
It's like having Evelyn Salt guard your Blog! ... Almost...
[This post is part of the Ultimate Guide to Launching a WordPress-Powered Blog series.]
After you first install WordPress, there are more than a few things you’ll want to do to increase the security of your blog installation. One of them is adding the 8 Secret Keys (also called Security Keys and Salts) to your wp-config.php file.
These 8 keys were introduced by WordPress to help better encrypt the information stored in the user’s cookies. Not sure what a “cookie” is? Here’s a good definition:
A cookie, also known as a web cookie, browser cookie, and HTTP cookie, is a piece of text stored on a user’s computer by their web browser.
A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.
And yes, WordPress uses cookies so it’s better to upgrade their security settings, right? What does this mean practically and in layman’s terms? It means:
- Your blog is harder to hack.
- Access to your blog by scripts and malicious people is made much more difficult.
- The randomly-generated security key can take years to hack. Combined with a “salt” key, it’s very tough to beat!
Not sure what any of this actually means? That’s fine! You’re still going to want to do it, and it’s not too hard.
Here we go:
1. Generate Random Keys
This part is easy: Go to WordPress’ own online generator found here and copy this information into a text pad:
Got them? Great.
2. Paste Keys into wp-config.php
Using your favorite FTP application (here are my favorites) you’ll want to find your wp-config.php file located in the root of your WordPress installation:
Open the wp-config.php file and it should look something like this:
Now just copy and paste the keys that the online generator created for you into this file like so:
Then save your file and you’re done! You can now rest a little easier knowing that you’ve made a significant improvement to the security of your WordPress blog!
Well done!
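A way to check the result of steps 1 and 2, as an added example that is not part of the original post or WordPress's own code: this Python audits the text of a wp-config.php for the eight constants (missing, still the sample-file placeholder, too short, or reused) and can build replacement lines locally. The function names, the 32-character threshold, the character set and the sample config are assumptions made for this example.

```python
import re
import secrets
import string

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php
# Assumption: leave out quotes and backslash so values need no PHP escaping.
ALPHABET = [c for c in string.ascii_letters + string.digits + string.punctuation
            if c not in "'\"\\"]
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])((?:\\.|(?!\2).)*)\2\s*\)""")
# Constructed sample config, not taken from any real site.
SAMPLE = """
define('AUTH_KEY',        'constructed-sample-value-A-0123456789abcdef');
define('SECURE_AUTH_KEY', 'constructed-sample-value-B-0123456789abcdef');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'tooshort');
define('AUTH_SALT',       'constructed-sample-value-B-0123456789abcdef');
// define('NONCE_SALT',   'constructed-sample-value-C-0123456789abcdef');
"""

def audit_salts(config_text, min_length=32):  # 32 is an assumed threshold
    """Label each constant ok/missing/placeholder/short/duplicate."""
    defines = {name: value for line in config_text.splitlines()
               if not line.lstrip().startswith(("//", "#", "*", "/*"))
               for name, _quote, value in DEFINE_RE.findall(line)}
    values = [defines[k] for k in KEY_NAMES if k in defines]
    report = {}
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            report[name] = "missing"
        elif value == PLACEHOLDER:
            report[name] = "placeholder"
        elif len(value) < min_length:
            report[name] = "short"
        else:  # the same value reused for two constants is flagged on both
            report[name] = "duplicate" if values.count(value) > 1 else "ok"
    return report

def generate_defines(length=64):
    """Build replacement define() lines locally from the OS CSPRNG."""
    return ["define('%s', '%s');" % (name, "".join(secrets.choice(ALPHABET)
                                                   for _ in range(length)))
            for name in KEY_NAMES]

if __name__ == "__main__":
    print(audit_salts(SAMPLE))
```

Any constant reported as anything other than "ok" is a candidate for replacement with a line from `generate_defines()`; replacing the keys logs out every currently signed-in user.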

Ah! Clever image for this post.
I wish there was an Evelyn Salt that would go around the world taking care of malicious hackers.
I can see it now:
“Dude, check out this new hack. I can get into wordpress and destroy posts. Uhahahahah!”
“What was that noise?”
“Dude, it was nothing. Now let’s hack tentblogger.com”
(Suddenly – Window crashing. Bullets tearing into the monitor screen. Keyboard keys flying. Windows XP, Vista, 7 crashing. Screams of panic. Fingers being broken to hack no more.)
“Dude, run!!!”
“Too late man, it’s Evelyn Salt!!!”
hahahaha!
How do you know there’s not one already…..?
Was this included in Standard Theme? It was already in my wp-config.php file.
some of them are auto-created via wordpress if you don’t declare them.
This may be a simple question, but I’d rather ask first instead of just changing things and end up breaking something. (Been there. Done that.)
So if some of these are auto-created, should I just overwrite all of them with the ones created from the online generator or just add the ones that aren’t already there?
In other words, I already have 1-4. Do I copy over 1-8 or just 5-8?
Thanks
you can copy over if you’d like. no harm done. just make sure you have them!
thanks!
sure thing!
Great post John. Many people assume they are always hacked and they don’t know what happened but it’s a matter of securing your stuff. Would we leave the keys to our homes on the front porch?
Following directions like this can save a lot of problems down the road.
Another big security concern that was fixed in the latest WP update was the concern of XSS on a wp blog.
definitely!
Got it! Done. Thx.
Awesome tip, thanks!
sure jimmy!
So….if they were auto generated on install, is there value in getting a new randomly generated “salt key”? Or is it just as safe/secure to keep it as is?
i always replace mine out of habit.
Worked like a charm! Thank you for the easy walk through!
sure thing bro!
I know I’m late to the party, but what does this do?
Mind you, I’m doing it anyway. I’m just wondering how it’s securing stuff.
it essentially makes the cookie sessions that your blog creates harder to “guess” and thus hack.
John,
Dude. I love you, man. It’s posts like these that make me want to drive/fly/walk to Atlanta and buy you the biggest cup of coffee there is!
I’m having all sorts of MySQL issues with my ISP and I’m doing everything I can to stem the usage. We’re thinking it’s spam traffic. So between these new Salt keys, SI Captcha, and removing some funky plugins I had–oh yeah–and correctly installing/configuring W3 Total Cache, not only is my blog screaming fast now but I’m hoping the MySQL issues go away.
May God continue to watch over you, your family, and prosper your business!
Joe.
joe,
thanks so much bro! i really do appreciate it. and yes, i’ll take that cup of coffee…!
Hello john,
i think the new wordpress got this covered…just an info
cheers,
indra
Thanks, John, for the excellent post.
Is it advisable to regenerate and replace the salt keys? If yes, how often? Is the process of regenerating the salt keys and adding them to wp-config.php fairly simple?
Hey John! I’m going step by step through the whole deal here. My wp-config.php only has one line of code. Have things changed considerably since you wrote this? I’m on Dreamhost and did the quick install, then ran through the prior post on setting up for security.