DiggingIntoWordPress

by Chris Coyier & Jeff Starr

WordPress Security Keys


In our recent post on pimping the wp-config.php file, we explained that using strong Security Keys is an important part of securing your WordPress installation. In this post, we zoom in on Security Keys and look at what they are, how they work, and how to use them to improve the security of your site.

Eight keys, one file, one step.

In a nutshell, WordPress Security Keys are four authentication keys and four hashing salts (long random strings). WordPress joins each key with its matching salt and uses the result as the secret for the HMAC that signs your authentication cookies and nonces, so nobody who does not know the keys can forge a valid cookie or nonce. (They do not change how stored passwords are hashed; that uses its own per-password salt.) Security Keys exist as single-line define() statements in your WordPress configuration file, the honorable wp-config.php.

WordPress Security Keys work out-of-the-box, but only because WordPress falls back to random values stored in the database when a key is missing or still set to the placeholder text. Those database-stored values travel with every backup and are one SQL injection away from an attacker; values defined in wp-config.php live only on the filesystem, which is why customizing them matters. As of WordPress 3.0 there are eight Security Keys. The constants were introduced in the following versions (each salt has been supported since its key was; 3.0 is when the salt definitions were added to wp-config-sample.php):

  • WordPress 2.6: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY (with AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT)
  • WordPress 2.7: NONCE_KEY (with NONCE_SALT)
  • WordPress 3.0: all four salt definitions added to wp-config-sample.php and pre-filled by the installer

These eight Security Keys are located in your wp-config.php file just after the database credentials. They have their own little section that looks like this:

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

/**#@-*/

As it says in the code comments, you want to replace these default keys with long sequences of random characters (the service emits 64 per key). Each key must come from a cryptographically secure random source and must differ from every other key; a passphrase you can remember is not random enough. You can either generate them yourself or visit the online secret-key service for automatic key-generation. When you visit the key service, you’ll get something similar to this:

define('AUTH_KEY',         'pK/7r(|,BK+X=|dzrK}Y|ttP%+8u<$so#|`zUrA*RIxNSfgo$-w|UrQ#)RR8+DEz');
define('SECURE_AUTH_KEY',  ')|IL/>/**t|;6/z,LMC3xs>X5#+,?>ZH#>2F8ik|LziZhk+YogW<h?n^O2W|_I?K');
define('LOGGED_IN_KEY',    'w3+SAaRLl]22i{|#-7>76i>qHV-P5d<{Q3tRh5D2|<L>XKHpbD-I@(51Rd2W|Z#7');
define('NONCE_KEY',        'SPD.R?ynL?qf|NXW#n(jO%kmz=]_+n|DiHrN549u>Ea{v!${-9lhoZ#.z7k(85n:');
define('AUTH_SALT',        '|6f>K{-aje<<FUp{N(s-NOh-}/g&+10/V]1Z7RP*IV6u3SRi-=M*Hf8:L$|.0Nwp');
define('SECURE_AUTH_SALT', 'mo>b+| dr(mY??KSkZe[dOmuoAu|qla<4q]>=EY;6&-YXt#:],T<)0FJuc9FdwtG');
define('LOGGED_IN_SALT',   '*8u:v_n,-L`FJ+qyE*fm`kzw|G%m!B^J|!8?]kK?,#5vO2#*f~PL=|tw?Chg+{o)');
define('NONCE_SALT',       '7+%dZ!tcm{2K+l(JPL7d<-B;.Jb7Cx.lj%9xQ|(ftY*|1+Qgl6q*m%L,n<.8?WXI');

Just copy/paste the entire block from the service and replace the eight default keys with the eight random keys. Don’t reuse the eight shown above: they are published, so anyone can read them, and unlike the placeholder text WordPress will not recognize them as defaults and fall back to a database-generated value. With this step complete, your WordPress Security Keys are doing real work signing your site’s cookies and nonces. Of course, there are many other ways to optimize your wp-config.php file if you enjoy that sort of thing ;)
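If you would rather not depend on the remote service, or want to check the keys already sitting in a wp-config.php, the script below does both. It is an added example for this article, not code from WordPress core or from the secret-key service; it assumes PHP 7.0 or later (for random_int()) and borrows the character set that WordPress’s own wp_generate_password() uses with special characters enabled, which is what the service returns. The audit half parses define() lines and flags keys that are missing, still the placeholder, shorter than 32 characters, or identical to another key.

```php
<?php
// keygen-audit.php: generate a fresh set of WordPress Security Keys locally, or
// audit the keys in an existing wp-config.php. Added example for this article;
// it is not code from WordPress core or the secret-key service. The alphabet
// below mirrors the one wp_generate_password() uses when special characters
// are enabled. Requires PHP 7.0+ for random_int().

const WP_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
const WP_PLACEHOLDER = 'put your unique phrase here';

// Letters, digits and the punctuation WordPress allows. Neither ' nor \ is in
// the set, so a generated value drops into a single-quoted PHP string as-is.
function key_alphabet(): string
{
    return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
         . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
}

// One key of $length characters, each drawn with the CSPRNG-backed random_int()
// (never rand()/mt_rand(), whose output is predictable).
function generate_key(int $length = 64): string
{
    $alphabet = key_alphabet();
    $last = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $last)];
    }
    return $key;
}

// The eight define() lines, aligned like wp-config-sample.php, ready to paste
// over the placeholder block.
function generate_defines(): string
{
    $out = '';
    foreach (WP_KEY_NAMES as $name) {
        $out .= sprintf("define(%s '%s');\n", str_pad("'$name',", 19), generate_key());
    }
    return $out;
}

// Audit: pull define('NAME', 'value') pairs out of a wp-config.php and return a
// list of findings. An empty array means every key is present, unique, long
// enough, and not the placeholder.
function audit_config(string $config): array
{
    preg_match_all("/define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)/", $config, $m, PREG_SET_ORDER);
    $keys = [];
    foreach ($m as $match) {
        if (in_array($match[1], WP_KEY_NAMES, true)) {
            $keys[$match[1]] = $match[2];
        }
    }

    $findings = [];
    foreach (WP_KEY_NAMES as $name) {
        if (!isset($keys[$name])) {
            $findings[] = "$name: missing (WordPress falls back to a value stored in the database)";
        } elseif ($keys[$name] === WP_PLACEHOLDER || $keys[$name] === '') {
            $findings[] = "$name: still the default placeholder";
        } elseif (strlen($keys[$name]) < 32) {
            $findings[] = "$name: only " . strlen($keys[$name]) . " characters, use 64";
        }
    }

    // Identical values across keys defeat the point of having eight of them.
    $dupes = array_filter(array_count_values($keys), function ($n) { return $n > 1; });
    foreach ($dupes as $value => $n) {
        if ($value !== WP_PLACEHOLDER) {
            $findings[] = "$n keys share the same value";
        }
    }
    return $findings;
}

// Usage:  php keygen-audit.php                -> prints a fresh block of eight defines
//         php keygen-audit.php wp-config.php  -> prints findings for that file
if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    if (isset($argv[1])) {
        $findings = audit_config(file_get_contents($argv[1]));
        echo $findings ? implode("\n", $findings) . "\n" : "Security Keys look good.\n";
    } else {
        echo generate_defines();
    }
}
```

Run it without arguments on the machine that will host the site and paste the output over the placeholder block; run it with the path to an existing wp-config.php to get a quick read on whether a site you are assessing ever left the defaults behind.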

Some Notes on WordPress Security Keys and Salts

So far we need to remember only one thing: replace the default Security Keys with random ones. Simple yes, but there are a few additional things to keep in mind when setting your keys:

  • Security Keys may be changed (or added) at any time
  • Any logged-in users will need to log in again after changing your keys
  • The default set of eight Security Keys is also available in the wp-config-sample.php file
  • Never reveal your Security Keys to anyone – never post them online, paste them into a support forum, or commit wp-config.php to a public repository

Also keep in mind that wp-config.php is normally not modified when updating WordPress. The wp-config-sample.php is replaced, so you can use it for reference if needed. If you’re running WordPress 3.0 and see fewer than eight security keys, it’s totally safe to replace what you have with a complete set. Other than logged-in users needing to log in again, your more-secure WordPress installation will roll on without skipping a beat.
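To see why a leaked key is dangerous and why rotating the keys logs everyone out, here is a stripped-down model of what WordPress does with a key and salt. It is an added example, not WordPress core code: it follows the shape of wp_salt() (key concatenated with salt) and of the auth-cookie HMAC, but omits the password-hash fragment and session token that real WordPress also mixes into the cookie, so in this model knowing the keys alone is enough to mint a cookie for any user name. The 32-character constants are toy values standing in for real 64-character keys; it assumes PHP 7.1 or later.

```php
<?php
// Model of how a key + salt pair signs an authentication cookie and why
// rotating the pair invalidates every cookie signed under the old one.
// Added example for this article, not WordPress core: same shape as
// wp_salt() and the auth-cookie HMAC, minus the password-hash fragment and
// session token real WordPress also includes. Requires PHP 7.1+.

// Toy constants, not real keys. LEAKED_CONFIG stands for a key set an
// attacker has already read (say, from a wp-config.php pushed to a public repo).
const LEAKED_CONFIG = [
    'AUTH_KEY'  => 'S7!kq<Lm]3(vB^Qz|e9H+Xw,rT#c~Ny2',
    'AUTH_SALT' => 'p)M}9uJ_f4Z;Ra<6Ww*Ke%D0t|gN-Hc{',
];
const ROTATED_CONFIG = [
    'AUTH_KEY'  => 'G4&xR?d8[Vt]0nC/bK;W+Lm=Y!q2hZ:e',
    'AUTH_SALT' => '%Uj7,Pa>M_3sF(k}oT*9Dv~Q-cE<1wB|',
];

// wp_salt('auth') in spirit: the secret is <SCHEME>_KEY . <SCHEME>_SALT.
function salt_for(array $config, string $scheme = 'auth'): string
{
    $prefix = strtoupper($scheme);
    return $config[$prefix . '_KEY'] . $config[$prefix . '_SALT'];
}

// Cookie = user|expiration|HMAC(user|expiration) under the scheme's secret.
function sign_cookie(array $config, string $user, int $expiration, string $scheme = 'auth'): string
{
    $payload = $user . '|' . $expiration;
    return $payload . '|' . hash_hmac('sha256', $payload, salt_for($config, $scheme));
}

// Returns the user name if the cookie verifies and is unexpired, else null.
function validate_cookie(array $config, string $cookie, int $now, string $scheme = 'auth'): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                                       // malformed
    }
    [$user, $expiration, $hmac] = $parts;
    if (!preg_match('/^\d+$/', $expiration) || (int) $expiration < $now) {
        return null;                                       // expired or malformed
    }
    $expected = hash_hmac('sha256', $user . '|' . $expiration, salt_for($config, $scheme));
    return hash_equals($expected, $hmac) ? $user : null;  // constant-time compare
}

// Four checks: a cookie minted with leaked keys, the same cookie after the site
// rotates its keys, a cookie issued under the new keys, and that cookie after expiry.
function demo(): array
{
    $now = 1700000000;                                     // constructed "current time"
    $expires = $now + 2 * 86400;                           // WordPress's default 2-day cookie
    $forged = sign_cookie(LEAKED_CONFIG, 'admin', $expires);
    $fresh  = sign_cookie(ROTATED_CONFIG, 'admin', $expires);
    return [
        'leaked keys, forged cookie'  => validate_cookie(LEAKED_CONFIG, $forged, $now),
        'after rotation, same cookie' => validate_cookie(ROTATED_CONFIG, $forged, $now),
        'after rotation, new cookie'  => validate_cookie(ROTATED_CONFIG, $fresh, $now),
        'new cookie past expiry'      => validate_cookie(ROTATED_CONFIG, $fresh, $expires + 1),
    ];
}

foreach (demo() as $case => $result) {
    printf("%-29s %s\n", $case . ':', $result === null ? 'rejected' : "accepted as $result");
}
```

The first check passes because the attacker holds the same secret the site uses; the second fails the moment the site’s keys change, which is the mechanism behind "all users will have to log in again"; the third and fourth show that cookies issued under the new keys work until their expiration and not a second longer. Rotating the keys is therefore the right first response to a suspected wp-config.php leak, and the cost is only a forced re-login.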

9 Responses

  1. SECRET_KEY and SECRET_SALT were introduced in 2.5. In 2.6, WordPress introduced better wp-admin SSL support and also separate cookies for the frontend and admin. Thus the two original defines were replaced with AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY, and three corresponding salts.

    NONCE_KEY and NONCE_SALT were separately introduced in 2.7.

    In 3.0, we added some code to fetch and pre-fill secret keys during the wp-config creation process (wp-admin/setup-config.php). As part of that, we decided to add the defines for the salts to the sample wp-config file as well.

    Not having the salt definitions does not make your install less secure, however. Without them, salts are generated for you and stored in the database. We just added and pre-filled them for inclusiveness. So if you just have the four keys, you’re fine.

    • Jeff Starr

      Thanks for fleshing out the development specifics. The information in the article corresponds to the security-key section in the WordPress Codex, which may need updating. Specifically it says:

      AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT were added later with Version 3.0.

      Also want to emphasize that it’s the four salts that are unnecessary – the four keys are required for a site to benefit from the added security.

  2. If you’re running WordPress 3.0 and see fewer than eight security keys, it’s totally safe to replace what you have with a complete set.

    You may want to warn people that doing so can bork their cookies, and they’ll have to log out, flush cookies, and log back in :)

  3. Deepesh Chetariyil September 10, 2010

    Thanks for the tip!

  4. Why doesn’t WordPress just generate random values for the 8 keys automatically after the installation completes?

    I think it will make WP more secure at default installation…

    • It does exactly that.

      Only if you set up your wp-config manually, or haven’t updated your wp-config file with new keys for a few versions, will this be of use.
