Using unique WordPress authentication keys and salts is a very important step in securing a WordPress installation. Also known as the WordPress security keys, they are used by WordPress to strengthen the hashing of the information stored in a user's cookies when logged in to a WordPress website or blog, and they also improve the protection of the session when the WordPress dashboard is visited over SSL.
This article explains what the WordPress unique authentication keys and salts (WordPress security keys) are, how they work and how to configure them.
How are the Authentication Unique Keys and Salts Used?
Like with almost any other web application, when you login to WordPress it creates a number of cookies on your computer. Two of the cookies created are:
- wordpress_[hash]
- wordpress_logged_in_[hash]
The first cookie is used only in the admin pages (WordPress dashboard), while the second cookie is used throughout WordPress to determine whether or not you are logged in. Note: [hash] is a random hashed value typically assigned to your session, so in reality the cookie's name would be something like wordpress_ffc02f68bc9926448e9222893b6c29a9.
WordPress stores your authentication details (i.e. WordPress username and password) in both of the above mentioned cookies. The authentication details are hashed, hence it is almost impossible for anyone to reverse the hash and recover your password from a cookie should it be stolen. By almost impossible we mean that, with today's computers, it is practically unfeasible to do so.
The authentication details in these cookies are hashed using the random pattern specified in the WordPress security keys.
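To make the above concrete, here is an added example (not code from the article or from WordPress itself) that models how a login cookie is signed with a key and salt: the cookie carries the username, expiry and session token in the clear plus an HMAC, and the HMAC is keyed from a fragment of the stored password hash together with KEY+SALT, so changing either key or salt invalidates every existing cookie. The key/salt values, the password fragment "b7e2" and the token are constructed for this example; the structure follows WordPress's wp_generate_auth_cookie() but is a simplified model, not its exact code.

```python
import hashlib
import hmac
import time

# Constructed sample values for this example only; never reuse them.
AUTH_KEY = "example-AUTH_KEY-for-illustration-only"
AUTH_SALT = "example-AUTH_SALT-for-illustration-only"


def wp_salt(key: str, salt: str) -> str:
    """Model of wp_salt(): the scheme's KEY and SALT are concatenated."""
    return key + salt


def _cookie_hash_key(username, pass_frag, expiration, token, key, salt):
    # Model of wp_hash(): an HMAC over the cookie fields plus a fragment of
    # the stored password hash, keyed with KEY+SALT. The password itself never
    # appears in the cookie; only this derived value feeds the signature.
    data = f"{username}|{pass_frag}|{expiration}|{token}"
    return hmac.new(wp_salt(key, salt).encode(), data.encode(),
                    hashlib.md5).hexdigest()


def generate_auth_cookie(username, pass_frag, expiration, token, key, salt):
    """Model of wp_generate_auth_cookie(): username|expiration|token|hmac."""
    derived = _cookie_hash_key(username, pass_frag, expiration, token, key, salt)
    body = f"{username}|{expiration}|{token}"
    mac = hmac.new(derived.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def validate_auth_cookie(cookie, pass_frag, key, salt, now=None):
    """Return the username if the cookie verifies and has not expired, else None.
    The caller supplies pass_frag from the user's stored password hash."""
    try:
        username, expiration, token, _mac = cookie.split("|")
        expiration = int(expiration)
    except ValueError:
        return None  # malformed cookie
    if expiration < (now if now is not None else int(time.time())):
        return None  # expired
    expected = generate_auth_cookie(username, pass_frag, expiration, token, key, salt)
    # Constant-time comparison of the whole cookie (fields plus HMAC).
    if not hmac.compare_digest(expected.encode(), cookie.encode()):
        return None  # tampered, or key/salt rotated since issue
    return username


if __name__ == "__main__":
    c = generate_auth_cookie("alice", "b7e2", 1_800_000_000, "tok123", AUTH_KEY, AUTH_SALT)
    print(validate_auth_cookie(c, "b7e2", AUTH_KEY, AUTH_SALT, now=1_700_000_000))
    print(validate_auth_cookie(c, "b7e2", AUTH_KEY, "rotated-salt", now=1_700_000_000))
```

Rotating AUTH_SALT (or AUTH_KEY) makes validation of the previously issued cookie return None, which is the mechanism behind the "change the keys to kick out a hijacked session" advice later in the article.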
What are WordPress Security Keys and Salts?
WordPress security keys are made up of four authentication keys and four hashing salts (random data) that, used together, add an extra layer of protection to your cookies and passwords. Below is a screenshot of already configured WordPress security keys in the wp-config.php file (do not use the below sample for your installation):
If the WordPress security keys are not yet configured, they look as per the below screenshot in the wp-config.php file:
A Little Bit of WordPress Security Keys History
There are 8 WordPress security keys, but not all of them were introduced at the same time. Below is a list highlighting the version in which each key or salt was introduced:
- WordPress 2.6: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY
- WordPress 2.7: NONCE_KEY
- WordPress 3.0: AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT
Configuring WordPress Security Keys
To configure the WordPress security keys in wp-config.php file, follow the below procedure:
- Open the WordPress wp-config.php file
- Search for Authentication Unique Keys and Salts. This section should be just after the database credentials unless you moved the database credentials out of your wp-config.php file.
- Specify a random value of 60+ unique characters for each key and salt by replacing the placeholder text "put your unique phrase here". You can use the online WordPress security key generator for automatic generation of the keys.
- If you are using the online WordPress security key generator, simply copy the entire block of code and replace the eight default key values in your wp-config.php file.
- Save the wp-config.php file.
WordPress Authentication Unique Keys and Salts Notes
- You do not need to remember the WordPress security keys values. You only configure them once in the wp-config.php file and can forget about them.
- Any users who are logged in will need to log in to WordPress again if the WordPress security keys are changed while they are logged in.
- Never disclose your WordPress security keys to anyone or post them online.
- WordPress security keys can be changed at any time.
- The wp-config.php file is not modified when updating WordPress, hence you might have fewer security keys and salts in your wp-config.php file than the current version expects. If that is the case you can safely specify the 8 keys. Use the wp-config-sample.php file as a reference.
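The following is an added example (not the article's or WordPress's own code) covering both the configuration procedure above and the last note: it audits the text of a wp-config.php file for keys that are missing, still set to "put your unique phrase here", or shorter than the recommended 60 characters, and it generates a fresh block of eight define() lines. It assumes the keys are written with single-quoted define('NAME', 'value') lines as in wp-config-sample.php; the generator avoids quote and backslash characters so the value cannot break the PHP string literal.

```python
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 60

# Non-whitespace printable ASCII, minus the characters that would break a
# single-quoted PHP string literal (single quote, backslash) and double quotes.
ALPHABET = "".join(c for c in string.printable[:94] if c not in "'\\\"")

# Matches define('NAME', 'value'); allowing backslash escapes inside the value.
_DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")


def generate_key(length: int = 64) -> str:
    """Cryptographically random key/salt value using the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_block() -> str:
    """Eight define() lines ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{generate_key()}');" for name in KEY_NAMES)


def audit_wp_config(text: str) -> dict:
    """Map each expected key name to 'missing', 'placeholder', 'short' or 'ok'."""
    found = {m.group(1): m.group(2) for m in _DEFINE_RE.finditer(text)}
    report = {}
    for name in KEY_NAMES:
        if name not in found:
            report[name] = "missing"        # older wp-config.php, see note above
        elif found[name] == PLACEHOLDER:
            report[name] = "placeholder"    # never configured
        elif len(found[name]) < MIN_LENGTH:
            report[name] = "short"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    # Constructed sample of a partially configured wp-config.php.
    sample = ("define('AUTH_KEY', 'put your unique phrase here');\n"
              "define('SECURE_AUTH_KEY', 'too-short');\n")
    print(audit_wp_config(sample))
    print(generate_block())
```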
Improved WordPress Security
Configuring WordPress security keys is a very important step in securing your WordPress installation. Also, should you ever suspect that your WordPress cookies have been stolen and your session hijacked, change the WordPress security keys so that the attacker's cookies are invalidated and cannot be used to hijack your account.
8 comments
I have two files… one is config.php and the other one is config-sample.php… please let me know which one to change….
Hi Abhi,
The config-sample.php is used by WordPress during the installation to generate a new config file, so it can be deleted. Use wp-config.php file.
I'm trying to configure some software that posts to WordPress.
It is asking me for a Key and a Secret.
I'm assuming I can use the AUTH_KEY but not sure where to find the Secret.
Any advice?
Hello Luis,
It depends on what software it is and what you have configured on your WordPress (2FA maybe?) but I doubt it is the AUTH_KEY. You can send us an email on support@wpwhitesecurity.com and we can assist you.
Thank you for providing this excellent post with helpful information. WP security keys and salts can also now be updated automatically using the handy Salt Shaker plugin (https://wordpress.org/plugins/salt-shaker/).
Thanks for letting us know about the plugin Kenny! Seems like a good one.
Hi, should I update default generated keys? or just if they are not configured?
No there is no need to update the keys that are generated by WordPress since they are randomly generated with every new install.