May 19, 2008
Tip and Trick Editorial

Make WordPress Blog More Secure Using Secret Key

A new security feature was added in WordPress 2.5 and is carried into all later versions (including the just-released WordPress 2.5.1). A Secret Key defined in the wp-config.php file strengthens the security of the passwords used by a WordPress blog, or more specifically password hashing and cookie security.

If you look at the wp-config-sample.php that ships with WordPress 2.5 or later, there are new lines that show the option added in WordPress 2.5:

// Change SECRET_KEY to a unique phrase. You won't have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

When defined in the wp-config.php file, the Secret Key is used as a 'seed' to generate a hard-to-guess, individually unique random value that goes into the hash WordPress computes when protecting passwords, especially for cookie authentication. Compared with every blog sharing the same 'seed' (no Secret Key), giving each blog its own unique Secret Key reduces the chance that hackers can crack the passwords, making it almost impossible.

Setting up a Secret Key is therefore highly recommended to increase the security protection of the blog. To set it up, simply modify the following line (or add it if you are upgrading to WordPress 2.5) in the wp-config.php file:

define('SECRET_KEY', 'put your unique phrase here');

Change 'put your unique phrase here' to a long, strong, random string of mixed characters. Length is not restricted, but a phrase longer than 60 characters is recommended. The key word is 'random': mixing upper- and lower-case letters, special characters, punctuation marks and numbers into the most complex string possible is best. With a non-random string, an attacker may be able to brute force the default WordPress salt generation process to gain access to your blog.

If you are not feeling creative, WordPress has a random secret key generator that produces a completely random key for you. To use it, simply go to this URL:

http://api.wordpress.org/secret-key/1.0/

Then just copy and paste the entire line to replace the existing line in wp-config.php (or insert it into wp-config.php if you are using a pre-WordPress 2.5 wp-config.php).
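A quick audit of what is recommended above, as an added example that is not code from this article or from WordPress: it pulls the SECRET_KEY define out of wp-config.php text and flags the sample placeholder, a value shorter than 60 characters, or a value lacking character variety. The config lines below are constructed samples, and the value is assumed to contain no quote characters.

```python
import re

PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
MIN_LEN = 60                                  # length recommended above

# Matches define('SECRET_KEY', '...'); with single or double quotes.
# Assumption: the value itself contains no quote character.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])SECRET_KEY\1\s*,\s*(['"])(.*?)\2\s*\)\s*;""")


def extract_secret_key(config_text):
    """Return the SECRET_KEY value from wp-config.php text, or None if not defined."""
    for line in config_text.splitlines():
        # Skip commented-out lines so a comment mentioning SECRET_KEY is not mistaken for a define.
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        m = DEFINE_RE.search(line)
        if m:
            return m.group(3)
    return None


def check_secret_key(config_text):
    """Return a list of findings; an empty list means the key meets the recommendations."""
    key = extract_secret_key(config_text)
    if key is None:
        return ["SECRET_KEY is not defined (pre-2.5 config, or the line is missing)"]
    findings = []
    if key.strip() == "" or key == PLACEHOLDER:
        findings.append("SECRET_KEY still holds the sample placeholder value")
    if len(key) < MIN_LEN:
        findings.append(f"SECRET_KEY is {len(key)} chars; at least {MIN_LEN} recommended")
    # Count the character classes present: lower, upper, digits, punctuation/other.
    classes = [any(c.islower() for c in key), any(c.isupper() for c in key),
               any(c.isdigit() for c in key), any(not c.isalnum() for c in key)]
    if sum(classes) < 3:
        findings.append("SECRET_KEY should mix upper, lower, digits and punctuation")
    return findings


# Constructed sample config lines (not real keys).
SAMPLE_DEFAULT = "define('SECRET_KEY', 'put your unique phrase here'); // Change this"
SAMPLE_GOOD = "define('SECRET_KEY', 'k4#Zp9!Wq2$Rt7%Yu1^Io3&Pa5*Sd8(Fg0)Hj6_Kl2+Zx4=Cv7-Bn9Mm1Qw3Ee5');"
SAMPLE_SHORT = "define('SECRET_KEY', 'hunter2');"

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("good", SAMPLE_GOOD), ("short", SAMPLE_SHORT)]:
        print(name, check_secret_key(text) or "OK")
```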

After adding the secret key, all login sessions will be invalidated, and every user will have to log in again.
