Make WordPress Blog More Secure Using Secret Key

A new security feature has been added since WordPress 2.5 and all future versions (including WordPress 2.5.1 that just been released). The Secret Key is been added to wp-config.php file to enhance the security passwords used by WordPress blog, or more specifically the password hashing and cookie security.

If you check out the wp-config-sample.php comes with WordPress 2.5 or later, there is a new lines that indicates the new option added in WordPress 2.5

// Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define(’SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.

The Secret Key, when definied in wp-config.php file, is used a s a ’seed’ to create and generate a hard-to-guess and individually unique random number when calculating hash value for WordPress to encrypt password, especially on cookie authentication. Comparing with when every blog has the same ’seed’ (no Secret Key), by using a different Secret Key which is different and unique for each blog, it reduces that possibility that hackers may crack the passwords, or almost impossible to crack.

Thus setting up a Secret Key is highly recommended to increase the security protection of the blog. To set up the Secret Key, simply modify the line (or add in the line if you’re upgrading to WordPress 2.5) in wp-config.php file:

define(’SECRET_KEY’, ‘put your unique phrase here’);

Change the ‘put your unique phrase here’ to a long, strong and random mixed character strings. Length is not restricted, but it’s recommended to put the phrase to be longer than 60 characters. The key is ‘random’, which means mixing around upper and lower case, special characters, punctuation marks, and numbers to a most complex string is the best. For not random string, it may be possible for an attacker to brute force the default WordPress SALT generation process to gain access to your blog.

If you’re not creative enough, WordPress has a random secret key auto generator that generates a completely random key for user. To use it, simply to to this URL:

http://api.wordpress.org/secret-key/1.0/

Then just copy and paste the entire line to replace the existing line in wp-config.php (or insert it into wp-config.php if you’re using pre-WordPress 2.5 wp-copnfig.php.

After adding in the secret-key, all login session will be invalidated, and every users will have to re-login again.

Related Articles

• How to SEO Optimize WordPress 2.5 Blog Web Page Title Without Optimal Title Plugin
• How to Fetch and Show RSS Feeds on WordPress Blog (Atom/RSS Aggregator Plugins)
• WordPress 2.5.1 Released for Download
• Call to Undefined Function: wp_constrain_dimensions() When Uploading Images or image_downsize() in Gallery/Media Library in WordPress 2.5
• Embed PowerPoint Presentation Files in Blog or Website With Web-Based Service authorSTREAM
• Call To Undefined Function: ctype_digit() in WordPress 2.5
• Call to Undefined Function get_currentuserinfo() Error in WordPress
• PHP Fatal Error on Call to Add_Query_Var in Taxonomy.php After Upgrading to WordPress 2.5 RC2
• WordPress 2.5 RC2 Released for Download
• Remove Password and Unlock Protected PDF Which Allowed To Be Printed Without Knowing Secret

This entry was posted on Monday, May 19th, 2008 at 1:29 am and is filed under Web Publishing. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.