How To Set up secret keys in WordPress 2.6+
I have been a security freak for all of my websites. A few of my websites have been hacked in the past, and I hate the period. I have written a post in the past about how to protect your blog from hackers. Today I will talk about another key thing that WordPress has, which makes it a lot more secure than people think.
A client recently told me that WordPress is open source software and hence not secure. That is understandable coming from someone who does not know anything about WordPress. Yes, a lot of open source software has some security issues, but WordPress is getting stronger and stronger after each release.
From WordPress 2.6 onward, the release includes a secret keys feature, which adds an extra layer of security to your blog. To set it up, open your wp-config.php file and, right after the other define statements, add the following:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
You’ll find these lines in the wp-config-sample.php file as well.
These three unique phrases should be random. Anything 60+ characters and relatively random will work. They should each be different. In other words, you need three phrases, not one.
Note that doing this will invalidate all your login cookies, so everybody on your site will have to log in again, but it will greatly increase the cookie strength of WordPress 2.6. This means that your login cookies, if intercepted, won’t be able to be reproduced as easily. It also means that somebody who gains read-only access to your database through some other means won’t be able to log in to your site.
** DO NOT SHARE YOUR SECRET KEYS BECAUSE THEN THEY WON’T BE SECRET **
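As an added example (not code from the original post or from WordPress), this Python script checks the text of a wp-config.php for keys that are missing, still set to the placeholder, shorter than the 60 characters suggested above, or reused, and generates replacement lines from the operating system's CSPRNG. The function names, the character set and the sample config are assumptions made for this example.

```python
import re
import secrets
import string

# The four constants named in the define lines above.
KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY"]
PLACEHOLDER = "put your unique phrase here"
MIN_LEN = 60  # the post's "60+ characters" guidance
# Characters that need no escaping inside a single-quoted PHP string (assumed set).
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;""")

def audit(config_text):
    """Return {key: [problems]} for each key that is missing or weak."""
    found = {k: v for k, v in DEFINE_RE.findall(config_text) if k in KEYS}
    problems = {}
    for key in KEYS:
        issues = []
        if key not in found:
            issues.append("missing")
        else:
            value = found[key]
            if value == PLACEHOLDER:
                issues.append("placeholder")
            if len(value) < MIN_LEN:
                issues.append("short")
            if any(value == v for k, v in found.items() if k != key):
                issues.append("duplicate")
        if issues:
            problems[key] = issues
    return problems

def generate_defines(length=64):
    """Build fresh define() lines from the OS CSPRNG."""
    rand = lambda: "".join(secrets.choice(ALPHABET) for _ in range(length))
    return "\n".join("define('%s', '%s');" % (key, rand()) for key in KEYS)

# Constructed sample: two untouched placeholders, one short key, one key absent.
SAMPLE = """<?php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'hunter2');
"""

if __name__ == "__main__":
    for key, issues in audit(SAMPLE).items():
        print(key, "->", ", ".join(issues))
    print(generate_defines())
```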

Hey, I am Syed Balkhi, the guy who is behind Balkhis Inc. I entered the industry back in 2002 not knowing a single thing. I barely spoke English at that time. In the past six years, my language barrier has been eliminated. Aside from English, I now also speak HTML and PHP. Along with the languages, I have also managed to master a few arts. The art of web designing started when I first entered. Messing around with Photoshop, I learned how to create my first web design. Now I have founded a web designing firm, Uzzz Productions. After running numerous websites in various niches, I have mastered the art of web development. Now I am compiling a resource of what I already know, and what I am learning, on this blog. This resource is to help me if I ever need a guide to look back to, and it is to help my fellow webmasters.

Thank you for this good advice.
Anything similar to this for Blogger?
I think that problem is really actual, the recommended tips might be useful.
Thank you for helpful advice
Thanks for this, Syed. I’ve never been hacked but that doesn’t mean I should keep my site safe!
Thanks for sharing. WordPress is a pretty unsecure system, and we have seen many hacks in the past. So every new step in making it more secure is very useful.
Hmm… I didn’t know anything about that. Thanks!
I am not aware of secret keys in wp 2.6 or 2.7 version. Great finding there.
Thanks for the information. I’ve seen that before but didn’t know how to use.
Haven’t done this yet so will head over to all my blogs and do it, thanks for the tip!
Hmm a really nice find, especially for the big money making blogs. This should definitely be a must.