Secure WordPress with secret keys

If your WordPress blog has been compromised before, you should further enhance its security by using the WordPress security keys feature built into the ‘wp-config.php’ file.

In Version 2.6, three (3) security keys, AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY, were added to ensure better encryption of information stored in the user’s cookies. (These collectively replaced a single key introduced in Version 2.5.)

In Version 2.7 a fourth key, NONCE_KEY, was added to this group. When each key was added, corresponding salts were added: AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT.

You don’t have to remember the keys; just make them long, random and complicated or, better yet, use the online generator, which will save you the trouble of coming up with your own random keys. You can change these at any point in time to invalidate all existing cookies. This does mean that all users will have to log in again.

In your ‘wp-config.php’ file, add your random keys between the quotes (‘ ’).

Example (replace each ‘put your unique phrase here’ with your own secret keys):

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

A secret key makes your WordPress site harder to hack and access: it adds random elements/characters to the password, which makes it even harder to crack.

In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. With a random, unpredictable password such as “|!G$OX!Iz3~tsF-Sde5yK@h:F?!#(v3,a% {VO&^`!V0Vya@9YeQ6?}5Z+iPV%0{q”, it takes years to come up with the right combination. A ‘salt’ is used to further enhance the security of the generated result.

The four keys are required for the enhanced security. The four salts are recommended, but are not required, because WordPress will generate salts for you if none are provided. They are included in ‘wp-config.php’ by default for inclusiveness.
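
A check you can run after editing the file, given here as an added example (it is not from the original post or from WordPress): it reads the text of ‘wp-config.php’ and reports keys that are missing, still set to the placeholder, short, or reused. The function name audit_wp_config, the 32-character minimum and the sample values are assumptions made for this example.

```python
import re

# The eight constants from wp-config.php, as listed in the post.
REQUIRED = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
            "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 32  # assumed threshold for this example, not a WordPress rule

# define('NAME', 'value'); with either quote style; commented-out lines do not match.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*)\3\s*\)\s*;""", re.M)


def audit_wp_config(text):
    """Return (constant, problem) pairs for the secret keys in wp-config.php text."""
    found = {m.group(2): m.group(4) for m in DEFINE_RE.finditer(text)
             if m.group(2) in REQUIRED}
    values = list(found.values())
    findings = []
    for name in REQUIRED:
        value = found.get(name)
        if value is None:
            # The post notes salts are optional: WordPress generates them if absent.
            kind = "missing" if name.endswith("_KEY") else "missing (optional salt)"
            findings.append((name, kind))
        elif value == PLACEHOLDER:
            findings.append((name, "placeholder"))
        elif len(value) < MIN_LENGTH:
            findings.append((name, "too short"))
        elif values.count(value) > 1:
            findings.append((name, "reused value"))
    return findings


# Constructed sample input (not a real configuration).
SAMPLE = """
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-sample-value-0123456789-abcdefgh');
define('LOGGED_IN_KEY',    'short');
define("NONCE_KEY",        "constructed-sample-value-0123456789-abcdefgh");
define('AUTH_SALT',        'constructed-sample-salt-9876543210-zyxwvuts');
// define('LOGGED_IN_SALT', 'commented-out-constructed-value-0123456789');
"""

if __name__ == "__main__":
    for name, problem in audit_wp_config(SAMPLE):
        print(f"{name}: {problem}")
```

To audit a real file, pass its contents to audit_wp_config; an empty result means all eight constants are set, distinct and at least the assumed length.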

If you mess up the installation and delete the ‘wp-config.php’ file, you can always use the online key generator to create your secret keys again.

This step is simple enough to follow, but if readers are having problems with their ‘wp-config.php’ file, I’ll gladly help. Just comment and I’ll respond to it.
