Cookie Security in WordPress 2.5

To make cookies secure against attacks where someone has managed to get into your database through an SQL injection exploit or other means, WordPress 2.5 introduced a user-definable constant called SECRET_KEY. If you look at the sample wp-config.php shipped with 2.5, you’ll see these lines.

// Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define(‘SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase

If you upgraded from a previous version of WordPress you probably won’t have these lines in your wp-config.php. Regardless, defining SECRET_KEY and giving it a unique phrase will give your cookies some added security. To make adding a secret key easier, we’ve created a web page that will create the full statement needed to define SECRET_KEY complete with a strong, randomly-generated phrase. Go to api.wordpress.org/secret-key/1.0/ for a line you can cut-and-paste into your wp-config.php file. Here’s some sample output:

define('SECRET_KEY', 'C~1Vr5|!meuT$j`Y.:i&*Cd=O^N0XWD_HzHruzl-?R%LPzlzQ( q^KSW[dmcK;vw');

Cut-and-paste that entire line into your wp-config.php. You can put it after the define statements for the database settings. If you already have SECRET_KEY defined in your wp-config.php, delete the existing line and add the new line. After you add your SECRET_KEY, all users on your blog that are logged in will be logged out. They’ll have to log back in to get a new cookie. If you ever need to force all users to log out, changing SECRET_KEY is an easy way to do so. Don’t worry that changing SECRET_KEY will affect passwords; it affects only login cookies. And don’t worry about having to remember that long random phrase. WordPress will never ask you to input that phrase. It’s just there to act a piece of randomness, frozen in time, for use in creating more secure login cookies for your blog.

Update: As mentioned in the comments, don’t directly copy the example I have above.  Visit api.wordpress.org/secret-key/1.0/ to get your own secret key.  Get a different secret for each of your blogs.

When you add the SECRET_KEY line, add it after the ‘<?php’ tag on the first line.  It has to be between the first line and the last line of wp-config.php, in between the ‘<?php’ and ‘?>’ tags.  In a future version of WP, we’ll try to do this for you automatically if your server config allows WP to write to your wp-config.php file.  That way you won’t have to edit any PHP files.

51 thoughts on “Cookie Security in WordPress 2.5

  1. OK, I tried this. Went to api.wordpress.org/secret-key/1.0/
    copied the whole line generated and pasted it into my wp-config.php file.
    After that my Dashboard and Blog were both prefixed by a horizontal line with that line of text and secret key.
    So I reversed the procedure and now I’m back where I started feeling a whole lot safer than those few seconds when I was protected.

    Like

  2. Plus, this simple action appears to have broken my blog. Since that aborted operation referred to above, whenever I go to ‘post’ anything or ‘edit’ a draft or change a link, and then hit the ‘save’ button I am returned to a blank screen.
    From there I have to manually edit the address bar on my browser to go back to wp-admin.
    Any ideas about fixing this would be appreciated.

    Like

  3. Do you know if there are any other changes made in WordPress 2.5 that may not have been implemented for sites that upgraded from previous versions?

    Like

  4. Bob, that should be the only thing. The upgrade handles bringing everything in the database up-to-date, but we don’t always have permissions to write to wp-config.php to update things in there.

    Like

  5. John Baker, it sounds like you may have put the line at the end of the file, then when you removed it, you left some blank space at the end. Web servers are very sensitive to blank lines in the early stages of generating a page, because a blank line indicates the separation between page information and page content.

    Make sure there’s nothing, including spaces or blank lines, or even a line break, at the end of the file after the ?> code.

    Like

  6. Thanks for the tip about the blank spaces at the end of my file, Kelson. That fixed the erratic behaviour of the blog.
    But doesn’t explain why the secret key showed up at the top of my blog and my dashboard.

    Like

  7. If I put the line below “require_once(ABSPATH.’wp-settings.php’);” then when I try to view my dashboard I get the error message “You do not have sufficient permissions to access this page.”

    Just for your info.

    Like

  8. Thanks for pointing this extra update out – it worked a treat.

    John – did you make sure to add the full line after ” if it was outside these two tags it would certainly be displayed at the top of all your pages.

    Hopefully you’ve got it working by now?

    Like

  9. nice! i love when there are new security improvments to wordpress.

    If you still paranoid about security, copy the line in the generator and add some other characters of you choice, it will be stronger

    Like

  10. Hey all, I just upgrade to 2.5.1 from a fresh 2.5 install. My front-end of the site displays properly, but when I eith try to login form the front-end or access the wp-admin section, it displays a black page.

    I can not update my blog at this point. Hase anyone experienced this, or have any suggestions as to what could be causing it?

    George

    Like

  11. I suspect those that might be having a problem are putting the generated code into the incorrect place in the config file.

    Might I suggest you go to the ; in the following line in your config file, paste the line from the generator up to and including the semicolon after this line and then save the file.

    define(‘DB_COLLATE’, ”);

    Remember there should only be 1 define(‘Security_Key…
    line in your config… If you installed WP after this was included you may need to delete the one that is already in the config file.

    Like

  12. Thanks for the response Biil,

    I actually tracked it down to being the WP-SpamFree plugin I left active and installed. I finally had to delete all plugins within the plugin directory including the one I created to narrow it down.

    Seems like the WP-SpamFree was the only one impacting as without it, everything works okay now. I really thaought it may be the WP-SuperCache, but it seems to be working okay with it active.

    Folks when they say disable all plugins, they mean it!

    George

    Like

  13. The generator produced this for me:
    define(‘SECRET_KEY’, ‘r KGUia,x04j\’=+IHR(l>;58,*KvJ~+`Ln;03&Zs1m+hy~?bG{es73)n4@]p_9?i’);

    Surely the ‘ character it generated in the middle of the string is going to stuff something up badly (premature string end) if I use that key.

    Like

  14. So like maybe give those of us who never made the level of nerd in school a small break and maybe produce an online schematic highlighting where precisely we are supposed to paste our new secret key?

    // Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
    // so make it long and complicated. You can visit http://api.wordpress.org/secret-key/1.0/
    // to get a secret key generated for you, or just make something up.
    define(‘SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.

    Thanks.

    Like

  15. Hullo there, I was just wondering if you could tell me if the photo uploading/posting issue with 2.5 and IE has been fixed or is even close to being fixed? My website is half articles and half erotic photography and I am heavily dependent on the ability to be able to post photos without having to try to sneak them onto somewhere puritanical like PhotoBucket. This new “upgrade” has been horrifying thus far, including replacing all of my ASCII symbols with garble — and I have almost 500 posts!!! I am not a web host or developer, so technical instructions do not help me … but please, for the love of all that is creative can you fix the photo posting issue? PLEEEEEEEEEEEEEASE… [yes, I am begging at this point]

    Like

  16. This article provides information on an important update, but unfortunately the way the information is presented is actually counterproductive.

    Currently, in the example given in this article, it is difficult to see where the random bunch of characters ends and where necessary code begins. Also, leaving that random code there is reckless and will encourage users to simply copy your code, which will create a security vulnerability as mentioned in Comment #3.

    Like

  17. I am trying to post a better step-by-step HOWTO on this, but your website throws:

    The precondition on the request for the URL /weblog/wp-comments-post.php evaluated to false.

    when I click ‘submit comment.’

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.