In December of 2017, Wordfence reported that 1.4 billion sets of WordPress login credentials were stolen, and a massive campaign of brute force attacks occurred shortly thereafter. With usernames and matching passwords made so readily available, it’s no surprise that hackers jumped at the chance to launch attack after attack--at its peak, 14.1 million attacks an hour--against WordPress users.
Of course, that’s when WordPress admins go into defensive mode and require all users to reset and change their passwords. But is that enough? Does strict password enforcement even matter if hackers are able to uncover that information from a cracked database? What about two-factor authentication? Does that even help?
Any good WordPress security blog will tell you to do all those things when managing user passwords in the CMS because they do make brute force attacks more difficult to execute. One thing they may not mention, however, is that you should immediately turn your attention to WordPress security keys--and this pertains both to the initial implementation of security protocols on your site as well as in the wake of news about a major security breach.
The following guide will cover everything you need to know about WordPress security keys, generating new salts for your site, and how to configure them all in just a few easy steps.
Everything You Need to Know About WordPress Security Keys
There’s only so much you can do to guide your WordPress users toward safe password practices. You require strong passwords and implement two-factor authentication. You even remind them to change their passwords after 90 days. But leaving the configuration and safeguarding of login credentials in the hands of your users just isn’t sufficient.
This is why WordPress developed a set of WordPress security keys (also known as secret keys).
In order to understand how these work and why they’re deserving of your attention, we have to first take a look at how WordPress user sessions work.
WordPress User Sessions and Cookies
When a new WordPress user logs in (this applies to backend users as well as commenters), a cookie stores information about their session.
Back in Version 2.4, WordPress established cookies to store two pieces of information: the username and a double-hashed version of the password your users created.
In so doing, your users’ information is encrypted while also being stored for future use to streamline the login process. Starting in Version 3.0, WordPress created two different cookies: one for the login screen (wordpress_[hash]) and one for the admin dashboard (wordpress_logged_in_[hash]).
As the Codex explains:
WordPress uses the two cookies to bypass the password entry portion of wp-login.php. If WordPress recognizes that you have valid, non-expired cookies, you go directly to the WordPress Administration interface. If you don't have the cookies, or they're expired, or in some other way invalid (like you edited them manually for some reason), WordPress will require you to log in again, in order to obtain new cookies.
This information is stored in your WordPress database.
WordPress Security Keys and Salts
The hashing of users’ passwords is how WordPress encrypts/encodes the user session data. This is done using an algorithm called MD5. Basically, it takes the usernames and passwords your users created, then hides them behind a long and unintelligible string of numbers and letters, which makes it difficult to decode. This is what’s known as a WordPress security key.
As the Codex notes:
In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like ‘password’ or ‘test’ is simple and easily broken. A random, long password which uses no dictionary words, such as ‘88a7da62429ba6ad3cb3c76a09641fc’ would take a brute force attacker millions of hours to crack. A salt is used to further enhance the security of the generated result.
WordPress security keys and salts are stored inside the wp-config.php file. That’s why the use of security keys is critical to keeping WordPress safe from brute force attacks.
Essentially, they force hackers to retrieve cookie session data from the database and then figure out how to decode it with the WordPress security keys from the wp-config.php file (if they can find it).
As of 2019, WordPress now automatically stores four authentication (security) keys and four hashing salts in the wp-config.php file.
The default code for these looks like this:
define('AUTH_KEY', 'long string of text');
define('SECURE_AUTH_KEY', 'long string of text');
define('LOGGED_IN_KEY', 'long string of text');
define('NONCE_KEY', 'long string of text');
define('AUTH_SALT', 'long string of text');
define('SECURE_AUTH_SALT', 'long string of text');
define('LOGGED_IN_SALT', 'long string of text');
define('NONCE_SALT', 'long string of text');
This is WordPress’s way of providing enhanced security for user sessions and data. That said, it is highly advisable that you don’t leave the default code in the wp-config file. In this next section, we’ll talk about how you can go about generating your own WordPress security keys and salts.
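To make concrete why a key and salt in wp-config.php protect the session cookies described above, and why swapping them kills every existing session, here is a Python model of the cookie scheme. This is an added example, not code from this post or from WordPress itself: it follows the layout of WordPress's wp_generate_auth_cookie() and wp_validate_auth_cookie() as I understand them (user_login|expiration|token|hmac, keyed through wp_hash(), which is HMAC-MD5 under KEY concatenated with SALT), but it omits the session-token store that real WordPress also checks, and every key, salt, user and password-hash value below is constructed for illustration.

```python
"""Model of the wordpress_logged_in_ cookie (added example; simplified from WordPress)."""
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the LOGGED_IN_KEY / LOGGED_IN_SALT lines of wp-config.php.
CONFIG = {
    "LOGGED_IN_KEY": "constructed-logged-in-key-0001",
    "LOGGED_IN_SALT": "constructed-logged-in-salt-0001",
}

# Constructed stand-in for the user_pass column (WordPress keeps a phpass hash there).
USER_PASS_HASH = "$P$BconstructedHashValueForIllustrationOnly."


def wp_salt(config, scheme="logged_in"):
    """Mirror of wp_salt(): the secret for a scheme is its KEY followed by its SALT."""
    prefix = scheme.upper()
    return config[f"{prefix}_KEY"] + config[f"{prefix}_SALT"]


def wp_hash(data, config, scheme="logged_in"):
    """Mirror of wp_hash(): HMAC-MD5 of the data under the scheme's key+salt."""
    return hmac.new(wp_salt(config, scheme).encode(), data.encode(), hashlib.md5).hexdigest()


def generate_auth_cookie(user_login, user_pass_hash, expiration, token, config):
    """Build user_login|expiration|token|hmac the way wp_generate_auth_cookie() does."""
    pass_frag = user_pass_hash[8:12]  # substr($user->user_pass, 8, 4)
    key = wp_hash(f"{user_login}|{pass_frag}|{expiration}|{token}", config)
    mac = hmac.new(key.encode(), f"{user_login}|{expiration}|{token}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{user_login}|{expiration}|{token}|{mac}"


def validate_auth_cookie(cookie, user_pass_hash, config, now=None):
    """Return the user_login if the cookie verifies under this config, else None."""
    now = time.time() if now is None else now
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user_login, expiration, token, mac = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None  # expired cookie: WordPress asks the user to log in again
    pass_frag = user_pass_hash[8:12]
    key = wp_hash(f"{user_login}|{pass_frag}|{expiration}|{token}", config)
    expected = hmac.new(key.encode(), f"{user_login}|{expiration}|{token}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # tampered cookie, or keys/salts changed since it was issued
    return user_login


def rotate_keys(config):
    """Return a config with a fresh random key and salt (what editing wp-config.php does)."""
    return {name: secrets.token_urlsafe(48) for name in config}


if __name__ == "__main__":
    issued_at = 1_900_000_000
    cookie = generate_auth_cookie("editor", USER_PASS_HASH, issued_at + 3600,
                                  secrets.token_hex(32), CONFIG)
    print("valid before rotation:", validate_auth_cookie(cookie, USER_PASS_HASH, CONFIG, issued_at))
    print("valid after rotation: ", validate_auth_cookie(cookie, USER_PASS_HASH, rotate_keys(CONFIG), issued_at))
```

The point to take from it: a stolen database row does not contain the key or the salt, so the HMAC in a cookie cannot be forged or verified without wp-config.php, and once you rotate those values every cookie issued under the old ones fails validation and the user is sent back to the login form.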
How to Configure Security Keys with a Salt Key Generator
You have two options for creating or updating WordPress security keys. The first is the manual option, which requires you to be comfortable editing the wp-config.php file. Or, if you’d prefer, you can use a WordPress plugin to do it for you.
The Manual Method of Configuring WordPress Security Keys
Manually configuring WordPress security keys isn’t difficult. You simply need to be comfortable editing code if you want to go down this path.
The first thing you need to do when manually configuring security keys is to open WordPress’s Salt Key Generator tool.
As you can see, it’s the same code I wrote out above, except it’s been populated with unique WordPress security keys and salts. (Obviously, you’re not going to want to use the code from my example above.) To get a fresh list of keys, refresh your browser screen.
Copy your new keys. Do not save them anywhere on your machine.
Log out of your WordPress session. If you can, advise your other WordPress users to do the same. The update of security keys won’t harm the work they’re doing, but it will immediately destroy the cookies from their session and force them to log in again.
Create a backup of the website. This should be an easy copy-and-paste job, but you want your site to be protected in case something does go wrong in the process.
Log into your control panel file manager or FTP. Then locate the wp-config.php file in the root directory.
Create a copy of the file. Open the file to edit it.
Search for a section called “Authentication Unique Keys and Salts.”
You will see that WordPress has already populated this section with custom secret keys and salts. Go ahead and paste the new ones from WordPress’s Salt Key Generator.
Save your changes and exit out of the file.
The next time you and your users attempt to log into WordPress, you will be prompted to enter your login credentials again. Nothing else will need to change; the new WordPress security keys and salts simply require you to begin a new session.
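For anyone who manages more than one site, the copy-and-paste steps above can be scripted. The following is an added example and not code from this post, from WordPress or from any plugin: it takes a block of new define() lines, as produced by WordPress’s secret-key service (assumed to be https://api.wordpress.org/secret-key/1.1/salt/), backs up wp-config.php, and replaces only the eight key and salt lines, refusing to touch the file if any of the eight is missing from either side. The wp-config.php contents and the salt block embedded below are constructed samples so the script runs offline.

```python
"""Rotate the Authentication Unique Keys and Salts block of wp-config.php (added example)."""
import re
import shutil
from pathlib import Path

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# One define('NAME', 'value'); line for any of the eight constants, single or double quoted.
# The generator never emits quotes or backslashes inside a value, so [^'"]* is sufficient.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>""" + "|".join(KEY_NAMES)
    + r""")['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\);"""
)

# Constructed sample of a fresh wp-config.php (the default placeholder values).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
/**#@+
 * Authentication Unique Keys and Salts.
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
/**#@-*/
$table_prefix = 'wp_';
"""

# Constructed sample of generator output (real output has ~64-character random values).
SAMPLE_SALT_BLOCK = "\n".join(
    f"define('{name}', 'constructed-{name.lower()}-value-{i:02d}');"
    for i, name in enumerate(KEY_NAMES, start=1)
)


def parse_salt_block(text):
    """Return {NAME: value} for the define() lines in generator output; all eight are required."""
    found = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}
    missing = [n for n in KEY_NAMES if n not in found]
    if missing:
        raise ValueError("salt block is missing: " + ", ".join(missing))
    return found


def replace_keys(config_text, new_values):
    """Swap the value on every key/salt define() line, leaving all other lines untouched."""
    seen = set()

    def substitute(match):
        name = match.group("name")
        seen.add(name)
        return f"define('{name}', '{new_values[name]}');"

    updated = DEFINE_RE.sub(substitute, config_text)
    missing = [n for n in KEY_NAMES if n not in seen]
    if missing:
        raise ValueError("wp-config.php does not define: " + ", ".join(missing))
    return updated


def rotate_wp_config(config_path, salt_block_text):
    """Back up wp-config.php next to itself, then write it back with the new keys and salts."""
    config_path = Path(config_path)
    new_values = parse_salt_block(salt_block_text)
    original = config_path.read_text(encoding="utf-8")
    updated = replace_keys(original, new_values)  # validate before touching the file
    shutil.copy2(config_path, config_path.with_name(config_path.name + ".bak"))
    config_path.write_text(updated, encoding="utf-8")
    return new_values


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "wp-config.php"
        cfg.write_text(SAMPLE_CONFIG, encoding="utf-8")
        rotate_wp_config(cfg, SAMPLE_SALT_BLOCK)
        print(cfg.read_text(encoding="utf-8"))
```

Run it against a copy of the real file first, and fetch the salt block with your own HTTPS client rather than pasting it into a shell history; the backup it writes (wp-config.php.bak) contains the old keys, so delete it once the site has been confirmed working, otherwise the retired secrets sit readable in the web root.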
Using a Plugin to Configure WordPress Security Keys
If you’d rather not mess around with the wp-config file, that’s fine. There are a few different plugins that will automate the process of changing WordPress security keys on your behalf.
Specifically, there are three WordPress plugins that will get the job done right:
Think of all those tasks you’ve always wanted to update in WordPress, but were too afraid to edit the wp-config.php file to do. Well, this plugin hooks into the file and helps even the most novice of WordPress users do it. That, of course, includes updating your security keys.
Finally, there is the premium iThemes Security (Pro) plugin. iThemes is included in a number of WP Buffs’ plans, which is the very reason why you should make this your #1 method for implementing and updating security keys and salts.
Tips for Configuring WordPress Security Keys and Salts
It’s such a simple thing, isn’t it? Hardening the WordPress login to fend off brute force attacks. But there are ways you can more effectively use what you know now about WordPress security keys and salts.
Here are some things to keep in mind:
- Immediately after launching a new WordPress site, change the WordPress security keys and salts.
- If there is any inclination that your site has been attacked, update your security keys in addition to forcing all users to change their passwords.
- You might also want to update them after a WordPress user has been dismissed from your team or access has been revoked from the site. This will ensure that their latest cookies and session are destroyed.
- Never generate your own keys. Use the salt key generator from WordPress or automate the process with a plugin. It’s much easier and safer that way.
- Whether you choose to update them manually or use a plugin, create a schedule by which your keys will change frequently. Although security keys are the reason why the login becomes so difficult to hack, it’s even more effective to keep them regularly updated.
Remember: WordPress security keys and salts don’t actually do anything to your users’ login information except hide it behind a hashed string. So, changing your security keys isn’t that big of a deal for your users. The only way it will affect them is by forcing them to re-enter their login credentials (which is never a bad thing).
At the end of the day, you’re doing all of this in order to prevent your WordPress site from being hacked. If you’re intimidated by all of the work required, but know that you need to get serious about fending off attacks, then it may be time for you to talk to WP Buffs about security (and site speed while you're at it).
As I already mentioned, WP Buffs partners with iThemes Security Pro, which means that enhanced encryption of your user session data is a guarantee. It also means that many of the other security-related tasks you’re stressed about will be handled by a team of WordPress security experts.