Are you familiar with the WordPress Security Keys? I found out recently that there are still many WordPress users out there who are not familiar with it and are not making use of this feature to make their blogs more secure. Today, I’ll be talking about it and sharing what WordPress Security Keys are about and how you can use them.
When WordPress 2.6 was released, three security keys – AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY were added for the purpose of better encryption of the information stored in a user’s cookies. A fourth security key – NONCE_KEY was added to the group during the release of WordPress 2.7. Four new security keys were added in with the release of WordPress 3.0 – AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT bringing it to a total of 8 security keys. (Thanks to sylv3rblade for pointing that out)
For those who are not familiar with the WordPress Security Keys and what they’re for, here’s the definition provided by WordPress:
A secret key is a hashing salt which makes your site harder to hack and access harder to crack by adding random elements to the password.
In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, unpredictable password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination.
In other words, WordPress Security Keys add another layer of protection to your blog making it stronger and less susceptible to hacking and malicious attacks. Now that you understand what the WordPress Security Keys are and what they’re for, then you should start implementing them on your WordPress-powered blog or website.
The WordPress Security Keys can be configured via the wp-config or wp-config-sample file. Just open up the file with any text editor and look for these lines:
/**#@+
* Authentication Unique Keys.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
/**#@-*/
To enable the WordPress Security Key, just replace ‘put your unique phrase here‘ with your own security key, save the wp-config.php file and upload it. [Make sure you save a backup of your wp-config.php file before editing it and configuring the Security Key]
Examples of WordPress Security Keys:
define('AUTH_KEY', ':dr+%/5V4sAUG-gg%aS*v;&xGhd%{YKC^Z7KKGh j>k[.Nf$y7iGKdJ3c*[Kr5Bg');
define('SECURE_AUTH_KEY', 'TufWOuA _.t>#+hA?^|3RfGTm>@*+S=8"'+"}]<m#+}V)p:Qi?jXLq,<h\`39m_(');
define('LOGGED_IN_KEY', 'S~AACm4h1;T^"qW3_8Zv!Ji=y|)~5i63JI |Al[(<YS<2V^$T])=8Xh2a:b:}U_E');
define('NONCE_KEY', 'k1+EOc-&w?hG8j84>6L9v"6C89NH?ui{*3\(t09mumL/fFP_!K$JCEkLuy ={x{0');
Although you can create your own security key, I strongly suggest that you use the online generator provided by WordPress to create a strong security key like the one above. Take note that you don’t have to remember or memorize the keys and you can change your blog’s security key at any point in time to invalidate all existing cookies. You can do this if you think someone has taken hold of your password or you think that someone made an unauthorized login on your blog. Resetting the security key will require all users to login again.
I hope this article helped you better understand WordPress Security Keys and convince you to make use of this built-in feature to strengthen your blog’s security. Better safe than sorry!
[Source: WordPress Codex]
@sylv3rblade – Thanks for pointing that one out. This is was an old draft that I wrote prior to the release of WP 3.0. Forgot to check and update the post. :D
WP 3.0 adds additional keys for security bringing the total to 8:
AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT
@Aaron – Thanks! That’s true and many of these users aren’t aware of it yet, that’s why I decided to share about it. :)
Good tips Jaypee, especially for those using older versions of WP. All of the newer versions force you (as far as I know) to generate keys and automatically put them into your config file for you.