This tutorial is part of our tutorial series on WordPress Security. In this tutorial, you will learn what WordPress security keys are and how they are used to keep your WordPress site secure.
WordPress Security Keys
When users log into WordPress, their login session information is stored in their web browser by way of web browser cookies (as opposed to being stored in the website’s server).
As storing any kind of information in a web browser represents a potential security risk, WordPress needs to use a secure method to manage login sessions.
Typically, most login usernames and passwords tend to be simple strings of characters, and so, if all the browser cookies did was to store these login details without any added security layers, a username/password combination would be easily broken.
To make the information stored in browser cookies harder to crack, WordPress uses ‘Security Keys’ (also referred to as ‘Secret Keys’) to add more complex layers of security to your site.
What Are Security Keys?
WordPress Security Keys are a set of random strings of text and numbers that improve the security of your WordPress site by improving the way information is encrypted and stored in users’ cookies.
The screenshot below shows an example of what WordPress ‘secret keys’ look like …
The long random strings used to calculate the cookie hash in the screenshot above are the WordPress Security Keys. These keys are configured in your wp-config.php files.
WordPress uses four security keys:
As stated in the official WordPress site …
A secret key makes your site harder to hack by adding random elements to the password.
In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, unpredictable password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination. A ‘salt is used to further enhance the security of the generated result.
The four keys are required for the enhanced security. The four salts are recommended, but are not required, because WordPress will generate salts for you if none are provided. They are included in wp-config.php by default for inclusiveness.
(Source: WordPress Codex)
Note that the above also refers to something called ‘salts’.
According to Wikipedia …
A salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks and pre-computed rainbow table attacks.
A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. Hashing allows for later authentication while defending against compromise of the plaintext password in the event that the database is somehow compromised.
Cryptographic salts are broadly used in many modern computer systems, from Unix system credentials to Internet security.
‘Salts’ are important because they make WordPress ‘Security Keys’ even harder to crack. If these salts are compromised, the security behind WordPress authentication is significantly weakened.
In fact, according to a WordPress code expert, it’s 200,000,000,000,000,000,000,000,000,000,000 times easier to hack into the WordPress authentication cookie if you know the keys.
Using ‘Secret Keys’ and ‘Salts’, therefore, significantly increases the security of your WordPress sites.
How To Use WordPress Security Keys
Adding WordPress security keys is a very simple and easy process.
Note: You will need to have access to your wp-config.php file (located in your WordPress installation folder where all of your other WordPress folders and files are stored) and know how to use FTP.
All you have to do to create WordPress security keys is to make them long, random and complicated.
You don’t have to remember the keys, just use the online secret key generator located here:
The online Secret Key generator tool is very simple. As soon as you visit the URL above, a completely random set of security keys will be generated …
To generate a new set of random characters, refresh your browser …
And a new set of security keys will be generated …
Once you have generated your security keys, copy everything and save it to a plain text file. You will need these in just a moment.
The next step is to add them to your wp-config.php file.
Adding Security Keys To Your WP Config File
If you are changing the security keys for an active WordPress site, launch your FTP application and locate the WordPress installation files on your server …
Editing the wp-config file incorrectly can destroy your WordPress site permanently!
Make a back up of your wp-config.php file before editing the file. This way, if something goes wrong with the edited file, you can replace it with the original copy of the file and recover your site.
Open the file using a plain text editor like Notepad, then scroll down the file until you find the ‘Authentication Unique Keys and Salts’ section …
Select the entire section from define(‘AUTH_KEY’ … to the very last symbol of the define(‘NONCE_SALT’ ….); line and replace this section with your new security keys …
Save your wp-config.php file and reupload it to your server, overwriting the old wp-config.php file.
Typically, you would also add the security keys to your wp-config.php file when installing or re-installing WordPress manually.
If so, you will need to download the latest copy of the WordPress installation files from WordPress.org, then extract and locate the “wp-config-sample.php” file inside the folder containing the WordPress installation files you have extracted …
Rename this file to “wp-config.php” by clicking on the file name and deleting “-sample” …
You will need to insert the Secret Keys and Salts into this file.
If you already have your keys, then use these – you should have copied them to a text file.
If you haven’t obtained your security keys yet, copy the URL of the online secret key generator shown inside the file and paste it into your browser to visit the WordPress secret-key service generator site and get your unique authentication keys …
Select and copy everything to your clipboard as shown in the screenshot below …
Go back to your “wp-config.php” file. Select the entire template section and replace it with the contents of your clipboard …
Once you have pasted the new values into your file, check to make sure that everything is ok, then resave and close the “wp-config.php” file …
Save your wp-config.php file, and you are done.
To learn how to add Security Keys when installing WordPress, see the tutorial below:
Security Keys – Additional Information
- For the sake of keeping your WordPress site secure, it’s recommended that you change the security keys on your site every so often.
- You don’t need to remember or store the security keys. Once you have added this information to the wp-config.php file you are done.
- If you are logged into your WordPress admin panel when performing the security key operations described above, then you will be asked to log back into your site again.
- You can change security keys at any point in time to invalidate all existing cookies. If you do this, all users will need to login again.
"This is an awesome training series. I have a pretty good understanding of WordPress already, but this is helping me to move somewhere from intermediate to advanced user!" - Kim Lednum