Security September Series
- Why Is WordPress Website Security Important?
- WordPress Admin Area Security Best Practices
- 5 Best WordPress Security Plugins and Solutions
- All You Need to Know About WordPress Security Keys and Salts
- Scanning Your WordPress Websites for Security Vulnerabilities
- Securing WordPress Websites Against Brute Force Attacks
- How to Secure and Optimize WordPress Database?
- Is Removing the Fact Fact That You Use WordPress Helpful?
- WordPress Hosting Related Security Measures
- The Complete Beginner’s Guide to Fix Hacked WordPress Websites
- Addressing the WordPress Is Not Secure by Default Argument
- WordPress Backup Plugins to the Rescue of Hacked Websites
- Detecting and Removing Backdoors From a Hacked WP Website
- What to Expect from a WordPress Security Solution/Provider
- Is the Free SSL Certificate from Let’s Encrypt Safe?
Protecting sites against brute force attacks is the fundamental step of WordPress security. In the previous article, you learned about ways to prevent hackers from brute forcing the login page. WordPress security keys and salts offer yet another solution to improve and harden your site security.
WordPress keys and salts were first introduced in version 2.6. These play a significant role in securing site cookies and stop hackers from accessing your site. Today, I am going to discuss Security Keys, and we will take a look at what they are, how they work, and how you can use them?
What Are Security Keys?
Security keys and hashing salts are authentication variables that enhance the security of your login credentials. They add an extra security layer to your username and password information stored in the user’s cookies. Currently, there are four security keys i.e. AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY. With each key, corresponding salts are also present i.e. AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT. You can add them in the wp-config.php file.
Here is a screenshot of this file from one of my demo websites. You can find them listed right after the database credentials.
If the WordPress security keys are not configured, they appear like this by default.
There exists a WordPress.org secret-key service. You can generate secret keys through it and then copy-paste them to your wp-config.php file. The four salt keys are recommended but are not required. This means if they are not added, WordPress will generate itself. I recommend generating the salt keys and modifying each of them a little bit if you’d like.
Reviewing WordPress Keys and Salts
- wordpress_[hash]: It is used on the admin pages only.
- wordpress_logged_in_[hash]: It is used throughout WordPress to know whether you are logged in or not.
The authentication details are hashed using a set of random values which are specified in the WordPress security keys. You can call them as additional encryption that is long, random and complicated.
An easy-to-guess password like “12345” or “admin” can be easily hacked, but an encrypted and random password like “rthvhh567896gb3bkkuug##ggb!!jjjl&77n” can take years to be cracked. So, using WordPress security keys makes it nearly impossible for anyone to reverse the hash and access your information.
Hardening WordPress Security With Keys
By now, you know the complexity and randomness of security keys. To make your site harder to access, just ensure that these keys are long and difficult to crack. There is no need to learn or create them manually. Simply use the online generator which I have mentioned above.
Updating security keys and salts regularly is an intuitive way of hardening your WordPress site. Your current keys are already difficult to break; so changing them adds another layer of complexity. Imagine a hacker guessing the keys with a great struggle and finds out the keys were again changed.
Updating security keys automatically perform a forced log out of every user who is accessing your website. Now, they will have to log in once again hence, proving their identity and updating the cookies. So, if you find any brute force attack symptoms, you can change your authentication salt keys for reauthentication of all user logins.
Changing Your WordPress Keys and Salts
In self-hosted WordPress blogs no pre-defined security keys exist. Instead, you have to generate and add them yourself. Follow these tiny miny steps to complete the process. It is a very straightforward and easy.
- Create your own unique secret key via the online key generator.
- Go to the root folder of your site and open up the wp-config.php file.
- Look for the section of WordPress keys and salts. Usually, it is below the database credentials.
- Copy the entire code block which you have created from the online generator.
- Paste the new keys to overwrite the existing set lines of code.
- Save the wp-config.php file.
The same process is achieved in a few clicks with third party plugins and iThemes Security tops the list. Last year, they introduced the functionality to update WordPress security keys and salts. All those who use the most recent version of the plugin will have access to this feature.
You must use iThemes Security for this very purpose because it updates your keys effortlessly.
After every 30 days, the plugin sends an automated reminder about updating your keys and salts. While doing it manually, you have to handle it yourself by keeping a record of it. Also, you can change the keys directly from the dashboard. So, you can easily skip the manual steps.
Updating your keys and salts with iThemes Security will also force all logged in users to log in again. I feel great peace with this plugin as their dashboard reminder never let me forget the update process.
WordPress security keys act as a strong shield against brute forced and other guesswork hacking attacks. Adding the keys would remove your doubts about cookies being stolen. You should update them regularly to invalidate the attacker’s cookies who tries to hack your site.
Finally, let’s recap the entire article with these quick pointers.
- There is no need to remember the keys values. Just configure them once and relax.
- All users will need to log in again if you change the WordPress security keys.
- Never publish the keys values online or share it with anyone.
- WordPress security keys can be changed anytime.
- The wp-config.php file is not modified while updating the latest WordPress version. Currently, you can define seven Unique Keys and Salts for authentication.
What are your views about security keys? Have you ever changed their values? Share your feedback with us!
Finally, you can catch all of my articles on my profile page, and you can follow me or reach out at Twitter @mrahmadawais; to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.