Add WordPress SECRET_KEY for Secure Cookies
April 26th, 2008WordPress 2.5 has incorporated a cool feature for better cookie security. You can add a SECRET_KEY to the wordpress wp-config.php file and make cookies secure against attacks where someone has hacked into your database via an SQL injection exploit etc.
Check the latest sample wp-config-sample.php file and you will see this new line
// Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
// so make it long and complicated. You can visit http://api.wordpress.org/secret-key/1.0/
// to get a secret key generated for you, or just make something up.
define(’SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.
Visit api.wordpress.org/secret-key/1.0/ which will auto-generate a unique secret key everytime. Simply cut and paste and add it to your wp-config.php file. Get a different secret for each of your blogs. Here is how the key looks like.
define(’SECRET_KEY’, ‘:qk94Q]1EB!{`&]%fWhU\”@n`\’]4S4,+ogX%) NCcri:,,%h5(,H-g%}1*>-HXX,8B’);
Ryan elaborates that don’t memorize this long code as you just need to paste and forget it. They will not ask for it again. If you ever need to force all users to log out, simply change the SECRET_KEY. Note that changing SECRET_KEY will affect only login cookies.
I have been upgrading Wordpress since WP 1.5 days, and in my wp-config.php, it was missing. I simply generated a SECRET_KEY and added it to my wp-config.php file. Hooray for better blog security. Hooray for Wordpress 2.5.1
Subscribe RSS feed
Thanks for this. I never realized the importance of this.
Good security tips as of now i am not using wp 2.5
I got tired of editing my files, so I wrote a plugin to do it for me on pre-2.5 blogs – it’s free to download:
http://ActiveBlogging.com/info/how-to-change-wordpress-secret_key-plugin/