Why and How to Set Authentication keys in WordPress
While working through the steps to harden a WordPress website, setting the authentication keys always comes up. Usually we search the internet for a solution, find some sample keys somewhere, paste them in, and consider the job done before moving on to the next security or hardening step.
But a good developer or an aware user is always left with a few questions:
- How do we verify that the keys we put in are correct?
- What do the keys actually do?
- What do we need to do after changing them in the config file?
First of all, we need to know what the keys are. WordPress does not use PHP sessions; in place of sessions, it uses cookies to manage login. This means that the state information related to a login is stored in cookies. It is important to know that these cookies are built from the username, the password (hash) and the authentication keys. Hashing these three together produces the cookie value that WordPress uses to recognise a login, so the keys play an important role in the security mechanism.
To set up the authentication keys, open the wp-config.php file and you will find code like this:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
Here we need to put unique phrases, which makes our cookies much stronger, and that matters at login time. To get strong phrases, visit this official WordPress link: https://api.wordpress.org/secret-key/1.1/salt
Copy and paste these keys in the same format into your wp-config.php file. To get a new set of keys, refresh the link (https://api.wordpress.org/secret-key/1.1/salt); every refresh returns fresh keys. Below is an example key set:
define('AUTH_KEY', 'DsK.PpLx+mVwL,3>nO*Hh@s^$#p`ZPHTcVDW4!3ZA%taqbC[GXM.l6A{|@^+Tl*?');
define('SECURE_AUTH_KEY', '^Fj(et7+)V-I0Xu&j7<%ZO P[I OZK{I|1B6$:9R+X4-x!b=D?%,euED<1I7+upq');
define('LOGGED_IN_KEY', 'ETq+A$6;c=(LDUw;!k|f?.@MG8E[:PxH^H-u|c0^q({iSO-9N^~mn}s{Pz xK/CY');
define('NONCE_KEY', 't9;caYly}-*5T4-LiX>pyCke8V23tJX93=gF-!uw.(=8vMeuK*1Ul.S.M*P~F&P/');
define('AUTH_SALT', '&jdN;ID+jB+A)Th%0:`,xRpu-i6$`>|#+lO%GO$kQr-zfh3iQS0Q;^?1s4P%vk7A');
define('SECURE_AUTH_SALT', 't`z-0`>szG&hZ)x^BP;<,Uwox?j,O %ui!I,IHN9tHqNK-$}^N|`V&M%|y/=Dbx?');
define('LOGGED_IN_SALT', 'hGC&Cvp KM1?t&&5+IXe=WhuiJ^nC4p(P^`fJZ A S=nw~-v-/ #zq-?&Po}V/4O');
define('NONCE_SALT', '3+MM ]; >ES8mjlY:~REtsr.WhPbo)D-cSf8rlB/ivF6+T+YAf_hNw46;KBWmINT');
If your website is hosted on Azure, these keys will not work as-is. They need some modification, because Azure does not support this format.
How do we verify that the keys we put in are correct?
There is no need to verify the keys, as they are random. Just generate them using this link: https://api.wordpress.org/secret-key/1.1/salt and use them.
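The author's point stands: random keys need no verification of their content. What can be checked is that the placeholders were actually replaced, that all eight constants are present and distinct, and that none of them is suspiciously short. The script below is an added example, not code from the original post or from WordPress itself: it generates a local key set with PHP's random_int() (useful when the api.wordpress.org link cannot be reached from the server) and runs that check over a constructed wp-config.php fragment. The function names and the sample fragment are my own.

```php
<?php
// Added example: local key generation plus a sanity check of wp-config.php.
// Not part of the original post and not WordPress's own code.

const WP_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
const WP_PLACEHOLDER = 'put your unique phrase here';

// One 64-character phrase from the CSPRNG. The alphabet deliberately contains
// no single quote or backslash, so the value can be pasted inside define('...').
function generate_phrase(int $length = 64): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $last = strlen($alphabet) - 1;
    $phrase = '';
    for ($i = 0; $i < $length; $i++) {
        $phrase .= $alphabet[random_int(0, $last)];
    }
    return $phrase;
}

// The eight define() lines in the same format the api.wordpress.org page returns.
function generate_key_block(): string
{
    $lines = [];
    foreach (WP_KEY_NAMES as $name) {
        $lines[] = sprintf("define('%s', %s);", $name, var_export(generate_phrase(), true));
    }
    return implode(PHP_EOL, $lines) . PHP_EOL;
}

// Returns a list of problems found in a wp-config.php source string; an empty
// list means all eight constants are defined, not placeholders, distinct and
// at least $min_length characters long. Values containing an escaped single
// quote are not matched by this simple regex (the WordPress generator never
// emits one).
function wp_config_check(string $source, int $min_length = 32): array
{
    $found = [];
    preg_match_all("/define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)\s*;/", $source, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        if (in_array($m[1], WP_KEY_NAMES, true)) {
            $found[$m[1]] = $m[2];
        }
    }

    $problems = [];
    foreach (WP_KEY_NAMES as $name) {
        if (!array_key_exists($name, $found)) {
            $problems[] = "$name is not defined";
        } elseif ($found[$name] === WP_PLACEHOLDER) {
            $problems[] = "$name still holds the placeholder text";
        } elseif (strlen($found[$name]) < $min_length) {
            $problems[] = "$name is shorter than $min_length characters";
        }
    }
    if (count(array_unique($found)) !== count($found)) {
        $problems[] = 'two or more constants share the same value';
    }
    return $problems;
}

// Constructed sample: a fragment where two constants were never replaced,
// two were pasted with the same value, one is too short and three are missing.
$sample = <<<'CFG'
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'ETq+A$6;c=(LDUw;!k|f?.@MG8E[:PxH^H-u|c0^q({iSO-9N^~mn}s{Pz xK/CY');
define('NONCE_KEY',        'ETq+A$6;c=(LDUw;!k|f?.@MG8E[:PxH^H-u|c0^q({iSO-9N^~mn}s{Pz xK/CY');
define('AUTH_SALT',        'short');
CFG;

echo "Problems in the sample fragment:", PHP_EOL;
foreach (wp_config_check($sample) as $problem) {
    echo "- $problem", PHP_EOL;
}

$fresh = generate_key_block();
echo PHP_EOL, "Freshly generated block:", PHP_EOL, $fresh;
echo 'Problems in the fresh block: ', count(wp_config_check($fresh)), PHP_EOL;
```

To check a real installation, replace $sample with file_get_contents('/path/to/wp-config.php') and run the script on the server; a non-empty problem list means the keys step was not completed. The generated block can be pasted over the eight lines in wp-config.php exactly like the output of the WordPress link.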
What do the keys actually do?
It is important to know how the authentication keys work and why they are required. First of all, you must know that if you do not change the keys, WordPress will use the keys it generated at installation time.
Normally WordPress generates these keys at installation time and saves their values to the wp_options table in its database. So WordPress normally uses the keys from its database, but if you define them in the wp-config.php file, WordPress prefers the values from that file.
We know that cookies are created using the password hash and the authentication keys. If both values sit in the database, then an attacker who gains access to your database can easily obtain the complete information. But if you set the authentication keys in wp-config.php, the keys stored in the database are no longer used and you are comparatively safe.
What do we need to do after changing them in the config file?
It is better to change the keys at a regular interval; changing them hardly takes 5 minutes. Change them as soon as you notice any unusual activity on your website; otherwise change them every few months, as you prefer.
Assume a situation where you log in to your website on somebody else's computer and forget to log out. Don't worry: just go to your wp-config.php file and change the authentication keys as explained above. After changing the keys, all cookies are invalidated, all existing login sessions are discarded, and users will need to log in again.
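To make the two points above concrete (the cookie is derived from the password hash and the keys, and rotating the keys discards every session), here is a simplified model in PHP. It is an added illustration, not WordPress's actual cookie code: the user table, the stored hash and both keys are constructed placeholders, and the HMAC construction is mine, kept only as close as needed to show the effect.

```php
<?php
// Added illustration, not WordPress's own code: a simplified model of a login
// cookie bound to the username, a fragment of the stored password hash and a
// secret key, showing why changing the key throws every existing session out.

// Constructed user table: username => stored password hash. The hash value
// is a made-up stand-in, not a real WordPress hash.
const USERS = [
    'alice' => '$P$BexampleStoredHashFragmentNotReal0123',
];

// Build the cookie. $key stands in for the AUTH_KEY/AUTH_SALT pair that
// wp-config.php defines; only a 4-character fragment of the hash goes in,
// so the cookie never carries the full password hash.
function issue_cookie(string $username, int $expires, string $key): string
{
    $pass_frag = substr(USERS[$username], 8, 4);
    $hmac = hash_hmac('sha256', "$username|$pass_frag|$expires", $key);
    return "$username|$expires|$hmac";
}

// Server side: look the user up, recompute the HMAC with the key currently
// in wp-config.php, and compare in constant time.
function validate_cookie(string $cookie, int $now, string $key): bool
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;
    }
    [$username, $expires, $hmac] = $parts;
    if (!isset(USERS[$username]) || (int) $expires < $now) {
        return false;
    }
    $pass_frag = substr(USERS[$username], 8, 4);
    $expected = hash_hmac('sha256', "$username|$pass_frag|$expires", $key);
    return hash_equals($expected, $hmac);
}

// Constructed keys: the one in place when alice logged in, and its replacement.
$old_key = 'old-key-placeholder-replace-with-a-generated-phrase';
$new_key = 'new-key-placeholder-replace-with-a-generated-phrase';
$now     = 1700000000;                              // fixed clock for a repeatable run
$cookie  = issue_cookie('alice', $now + 86400, $old_key);

var_dump(validate_cookie($cookie, $now, $old_key));            // key unchanged
var_dump(validate_cookie($cookie, $now, $new_key));            // key rotated in wp-config.php
var_dump(validate_cookie($cookie, $now + 2 * 86400, $old_key)); // clock moved past expiry
```

The three checks show the behaviour the post describes: the cookie issued under the old key validates only while that key is in place; once the key is swapped, the recomputed HMAC no longer matches and the session is gone, without touching the database or the user's password. It also shows why keeping the key in wp-config.php matters: someone who only reads the database sees the hash but not the key, and cannot forge the HMAC.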
Note: These keys will not work for you if your website is on an Azure server; you need to make some amendments to the keys generated by this method. Please go through this article to learn what amendments are required and how to proceed for Azure-hosted websites: How to set keys in WordPress config for azure
So, always change the authentication keys, because they play an important role in keeping your website secure. 🙂