WordPress 2.6 includes a new set of security features for passwords and password hashing and cookie security. This feature works without doing anything, but it's not particularly powerful without some extra steps.
If you want to greatly increase the security of your site, you should set up secret keys.
Setting up your secret keys is easy. All you have to do is to add these lines to the wp-config.php file, right after the other define statements:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');You'll find these lines in the wp-config-sample.php file as well.
These unique phrases should be something long and random. Anything 60+ characters and relatively random will do, it doesn't matter what it is. However, they should each be different. In other words, you need four phrases, not one.
WordPress has created a generator for these lines to assist people in creating good ones. Go to this site, and copy and paste the result into your wp-config file:
http://api.wordpress.org/secret-key/1.1/
Note that doing this will invalidate all your login cookies, so everybody on your site will have to re-login, but doing it will greatly increase the cookie strength of WordPress 2.6. This means that your login cookies, if intercepted, won't be able to be reproduced as easily. It also means that somebody who gains read-only access to your database through some other means won't be able to login to your site.
More information on this topic can be found here:
http://boren.nu/archives/2008/07/14/ssl-and-cookies-in-wordpress-26/
Also note, never actually give your secret keys to anybody. Their secrecy is what adds the extra layer of security.
