Quick Security Upgrade: Set or change your WordPress secret keys


Of all the ways to harden your WordPress site, there’s a very simple and often overlooked technique to employ. It’s been around since version 2.6, and when My Brother Darryl is contacted to fix someone’s hacked site, we find it is rarely used. Below is how WordPress’ secret keys work and the three steps it takes to complete today’s security upgrade.

How WordPress Secret Keys Work

When you log into WordPress, a cookie is created in your browser. A cookie is a delicious tidbit of data that lets a server keep track of important things like who’s logged in and who’s not. These delicious tidbits can contain personal and private information including the site’s URL, your username and time of login. A malicious user may attempt to crack your cookies and then run software that tries common password combinations against your site and username; if they get one right, they will have gained access to your site, allowing them to exploit it with malware, content deletion, additions, revisions and more.

There’s hope! You can dramatically harden the security of your cookies simply by creating secret keys. The result is delicious tidbits of data that are much harder to crack. You don’t need to remember or keep track of these keys, making this a painless technique that can be completed in less than 5 minutes. We recommend changing these secret keys every 30 to 60 days.

WordPress has four secret keys you’ll be creating: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, plus four SALTS that are optional. Let’s get started…

Step 1

FTP into your web server and open your wp-config.php file. Scroll down to line 49 to find this:

Screen capture. wp-config with no security keys

You’ll be placing your secret keys and SALTS where it says ‘put your unique phrase here’. Make sure you keep the single quotes around your keys.

Step 2

Now, automatically generate unique, random keys by visiting https://api.wordpress.org/secret-key/1.1/salt/, WordPress’ simple random secret key generator.

Screen capture of a Secret key generator

Step 3

Copy and paste secret keys and SALTS into wp-config.php and save your file back to your server.

Screen capture: wp-config.php with security keys
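If you would rather rotate the keys from a script every 30 to 60 days than repeat the three steps by hand, here is an added Python example (not part of this post or of WordPress itself). It generates the eight define() lines offline with the OS CSPRNG as a stand-in for the api.wordpress.org page, reports which constants still hold the stock ‘put your unique phrase here’ placeholder, and swaps the new values into the text of wp-config.php; the requirement that each constant appear exactly once is an assumption of the example.

```python
import re
import secrets

# The eight constants WordPress reads from wp-config.php: four keys, four salts.
CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"   # stock value shipped in wp-config-sample.php

# Letters, digits and punctuation with no quote or backslash, so a value can sit
# safely inside the single quotes of a PHP define(); same set WordPress's generator uses.
CHARSET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
           "!@#$%^&*()-_ []{}<>~`+=,.;:/?|")

# Matches define('NAME', 'value'); with or without the spaces newer configs put inside the parens.
_DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")


def generate_key(length: int = 64) -> str:
    """One secret from the OS CSPRNG (offline stand-in for the api.wordpress.org output)."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def generate_defines() -> str:
    """Eight define() lines in the same shape the online generator returns."""
    return "\n".join(f"define('{n}', '{generate_key()}');" for n in CONSTANTS)


def unset_keys(config_text: str) -> list:
    """Constants still at the stock placeholder (or absent), i.e. not yet set."""
    found = {m.group("name"): m.group("value") for m in _DEFINE_RE.finditer(config_text)}
    return [n for n in CONSTANTS if found.get(n, PLACEHOLDER) == PLACEHOLDER]


def rotate_keys(config_text: str, new_defines: str) -> str:
    """Swap every key/salt define in wp-config.php for its value in new_defines.
    Unrelated defines (DB_NAME etc.) are untouched; raises instead of returning
    a half-updated config if any of the eight is missing or duplicated."""
    new = {m.group("name"): m.group("value") for m in _DEFINE_RE.finditer(new_defines)}
    missing = [n for n in CONSTANTS if n not in new]
    if missing:
        raise ValueError(f"replacement block is missing {missing}")
    seen = []

    def swap(m):                       # function form: no backslash escaping issues
        name = m.group("name")
        if name not in new:
            return m.group(0)
        seen.append(name)
        return f"define('{name}', '{new[name]}');"
    updated = _DEFINE_RE.sub(swap, config_text)
    if sorted(seen) != sorted(CONSTANTS):
        raise ValueError(f"expected each constant exactly once in wp-config.php, saw {seen}")
    return updated
```

Read wp-config.php into a string, pass it with generate_defines() to rotate_keys(), and write the result back; unset_keys() on its own tells you whether a site you are inspecting ever had the keys set.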

We’re all done! Congratulations, you just prevented one of the easiest ways your WordPress-powered site can be hacked. Looking for more ways to harden your WordPress site? Here are 17 ways to harden your WordPress security.


Also published on Medium.