WordPress Security Keys
In our recent post on pimping the wp-config.php file, we explain that using strong Security Keys is an important part of securing your WordPress installation. In this post, we want to zoom-in on Security Keys and look at what they are, how they work, and how to use them to greatly improve the security of your site.
Eight keys, one file, one step.
In a nutshell, WordPress Security Keys refer to four authentication keys and four hashing salts (random bits of data) that work together to add an extra layer of security to your cookies and passwords. Security Keys exist as single-line definitions in your WordPress configuration file, the honorable wp-config.php.
WordPress Security Keys work OK out-of-the-box, but require a bit of customization to make them super-strong. As of WordPress 3.0, there are eight security keys, introduced in the following versions:
- WordPress 2.6: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY
- WordPress 2.7: NONCE_KEY
- WordPress 3.0: AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT
These eight Security Keys are located in your wp-config.php file just after the database credentials. They have their own little section that looks like this:
/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
/**#@-*/
As the code comments say, you want to replace these default keys with long (60+ characters) sequences of random, unique characters. Each key needs to be completely random and different from the others. You can either do this manually or visit the online secret-key service for automatic key generation. When you visit the key service, you’ll get something similar to this:
define('AUTH_KEY', 'pK/7r(|,BK+X=|dzrK}Y|ttP%+8u<$so#|`zUrA*RIxNSfgo$-w|UrQ#)RR8+DEz');
define('SECURE_AUTH_KEY', ')|IL/>/**t|;6/z,LMC3xs>X5#+,?>ZH#>2F8ik|LziZhk+YogW<h?n^O2W|_I?K');
define('LOGGED_IN_KEY', 'w3+SAaRLl]22i{|#-7>76i>qHV-P5d<{Q3tRh5D2|<L>XKHpbD-I@(51Rd2W|Z#7');
define('NONCE_KEY', 'SPD.R?ynL?qf|NXW#n(jO%kmz=]_+n|DiHrN549u>Ea{v!${-9lhoZ#.z7k(85n:');
define('AUTH_SALT', '|6f>K{-aje<<FUp{N(s-NOh-}/g&+10/V]1Z7RP*IV6u3SRi-=M*Hf8:L$|.0Nwp');
define('SECURE_AUTH_SALT', 'mo>b+| dr(mY??KSkZe[dOmuoAu|qla<4q]>=EY;6&-YXt#:],T<)0FJuc9FdwtG');
define('LOGGED_IN_SALT', '*8u:v_n,-L`FJ+qyE*fm`kzw|G%m!B^J|!8?]kK?,#5vO2#*f~PL=|tw?Chg+{o)');
define('NONCE_SALT', '7+%dZ!tcm{2K+l(JPL7d<-B;.Jb7Cx.lj%9xQ|(ftY*|1+Qgl6q*m%L,n<.8?WXI');
Just copy/paste the entire block of code and replace the eight default keys with the eight random keys. With this step complete, your WordPress Security Keys are providing strong security for your site’s cookies and passwords. Of course, there are many other ways to optimize your wp-config.php file if you enjoy that sort of thing ;)
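As an added example (not code from this post or from WordPress itself), the following Python script does the two things the steps above describe without going online: it generates a replacement block of eight define() lines at the same 64-character length the key service hands out, and it audits an existing wp-config.php for keys that are missing, still the placeholder, too short, or reused across two definitions. The regex, the character set and the length threshold are my assumptions.

```python
import re
import secrets
import string

# The eight constants WordPress expects in wp-config.php (names from the post).
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
DEFAULT_PHRASE = "put your unique phrase here"
MIN_LENGTH = 64  # the secret-key service hands out 64-character values

# Assumption: printable ASCII minus quote, backslash and whitespace, so each
# value drops into a single-quoted PHP string without escaping.
ALPHABET = "".join(c for c in string.printable if c not in "'\\" + string.whitespace)

# Matches define('NAME', 'value') and tolerates backslash escapes in the value.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")


def generate_block() -> str:
    """Return eight define() lines, each with a fresh CSPRNG-derived value."""
    lines = []
    for name in WP_KEYS:
        value = "".join(secrets.choice(ALPHABET) for _ in range(MIN_LENGTH))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


def audit_config(text: str) -> dict:
    """Map each problematic key name to a reason; an empty dict means all good."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)
             if m.group(1) in WP_KEYS}
    problems = {}
    for name in WP_KEYS:
        if name not in found:
            problems[name] = "missing"
        elif found[name] == DEFAULT_PHRASE:
            problems[name] = "still the default placeholder"
        elif len(found[name]) < MIN_LENGTH:
            problems[name] = f"only {len(found[name])} chars, want >= {MIN_LENGTH}"
    first_seen = {}  # value -> first key that used it
    for name, value in found.items():
        if value in first_seen and name not in problems:
            problems[name] = f"same value as {first_seen[value]}"
        first_seen.setdefault(value, name)
    return problems


if __name__ == "__main__":
    print(generate_block())
```

Run it with no arguments to print a fresh block you can paste over the placeholders; call audit_config() on the contents of wp-config.php to check a site you did not set up yourself.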
Some Notes on WordPress Security Keys and Salts
So far we need to remember only one thing: replace the default Security Keys with random ones. Simple, yes, but there are a few additional things to keep in mind when setting your keys:
- Security Keys may be changed (or added) at any time
- Any logged-in users will need to log in again after changing your keys
- The default set of eight Security Keys is also available in the wp-config-sample.php file
- Never reveal your Security Keys to anyone – never post them online
Also keep in mind that wp-config.php is normally not modified when updating WordPress. The wp-config-sample.php file is replaced, so you can use it for reference if needed. If you’re running WordPress 3.0 and see fewer than eight security keys, it’s totally safe to replace what you have with a complete set. Other than logged-in users needing to log in again, your more-secure WordPress installation will roll on without skipping a beat.
9 responses
-
SECRET_KEY and SECRET_SALT were introduced in 2.5. In 2.6, WordPress introduced better wp-admin SSL support and also separate cookies for the frontend and admin. Thus the two original defines were replaced with AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY, and three corresponding salts.
NONCE_KEY and NONCE_SALT were separately introduced in 2.7.
In 3.0, we added some code to fetch and pre-fill secret keys during the wp-config creation process (wp-admin/setup-config.php). As part of that, we decided to add the defines for the salts to the sample wp-config file as well.
Not having the salt definitions does not make your install less secure, however. Without them, salts are generated for you and stored in the database. We just added and pre-filled them for inclusiveness. So if you just have the four keys, you’re fine.
-
“If you’re running WordPress 3.0 and see fewer than eight security keys, it’s totally safe to replace what you have with a complete set.”
You may want to warn people that doing so can bork their cookies, and they’ll have to log out, flush cookies, and log back in :)
-
Thanks for the tip!
-
Why doesn’t WordPress just generate random values for the 8 keys automatically after the installation completes?
I think it will make WP more secure at default installation…
-
It does exactly that.
Only if you set up your wp-config manually, or haven’t updated your wp-config file with new keys for a few versions, will this be of use.