thanks to sylv3rblade for pointing that out)

For those who are not familiar with the WordPress Security Keys and what they’re for, here’s the definition provided by WordPress:

A secret key is a hashing salt which makes your site harder to hack and access harder to crack by adding random elements to the password.

In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, unpredictable password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination.

In other words, WordPress Security Keys add another layer of protection to your blog making it stronger and less susceptible to hacking and malicious attacks. Now that you understand what the WordPress Security Keys are and what they’re for, then you should start implementing them on your WordPress-powered blog or website.

The WordPress Security Keys can be configured via the wp-config or wp-config-sample file. Just open up the file with any text editor and look for these lines:

[php]
/**#@+
* Authentication Unique Keys.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
/**#@-*/
[/php]

To enable the WordPress Security Key, just replace ‘put your unique phrase here‘ with your own security key, save the wp-config.php file and upload it. [Make sure you save a backup of your wp-config.php file before editing it and configuring the Security Key]

Examples of WordPress Security Keys:

[php]
define(‘AUTH_KEY’, ‘:dr+%/5V4sAUG-gg%aS*v;&xGhd%{YKC^Z7KKGh j>k[.Nf$y7iGKdJ3c*[Kr5Bg');
define('SECURE_AUTH_KEY', 'TufWOuA _.t>#+hA?^|3RfGTm>@*+S=8\"\'+\"}]<m#+}V)p:Qi?jXLq,<h\\`39m_(‘);
define(‘LOGGED_IN_KEY’, ‘S~AACm4h1;T^\"qW3_8Zv!Ji=y|)~5i63JI |Al[(<YS<2V^$T])=8Xh2a:b:}U_E’);
define(‘NONCE_KEY’, ‘k1+EOc-&w?hG8j84>6L9v\"6C89NH?ui{*3\\(t09mumL/fFP_!K$JCEkLuy ={x{0′);
[/php]

Although you can create your own security key, I strongly suggest that you use the online generator provided by WordPress to create a strong security key like the one above. Take note that you don’t have to remember or memorize the keys and you can change your blog’s security key at any point in time to invalidate all existing cookies. You can do this if you think someone has taken hold of your password or you think that someone made an unauthorized login on your blog. Resetting the security key will require all users to login again.

I hope this article helped you better understand WordPress Security Keys and convince you to make use of this built-in feature to strengthen your blog’s security. Better safe than sorry!

[Source: WordPress Codex]

A week after releasing it in WordPress.com and a day after releasing Release Candidate 2, the dev team finally released WordPress 2.7 “Coltrane” to the general public. This version of WordPress is named after American jazz saxophonist and composer, John Coltrane.

I know this is a little bit late and I know that some of you aren’t that excited about WordPress 2.7 because you’ve already tried and used the beta and release candidate versions. However, there are still some who haven’t tried it yet or haven’t even seen what it looks like. For those who are new to WordPress 2.7, here’s a special video created by the dev team as a visual introduction to the latest version of WordPress.

Personally, I think this is the best WordPress release to date. Why? Because it covers almost all the features and options that I’ve been looking for in WordPress in a long time. From the main dashboard which you can customize and rearrange drag-and-drop style, the ability to reply to comments right from the dashboard, installing plugins directly from WordPress.org’s Plugin Repository, creating sticky posts, the comment moderation keyboard shortcuts and last but not least, the built-in upgrade feature. Not only does this new version of WordPress look and feel better than previous versions, some of the features I mentioned saves time and make regular tasks more convenient for users.

Unfortunately, with almost every new version of WordPress (especially ones with a lot of changes) comes issues with themes and plugins and WordPress 2.7 is not an exception. Before you upgrade your WordPress installation, you have to check that your themes, plugins and hosting provider work or don’t have any conflicts/issues with WordPress 2.7. One of the reasons why I wasn’t able to do the upgrade right away was because I wanted to be sure that everything would be okay after I do the upgrade. First thing I did was to back up my WordPress database, then check my theme files, check the plugins for conflicts/issues, deactivated all plugins and when I was confident that everything was ready, I proceeded with the upgrade. The upgrade process was fast and smooth. Thankfully, there were no hiccups or problems whatsoever.

So far I haven’t heard or read of anyone complaining or reporting problems after upgrading to WordPress 2.7, except for my blogger friend ia who noticed that after doing the upgrade, the WordPress version displayed on her blog’s meta tag was “abc” while on her dashboard it shows “WordPress 2.7″. Weird! She also pointed out a support topic on WordPress.org’s forum where someone posted a fix but for an earlier version, not 2.7. I’m not sure if it works or not because when I checked her blog it still shows “abc”, but in case you encounter this problem you can try it out. If you do know how to fix it or figure out a solution, kindly share it with us.

Btw, it’s only been a day since WordPress 2.7 was released but the dev team are already busy fixing bugs for 2.7.1 and thinking of features for 2.8.

Any of you guys who haven’t upgraded to WordPress 2.7 yet? What’s keeping you from upgrading? For those of you who have, what are your first impressions of Coltrane? Do you like the new user interface and the new features? Why or why not? Please share your thoughts.

Download WordPress 2.7 “Coltrane”

There comes a time in every WordPress release when it’s ready for the world , to come out of its cocoon and feel the light of the world on its wings for the first time.

It’s not quite that time yet, but we’re as close as we’ve ever been, hence the immediate availability of 2.7 Release Candidate 2, or RC2 for short.

Instead of the final version, the development team released WordPress 2.7 RC (Release Candidate) 2 which is pretty much the same as what we’ll see and get in the final version unless they find new bugs that needs to be fixed or make additional tweaks to the system.

If you’re already using or testing WordPress 2.7, you can do the upgrade automatically using the built-in core update via Tools > Upgrade. If not, you can do it the old fashioned way. As always, make sure that you download WordPress 2.7 RC 2 from only reliable sources or from the official WordPress.org site.

Download WordPress 2.7 RC 2
(if you’re not sure, just hover your mouse over the link to see the source)

Anyways, better late than never right? Hope you enjoy this week’s edition of the Weekend Roundup.

Blogging

• Want to increase your RSS feed subscribers? Maybe this can help. Darren Hoyt shares this tip on how to effectively advertise an RSS feed.
• Unless you’re new to blogging, you’d have come across the name of Jason Calacanis at one time or the other. Six months ago, he announced his retirement from blogging, but it turns out he’s been actively posting on his blog. I guess Jason just can’t stay away from blogging. via DailyBlogTips
• Excited about WordPress 2.7? Here’s a video by Mark Jaquith showing off the comment moderation keyboard shortcuts for WordPress 2.7. I think this is gonna be my most favorite feature on WordPress.
• Do you own own a domain or several domains? If you do, then most likely you’re familiar with “whois” information. Do you think you need to protect your whois information? via Blogging Tips

Gadgets

• A Malaysian blogger got his hands on a HTC Max 4G, the first WiMAX phone in the world. Here’s his review on the HTC Max 46 aka HTC Quartz aka HTC T8290.
• Google recently announced the release of the Android Dev Phone 1 which is a SIM-unlocked and hardware-unlocked version of the T-Mobile G1. All you need to do to get this phone is to sign up as an Android developer and purchase the device for $399. via eWeek
• Wonder what gadgets did most people bought from eBay this year? Here’s the list of the Top 10 eBayed Gadgets of the Year. via Gizmodo
• Australia-based company Kogan has recently released the Kogan Agora and Agora Pro, the world’s second Android-based phones. Phones retail for about $192 and $256 respectively.

Technology

• BitDefender has recently identified a new type of trojan, the Trojan.PWS.ChromeInject.A. This trojan masquerades itself as the popular Firefox addon – Greasemonkey. To all Firefox/Greasemonkey users, make sure you only download from the official website. via ArsTechnica
• Microsoft will soon release a new line of products and its not gonna be hardware or software but rather “softwear”. In an effort to reinvent its image, Microsoft will be selling retro-style graphic t-shirts called “Softwear by Microsoft”. via Seattle Tech Report
• Controversial Firefox addon called the “Pirates of the Amazon” is now shutdown. This addon lets users illegally download movies, games, TV shows, and MP3s for free by cross referencing Amazon.com’s product pages with torrent files from the Pirate Bay. As a regular Amazon customer, I’m glad to hear this development. via CNet News
• Windows Vista users, if you haven’t seen it on your recent Windows Update you might wanna know that Microsoft released Service Pack 2 for Windows Vista last week. I’m still thinking whether I should update or not. Last time I installed SP 1 on my previous laptop, things got messed up.

Pinoy Blogs

• Having a hard time choosing a gift for a loved one or friend? Check out the first part of the Techy Kid’s Christmas gift ideas series.
• A t-shirt that plays songs? Yes, you read that right. The Personal Soundtrack Shirt has a speaker embedded in front that lets you play songs from your mp3 player or SD card. It also comes with a remote control for music selection. Isn’t that cool?
• Looking for a new phone this Christmas? Here’s a one that you might like, the Samsung Pixon M8800 reviewed by Jayvee Fernandez.
• If you have a Facebook account, be careful when you open/read messages containing links. The KoobFace virus is still at large and has been spreading around Facebook, infecting a lot of accounts. The most common subject line is “You look so funny on our new video”. I’ve also seen this in Friendster and have been receiving messages like these from people who are on my friends list.

JaypeeOnline Weekly Recap

• Christmas Giveaway – Just a reminder for those of you who haven’t joined yet or for those who aren’t aware of this contest. I’m giving away $1,000+ worth of premium WordPress themes and plugins. Trust me, you don’t wanna miss it!
• Songbird 1.0 Released – Open source media player slash browser Songbird slash iTunes alternative.
• Nokia N97 – Nokias latest flagship phone. Me likey!

If you have any questions, comments, suggestions or want your article to be featured in the next Weekend Roundup, feel free to leave a comment or send me a message via the contact page.

Thank you for your time and hope you guys have a great week!

Here’s an excerpt from the WordPress blog to give you an idea on how the vulnerabilities can be used to attack blogs with open user registration.

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.

If you implement open user registration on your blog, then you definitely have to update to WordPress 2.6.2 immediately. Although this is not a very serious security risk, if you don’t update your WordPress installation there’s a possibility that someone would use this vulnerability and be able to guess the generated password, gain access to your blog and mess it up. You wouldn’t want that to happen don’t you?

By the way for those of our friends who are new to WordPress and aren’t sure whether their blogs have open user registration or not, here’s how you can check: In your WordPress dashboard, go to Settings and under the General tab look for Membership options. If the “Anyone can register” option has a check on it then it means your blog is using open user registration. To disable it, just uncheck it and click on the Save Changes button below.

If you don’t have open user registration on your blog and don’t mind spending time doing an upgrade, then go ahead. Nothing wrong with keeping your WordPress installation up-to-date. Personally, I’d rather wait for WordPress 2.7 which is schedule to be released in November unless of course there’s a security release like WordPress 2.2.3, then I’d most certainly do an upgrade.