About the “Warning! WordPress Encrypts User Cookies” Error

Upgrading from older versions of WordPress is designed to go without a hitch, but depending on the setup and the two versions involved, you may encounter some hangups along the way. For example, if you are upgrading from a version of WordPress older than 3.0, eventually you may encounter the dreaded “Warning! WordPress Encrypts User Cookies” error. This quick DigWP tutorial explains what it is, why it happens, and how to fix the problem asap.

The error message

For those who are experiencing this “encrypted cookie” issue, the error message that’s displayed looks something like this:

Warning! WordPress encrypts user cookies …

This error happens when trying to log in or when you try to do things in the Admin Area. Basically you keep getting logged out for no apparent reason.

Why it happens

Fortunately there is an easy solution for the “WordPress Encrypts User Cookies” error. Open your site’s wp-config.php file. Scroll down the file to just after the database credentials. Depending on your version of WordPress, you should find something like this:

/**#@+
 * Authentication Unique Keys and Salts.
 *

..followed by a set of 3, 4, or 8 (depending on WP version) constant definitions. For example, in the latest version of WordPress (5.0), there are EIGHT Unique Keys and Salts, waiting to be filled with random characters:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

The problem is that the number of these keys has changed along with WordPress. For those with better things to do, here is a brief history:

WordPress < 2.6

WP 2.6 has no secret keys:

[ none ]

WordPress 2.6

WP 2.6 has three secret keys:

define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');

WordPress 2.7 — 2.9

WP 2.7 thru 2.9 have four secret keys:

define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'put your unique phrase here');

WordPress >= 3.0

Versions of WP greater than or equal to 3.0 have eight secret keys:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

What does this mean? It means that when you upgrade from an older version of WordPress, the number of Unique Keys and Salts may not be the same. And so, if the latest version of WordPress is expecting eight secret-key constants, but your site’s wp-config.php only contains four constants, you’re gonna get the “WordPress Encrypts User Cookies” error.

The solution

To resolve the “encrypts cookie” error, you need to update your site’s Unique Keys and Salts (secret keys), so as to provide the correct number of key constants. So if your old WP site only has three key constants, and you upgrade to WordPress 5.0, you will need to add the five missing constants (for a total of eight), so that WordPress can operate normally and without error.

Example: Upgrade from any version of WP, to the latest version of WP

If you are upgrading from any version of WP to the latest version, you can fix the error by simply replacing your existing secret keys with a brand new set. To do so, visit the WordPress Keys & Salts Generator, copy the results, and replace your existing keys with the freshly generated code. Then save changes, upload to your server and done. Once the new, complete set of keys is added, the encrypted-cookie error will disappear.

Other upgrade paths

As explained previously, your site’s wp-config.php file should have the same number of constants that is expected by WordPress. Although ideally everyone everywhere always would update to the latest version of WordPress, we know that’s just not a realistic expectation.

So for any other “non-latest” upgrade path that you may be taking, just make sure that your new version of WordPress has the correct number of secret keys defined. Check out the previous section for a list of WP versions and their respective number of Unique/Key salts.