[closed] HOWTO: Set up secret keys in WordPress 2.6+ (3 posts)

  1. WordPress 2.6 includes a new set of security features for passwords and password hashing and cookie security. This feature works without doing anything, but it's not particularly powerful without some extra steps.

    If you want to greatly increase the security of your site, you should set up secret keys.

    Setting up your secret keys is easy. All you have to do is to add these lines to the wp-config.php file, right after the other define statements:

    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');

    You'll find these lines in the wp-config-sample.php file as well.

    These unique phrases should be something long and random. Anything 60+ characters and relatively random will do, it doesn't matter what it is. However, they should each be different. In other words, you need four phrases, not one.

    WordPress has created a generator for these lines to assist people in creating good ones. Go to this site, and copy and paste the result into your wp-config file:

    Note that doing this will invalidate all your login cookies, so everybody on your site will have to re-login, but doing it will greatly increase the cookie strength of WordPress 2.6. This means that your login cookies, if intercepted, won't be able to be reproduced as easily. It also means that somebody who gains read-only access to your database through some other means won't be able to login to your site.

    More information on this topic can be found here:

    Also note, never actually give your secret keys to anybody. Their secrecy is what adds the extra layer of security.
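As an added example (not code from the original post or from WordPress itself), the following PHP script generates four distinct random phrases for the define() lines listed above and audits an existing wp-config.php for the sample placeholder, short values, or a phrase reused across keys. The 64-character length, the printable-ASCII alphabet and the auditSecretKeys helper are this example's own assumptions; the key names are the ones the post shows.

```php
<?php
// Added example, not from the original forum post: generate four distinct
// secret keys and check an existing wp-config.php for weak or placeholder values.
// The key names match the define() lines shown in the post; the 64-character
// length and the character set are this example's assumptions.

const WP_SECRET_KEYS = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY'];
const KEY_LENGTH = 64;
const PLACEHOLDER = 'put your unique phrase here';

// Build one random phrase from a CSPRNG (random_int), using printable ASCII
// minus the single quote and backslash so it drops into a single-quoted PHP string.
function generateSecretKey(int $length = KEY_LENGTH): string {
    $alphabet = '';
    for ($c = 33; $c <= 126; $c++) {
        if ($c !== 39 && $c !== 92) { $alphabet .= chr($c); }
    }
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// Produce the define() lines ready to paste into wp-config.php, one fresh phrase per key.
function generateDefineLines(): string {
    $lines = '';
    foreach (WP_SECRET_KEYS as $name) {
        $lines .= sprintf("define('%s', '%s');\n", $name, generateSecretKey());
    }
    return $lines;
}

// Audit the text of a wp-config.php: return a list of problems found
// (key missing, sample placeholder left in, shorter than 60 chars, or phrase reused).
function auditSecretKeys(string $config): array {
    $problems = [];
    $seen = [];
    foreach (WP_SECRET_KEYS as $name) {
        $pattern = "/define\(\s*'" . $name . "'\s*,\s*'((?:[^'\\\\]|\\\\.)*)'\s*\)/";
        if (!preg_match($pattern, $config, $m)) {
            $problems[] = "$name is not defined";
            continue;
        }
        $value = $m[1];
        if ($value === PLACEHOLDER) {
            $problems[] = "$name still has the sample placeholder";
        } elseif (strlen($value) < 60) {
            $problems[] = "$name is shorter than 60 characters";
        }
        if (isset($seen[$value])) {
            $problems[] = "$name reuses the phrase of {$seen[$value]}";
        } else {
            $seen[$value] = $name;
        }
    }
    return $problems;
}

// Constructed sample: a wp-config.php fragment with the sample placeholders left in
// and NONCE_KEY missing entirely.
$sampleConfig = "define('AUTH_KEY', 'put your unique phrase here');\n"
    . "define('SECURE_AUTH_KEY', 'put your unique phrase here');\n"
    . "define('LOGGED_IN_KEY', 'put your unique phrase here');\n";

foreach (auditSecretKeys($sampleConfig) as $problem) {
    echo "- $problem\n";
}
echo "\nReplace them with:\n", generateDefineLines();
```

Run it with the PHP CLI against a copy of the config (for example by reading the file with file_get_contents() into $sampleConfig). The audit intentionally treats a shared phrase across two keys as a finding, because the post's requirement is four different phrases, not one.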

  2. Jeremy Clark
Posted 8 years ago

    This is the Codex page dealing with the setting up the secret key.
    Editing wp-config.php

  3. Note: WordPress 2.7 adds the NONCE_KEY parameter. This new key protects the nonces from being generated, protecting you from certain forms of attacks where a hacker attempts to guess the nonce. This is an unlikely vector for attack, at best, but still it's good to use.

    Adding a new nonce key to an existing install will not invalidate your login, nor show you any real differences in any way. It just makes things slightly more secure. The generator URL given above has been modified to create a random nonce key as well.
