What are they?
The WordPress security keys are eight random strings of characters, used to beef up the security of your cookies and passwords. More accurately, there are four security keys and four corresponding salts – salts are extra strings that make passwords harder to crack by adding extra pieces to them.
Why use them?
All too often, people use incredibly simple passwords that are easy to crack with brute-force attacks. WordPress security keys help to encrypt information in users’ cookies more securely, making your installation much more secure. They are not a substitute for a good password, however, and you should still employ sound password-creating practices such as combining upper-case and lower-case letters, symbols, punctuation and numbers.
In short, security keys are like an extra bolt on the door – just one more thing to break in order to gain access.
How to use them
Adding security keys to your WordPress installation is actually a fairly simple task, so long as you are confident editing a PHP file.
All you need to do is find your wp-config.php in the root of your installation and open it for editing. Look around for the following piece of code:
/**
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
The next step is to create the unique phrases for each key and salt. You are welcome to try to create them yourself; however, the more random they are, the better, and a computer is far better at being random than a human. It’s also easier for a computer to create eight 60-character strings than it is for you, so save yourself the trouble and use the key and salt generator (https://api.wordpress.org/secret-key/1.1/salt/), a free tool provided by WordPress.
Once you arrive at that page, all you have to do is copy the entire page contents and replace the eight lines of code in wp-config.php with those created for you by the generator. An example of the code that you will be presented with (generate your own rather than copying these published values) is:
define('AUTH_KEY', '8NhUy4z!=Xscgm7ZT%~dO(UDsOmT<Up)iq-{=Ot}B+;|?kzPS5(S:7!-@FBo|u]N');
define('SECURE_AUTH_KEY', 'k:P5|=7)GnQ9i%:-hC9ekn5e-c~!+=;d@2{]KN|ohMJYUH6|GV|K^[u95I/&!IXE');
define('LOGGED_IN_KEY', '~Dx0|g~`D@N``7B}xFP?a{$oSM_B,,~,gIjhS?|4gWU5%5lnlZdogP13X%P`]~5!');
define('NONCE_KEY', 'r2=LE]XfhsXqG+NL:v50`.`?/!Y8vPBhG)=P[B6,^78|PUW_$|+@0~riALu@6MQ:');
define('AUTH_SALT', '-(RdXQIon(`@N}y|!`%%eMpN`$58Vq=-4!;iP8C_~-Ce{NG,_2yfbwrrt)>Vs>n_');
define('SECURE_AUTH_SALT', 'YvM?R%cuBRy}=a#W@DH+z$u^#vCVdpu^+5s-`,s;N4/NN<[ RSsDBGx[v+;$*DQ#');
define('LOGGED_IN_SALT', ';.azo JkjmYUZPgv-0<#Zrc@i;<V[<;8m:TU`J$)~kD=F(|-VEl!pH=f8I]43n:9');
define('NONCE_SALT', 'i48y6,}zW3:Ex(|l[mjG&O;}Ts> |00oAKAMS-. 0s+j[9e_D[Or DFGT|_b0f5+');
Now save your wp-config.php and you're set to go.
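To confirm the edit took effect, the following Python script (an added example, not from the original post or from WordPress) scans the text of a wp-config.php for the eight constants and reports any that are missing, still set to the placeholder, too short, or reused. The function name, the 60-character threshold (taken from the figure quoted above) and the sample config are assumptions made for this example.

```python
import re

# The eight constants named in the article's wp-config.php listing.
REQUIRED = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
            "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 60  # assumption: threshold taken from the article's "60-character strings"

# Active define('NAME', 'value'); lines only: anchoring at the line start skips
# commented-out copies. Assumes values contain no quote characters.
DEFINE_RE = re.compile(r"""\s*define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*)\3\s*\)\s*;""")

def audit_wp_config(text):
    """Return {constant: [problems]}; secret values are never echoed back."""
    defines = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(2)] = m.group(4)
    problems = {}
    for name in REQUIRED:
        value, issues = defines.get(name), []
        if value is None:
            issues.append("missing")
        elif value == PLACEHOLDER:
            issues.append("default placeholder")
        else:
            if len(value) < MIN_LENGTH:
                issues.append("shorter than %d characters" % MIN_LENGTH)
            twins = [n for n in REQUIRED if n != name and defines.get(n) == value]
            if twins:
                issues.append("same value as " + ", ".join(twins))
        if issues:
            problems[name] = issues
    return problems

# Constructed sample config (not real keys) with one instance of each problem.
SAMPLE = """\
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', '%(a)s');
define('LOGGED_IN_KEY', '%(b)s');
define('NONCE_KEY', 'short');
// define('AUTH_SALT', '%(b)s');
define('SECURE_AUTH_SALT', '%(a)s');
""" % {"a": "a1" * 32, "b": "b2" * 32}

if __name__ == "__main__":
    for name, issues in audit_wp_config(SAMPLE).items():
        print(name + ": " + "; ".join(issues))
```

To check a real installation, pass the contents of its wp-config.php to audit_wp_config(); an empty result means all eight constants are present, distinct and replaced.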
You can change these periodically if you so choose, and you should definitely do so if you experience a security breach. The only drawback is that any logged-in users will have to log back in, as their cookies will become invalid.
What other security practices do you employ on your installation?


November 18, 2010 at 3:05 am
Thanks for the post as it gives good guidelines as to how to give security to the WordPress cookies.
November 20, 2010 at 1:27 am
Your every post is great to read. And now I subscribed to your feed to be updated with you. Good work!!!!
November 21, 2010 at 2:39 am
Thanks, I’ll give this a try. Security online is as important, or more so, than offline. More people should realize that by now.
November 21, 2010 at 12:49 pm
I’d say they’re equally important, but while you’re not going to lose your credit card details by having your WordPress installation hacked, you can lose an awful lot of work and cause yourself a lot of hassle trying to get it all fixed.
November 21, 2010 at 11:10 am
I think all blog owners should consider using security keys. Don’t wait till you get hacked before you start thinking about security. Now is the time.
November 21, 2010 at 12:50 pm
Absolutely. Typically, people will unfortunately wait until the worst happens before they take action. Security should be a paramount consideration for any blog owner.
December 2, 2010 at 10:05 am
Dave,
I am sure there are still lots of people who don’t know about this.
Although there are tons of other things to secure our WordPress blogs, this is very essential and a must-do and check.
Thanks for bringing it up!
December 2, 2010 at 10:10 am
Indeed. I think I’m going to write an article with general security measures that need to be included as standard, such as using the security keys.
June 22, 2011 at 3:36 pm
Can you add the security keys after you have installed WordPress? Or can it be difficult like changing the database prefix when you have already installed WordPress?
June 22, 2011 at 5:04 pm
That’s a really good question, Kenny. You can install these in an existing site without any problems. The worst thing that will happen is that you might need to log in again after you install them. That’s it.
June 22, 2011 at 5:36 pm
Awesome! Thanks for the help.