To make cookies secure against attacks where someone has managed to get into your database through an SQL injection exploit or other means, WordPress 2.5 introduced a user-definable constant called SECRET_KEY. If you look at the sample wp-config.php shipped with 2.5, you’ll see these lines.
// Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define(‘SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase
If you upgraded from a previous version of WordPress you probably won’t have these lines in your wp-config.php. Regardless, defining SECRET_KEY and giving it a unique phrase will give your cookies some added security. To make adding a secret key easier, we’ve created a web page that will create the full statement needed to define SECRET_KEY complete with a strong, randomly-generated phrase. Go to api.wordpress.org/secret-key/1.0/ for a line you can cut-and-paste into your wp-config.php file. Here’s some sample output:
define('SECRET_KEY', 'C~1Vr5|!meuT$j`Y.:i&*Cd=O^N0XWD_HzHruzl-?R%LPzlzQ( q^KSW[dmcK;vw');
Cut-and-paste that entire line into your wp-config.php. You can put it after the define statements for the database settings. If you already have SECRET_KEY defined in your wp-config.php, delete the existing line and add the new line. After you add your SECRET_KEY, all users on your blog that are logged in will be logged out. They’ll have to log back in to get a new cookie. If you ever need to force all users to log out, changing SECRET_KEY is an easy way to do so. Don’t worry that changing SECRET_KEY will affect passwords; it affects only login cookies. And don’t worry about having to remember that long random phrase. WordPress will never ask you to input that phrase. It’s just there to act a piece of randomness, frozen in time, for use in creating more secure login cookies for your blog.
Update: As mentioned in the comments, don’t directly copy the example I have above. Visit api.wordpress.org/secret-key/1.0/ to get your own secret key. Get a different secret for each of your blogs.
When you add the SECRET_KEY line, add it after the ‘<?php’ tag on the first line. It has to be between the first line and the last line of wp-config.php, in between the ‘<?php’ and ‘?>’ tags. In a future version of WP, we’ll try to do this for you automatically if your server config allows WP to write to your wp-config.php file. That way you won’t have to edit any PHP files.