Make WordPress Blog More Secure Using Secret Key

A new security feature has been added since WordPress 2.5 and carries over to all later versions (including WordPress 2.5.1, which has just been released). A Secret Key is now defined in the wp-config.php file to strengthen the security of the passwords used by a WordPress blog, or more specifically the password hashing and cookie security.

If you look at the wp-config-sample.php that comes with WordPress 2.5 or later, there are new lines that indicate the option added in WordPress 2.5:

// Change SECRET_KEY to a unique phrase. You won't have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

The Secret Key, when defined in the wp-config.php file, is used as a 'seed' to generate a hard-to-guess and individually unique random value when WordPress calculates the hash used to protect passwords, especially in cookie authentication. Compared with the situation where every blog shares the same 'seed' (no Secret Key), using a Secret Key that is different and unique for each blog reduces the possibility that hackers can crack the passwords, to the point of being almost impossible.

Thus setting up a Secret Key is highly recommended to increase the security protection of the blog. To set up the Secret Key, simply modify the line (or add the line if you're upgrading to WordPress 2.5) in the wp-config.php file:

define('SECRET_KEY', 'put your unique phrase here');

Change 'put your unique phrase here' to a long, strong, random string of mixed characters. The length is not restricted, but it is recommended to make the phrase longer than 60 characters. The key word is 'random': mixing upper and lower case letters, special characters, punctuation marks and numbers into the most complex string possible is best. With a non-random string, it may be possible for an attacker to brute force the default WordPress SALT generation process and gain access to your blog.

If you're not creative enough, WordPress has a random secret key generator that produces a completely random key for you. To use it, simply go to this URL:

http://api.wordpress.org/secret-key/1.0/

Then just copy and paste the entire line to replace the existing line in wp-config.php (or insert it into wp-config.php if you're using a pre-WordPress 2.5 wp-config.php).

After adding the Secret Key, all login sessions will be invalidated, and every user will have to log in again.
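The three points above (the key acts as the seed of the cookie hash, it must be long and random, and changing it invalidates every session) can be seen in a few lines of PHP. The following is an added example written for this post; it is not code from the original article or from WordPress core. The cookie layout user|expiration|hmac is an approximation of how WordPress 2.5 builds its auth cookie, and the function names generate_secret_key_line, make_auth_cookie and validate_auth_cookie are this example's own.

```php
<?php
// Added example, not WordPress code: shows how a per-site SECRET_KEY seeds the
// HMAC over an auth cookie, why the sample phrase must be replaced, and why a
// new key logs everyone out. Cookie format user|expiration|hmac is an
// approximation of WordPress 2.5; function names are hypothetical.

// Build a define() line for wp-config.php from CSPRNG bytes, in the spirit of
// the api.wordpress.org/secret-key/1.0/ generator (64 printable characters here,
// which is above the 60-character recommendation in the post).
function generate_secret_key_line(int $length = 64): string {
    // Alphabet deliberately omits ' and \ so the generated line stays valid PHP.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_=+[]{}<>?.,:;|~';
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];   // random_int() is a CSPRNG; rand()/mt_rand() are not
    }
    return "define('SECRET_KEY', '" . $key . "');";
}

// Extract the key value back out of a define() line (used only by the demo below).
function secret_key_from_line(string $line): string {
    if (!preg_match("/'SECRET_KEY',\s*'([^']*)'/", $line, $m)) {
        throw new RuntimeException('not a SECRET_KEY line');
    }
    return $m[1];
}

// Sign an auth cookie: the secret key is the seed (HMAC key), so the hash for the
// same user and expiry differs from one installation to the next.
function make_auth_cookie(string $user, int $expiration, string $secret_key): string {
    $hash = hash_hmac('sha256', $user . '|' . $expiration, $secret_key);
    return $user . '|' . $expiration . '|' . $hash;
}

// Validate a presented cookie: structure, expiry, then a constant-time compare of
// the HMAC. Returns the username on success, null on any failure.
function validate_auth_cookie(string $cookie, string $secret_key, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                                  // malformed
    }
    [$user, $expiration, $hash] = $parts;
    if (!ctype_digit($expiration) || (int) $expiration < $now) {
        return null;                                  // expired or non-numeric expiry
    }
    $expected = hash_hmac('sha256', $user . '|' . $expiration, $secret_key);
    return hash_equals($expected, $hash) ? $user : null;   // hash_equals() avoids timing leaks
}

// ---- Demonstration with constructed values ----
$sample_phrase = 'put your unique phrase here';       // the unchanged wp-config-sample.php value
$line          = generate_secret_key_line();
$site_key      = secret_key_from_line($line);
$now           = time();

echo "Generated line for wp-config.php:\n  $line\n\n";

// 1. A cookie issued under this site's key validates on this site.
$cookie = make_auth_cookie('admin', $now + 3600, $site_key);
echo "Own cookie, own key:      " . var_export(validate_auth_cookie($cookie, $site_key, $now), true) . "\n";

// 2. A cookie built with the well-known sample phrase is rejected once the site has
//    its own key: the seed no longer matches, which is the whole point of setting it.
$default_cookie = make_auth_cookie('admin', $now + 3600, $sample_phrase);
echo "Sample-phrase cookie:     " . var_export(validate_auth_cookie($default_cookie, $site_key, $now), true) . "\n";

// 3. Rotating the key (editing the define() line) invalidates every existing cookie,
//    which is why all users must log in again after the change.
$rotated_key = secret_key_from_line(generate_secret_key_line());
echo "Own cookie, rotated key:  " . var_export(validate_auth_cookie($cookie, $rotated_key, $now), true) . "\n";

// 4. An expired cookie is rejected even with the right key.
$expired = make_auth_cookie('admin', $now - 1, $site_key);
echo "Expired cookie, own key:  " . var_export(validate_auth_cookie($expired, $site_key, $now), true) . "\n";
```

Run it with `php secret_key_demo.php` (PHP 7.1 or later, for random_int() and the short list syntax). Case 1 prints 'admin' and cases 2 to 4 print NULL; case 2 is the one to keep in mind, since any cookie hashed under the unchanged sample phrase is only as secret as the phrase itself.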

p/s: This article is taken from http://www.tipandtrick.net/

Posted May 22nd, 2008 by wm afendi under Blogs
