WordPress Security And The SECRET_KEY – Adding It To An Upgrade Installation
If you’ve looked in the wp-config.php file of WordPress from 2.5 on, you’ll have seen a little something extra:
define('SECRET_KEY', 'put your unique phrase here');
This secret key is used to make cookies more secure – and by extension, your blog.
It’s worth adding for the extra security it gives at little effort, but it’s not automatic.
For example, if you use the install routine of WordPress, the latest version will create a random key for you. But if you install by hand, it won’t.
And if you upgrade your blogs like I do, then you just copy the old wp-config.php file over with the new WordPress files – which means it won’t be added then, either.
So the solution? Two options, actually:
- WordPress will generate a personal random key for you if you use this link (updated Aug29/09) – go to it, copy it down, and then edit your wp-config.php file to include it.
- Or, download my WordPress SECRET_KEY changer plugin here. Upload it to your /wp-content/plugins/ directory and activate it. The plugin will try to add a random key to your wp-config.php file. If it succeeds, it will log you out (a direct result of the key change). And then when you log back in, it will deactivate itself, saving you a step!
The plugin was the result of my wanting to upgrade my older blogs to this new feature, but not wanting to fuss with editing all my wp-config.php files.
And while a plugin may be overkill for a one-time thing, you CAN rerun it to change the key from time to time. However, I don’t know how necessary that will be: as it stands, it generates keys with roughly 10^43 – 10^70 possible values…
…or to write it out, there’s at a minimum about a 1 in 10,000,000,000,000,000,000,000,000,000,000,000,000,000,000 chance of guessing it!
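The check-and-add step described above, for a wp-config.php carried over from an older install, as an added Python example (not the author's plugin and not WordPress code). The function names, the 64-character key length, the key alphabet and the sample config are assumptions made for illustration.

```python
import re
import secrets
import string

PLACEHOLDER = "put your unique phrase here"  # default value quoted on the page

# Assumption: keys avoid ' and \ so they need no escaping in a single-quoted PHP string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

# Matches an active define at the start of a line; "// define(...)" is ignored.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"]SECRET_KEY['"]\s*,\s*(['"])(.*?)\1\s*\);""",
    re.MULTILINE)

# Constructed sample: an old wp-config.php copied over during a manual upgrade.
OLD_CONFIG = """<?php
define('DB_NAME', 'wordpress');
// define('SECRET_KEY', 'commented out, does not count');
require_once(ABSPATH . 'wp-settings.php');
"""

def key_status(config_text):
    """Return 'missing', 'placeholder' or 'set' for the text of a wp-config.php."""
    m = DEFINE_RE.search(config_text)
    if m is None:
        return "missing"
    return "placeholder" if m.group(2) in ("", PLACEHOLDER) else "set"

def generate_key(length=64):
    """Random key from the OS CSPRNG (length is an assumed default)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def ensure_secret_key(config_text, force=False):
    """Return (new_text, changed). An existing real key is kept unless force=True."""
    status = key_status(config_text)
    if status == "set" and not force:
        return config_text, False
    line = "define('SECRET_KEY', '%s');" % generate_key()
    if status != "missing":
        # Function replacement: the key is inserted literally, never parsed as a regex template.
        return DEFINE_RE.sub(lambda m: line, config_text, count=1), True
    head, _, tail = config_text.partition("\n")
    if not head.lstrip().startswith("<?php"):
        raise ValueError("expected the file to open with <?php")
    # Insert right after the opening tag so the define precedes wp-settings.php.
    return head + "\n" + line + "\n" + tail, True

if __name__ == "__main__":
    print(ensure_secret_key(OLD_CONFIG)[0])
```

Writing the returned text back to wp-config.php changes the key, which logs out current sessions, as the post notes for the plugin.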