What is WordPress Secret Keys and Salt

With the recent attacks of counter-wordpress malware, I did a lot of work to make sure that Makewebworld is safe and secure for our visitors.

I also went ahead and did an article on How to remove counter-wordpress malware and just by seeing the number of visitor for that article I can say it helped few people recovering their blogs and make it safe.

One of the things was to change WordPress Secret Keys and Salt to make it more safe after that attack, So I thought of doing this post to give more exposure to this feature.

Image: jannoon028

It is an added security measure, which will help making the blog more secure.

It will look like this in wp-config.php file (Below are the sample keys and salt, do not use them in your blog).

define(‘AUTH_KEY’,          ‘t`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|’);
define(‘SECURE_AUTH_KEY’,   ‘D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj’);
define(‘LOGGED_IN_KEY’,     ‘MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^’);
define(‘NONCE_KEY’,         ‘FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe’);
define(‘AUTH_SALT’,         ‘7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G’);
define(‘SECURE_AUTH_SALT’, ‘I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #’);
define(‘LOGGED_IN_SALT’,    ‘w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i’);
define(‘NONCE_SALT’,        ‘a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%’);

What is Security Key

In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. It is a random generated key which should not be disclosed in any means.

In the current version of WordPress there are 4 security Keys named AUTH_KEY, SECURE_AUTH_KEY, NONCE_KEY and LOGGED_IN_KEY. These 4 keys are required.

You can have any random character string as a key, If you are unsure than a random key generator from WordPress can help you on this.

These keys will be used to sign the cookies for your site.

• LOGGED_IN_KEY – It will be used to generate a cookie for a logged in user and this cookie can’t be used to make changes on the blog.
• SECURE_AUTH_KEY – It is used to sign an auth cookie for SSL admin and these cookie can be used to make changes on blog. (With the new version there will be two type of auth cookie one for SSL and other for non-SSL)
• AUTH_KEY – It is used to sign the auth cookie for the non-SSL. These can also be used to make changes on blog.
• NONCE_KEY – It is used to sign the nonce key which protects the nonces from being generated, protecting you from certain forms of attacks where a hacker attempts to guess the nonce.

What is Salt

Salt is an addition to the secret keys. They works with the keys.

As according to the keys there are 4 salts named as AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT.

You don’t need to define them, but it is a good practice to have them in your wp-config.php file. If you don’t define those than WordPress will generate it automatically.

These can also be a random complex string and you can define them either by yourself or through the online random key generator.

How you will change the WordPress Secret Keys and Salt

You should change those sample phrases to unique, preferably random phrases.  Each key phrase should be different.

Visit https://api.wordpress.org/secret-key/1.1/salt/ to get a set of random keys and salt, which can be cut-and-paste into your wp-config.php.

So when you have an issue with your site, you can go ahead and change your WordPress Secret Keys and Salt. This will invalidate all the cookies setup for your site and all users have to login again to get access to your site.

What is your opinion about the WordPress Secret Keys and Salt, Do you change them in case of attacks and issues. Share us through Comment Section.