Don't forget to generate your WordPress secure cookie keys!

Hey all, just a quick post on WordPress authentication keys.

You may have noticed that in the newer versions of WordPress, the wp-config.php file contains a block of code asking for key passphrases.

That is to support encrypted cookies for your users when they log in. If you don't generate the keys, the cookies on the site are passed unencrypted. Even with HTTPS/SSL, WordPress uses cookies to maintain the login session; if an attacker gets hold of a user's cookie and your site does not encrypt it, the attacker can use it to gain access to the account, provided the cookie/session has not expired. To add this layer of security, just follow this simple step:

Go over to your wp-config.php file; you will see the following block:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Now go over to https://api.wordpress.org/secret-key/1.1/salt/

This is an API created by WordPress that gives you a salted key set. This is what it looks like:

Once you have your key pairs, simply copy and paste the configuration into your wp-config.php file, then restart the web server to ensure the changes take effect. You may notice that if you were logged in before, you will be asked to log in again; this is normal.
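To confirm the step above was actually done, here is an added example (not from the original post and not WordPress code) that audits the text of a wp-config.php for the eight constants and flags any that are missing, still set to the placeholder, too short, or reused. The function names, the 32-character threshold and the sample config are assumptions constructed for this example.

```python
import re

# The eight constants from the wp-config.php block shown in the post.
REQUIRED = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
            "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 32  # assumption made for this example, not a WordPress rule

# Active define('NAME', 'value'); lines with straight quotes only. Curly
# quotes picked up from a web page are not PHP string delimiters, so such a
# line never defines the constant and is reported as missing.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""", re.MULTILINE)


def audit_wp_keys(config_text):
    """Return {constant: problem} for each key or salt that needs regenerating."""
    found = {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}
    problems, seen = {}, {}
    for name in REQUIRED:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value.strip().lower() == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < MIN_LENGTH:
            problems[name] = "too short"
        elif value in seen:
            problems[name] = "duplicate of " + seen[value]
        else:
            seen[value] = name
    return problems


def define_line(name, value):
    return "define('%s', '%s');\n" % (name, value)


# Constructed sample config: filler values, not real keys.
SAMPLE_CONFIG = "<?php\n" + "".join([
    define_line("AUTH_KEY", "A" * 64),
    define_line("SECURE_AUTH_KEY", PLACEHOLDER),          # never replaced
    define_line("LOGGED_IN_KEY", "B" * 64),
    define_line("NONCE_KEY", "A" * 64),                   # same value as AUTH_KEY
    define_line("AUTH_SALT", "hunter2"),                  # too short
    "define(‘SECURE_AUTH_SALT’, ‘" + "C" * 64 + "’);\n",  # curly quotes
    define_line("LOGGED_IN_SALT", "D" * 64),              # NONCE_SALT is absent
])

if __name__ == "__main__":
    for name, problem in audit_wp_keys(SAMPLE_CONFIG).items():
        print(name, "->", problem)
```

An empty result means all eight constants are present, distinct and no longer the placeholder; to check a real site, pass the contents of its wp-config.php to `audit_wp_keys`.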

Please let me know if you have any questions!
