Ryan Boren

Queer, neurodivergent, and disabled technologist turned wannabe-sociologist resisting neuronormative domination.

Cookie Security in WordPress 2.5

To make cookies secure against attacks where someone has managed to get into your database through an SQL injection exploit or other means, WordPress 2.5 introduced a user-definable constant called SECRET_KEY. If you look at the sample wp-config.php shipped with 2.5, you’ll see these lines.

// Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define(‘SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase

If you upgraded from a previous version of WordPress you probably won’t have these lines in your wp-config.php. Regardless, defining SECRET_KEY and giving it a unique phrase will give your cookies some added security. To make adding a secret key easier, we’ve created a web page that will create the full statement needed to define SECRET_KEY complete with a strong, randomly-generated phrase. Go to api.wordpress.org/secret-key/1.0/ for a line you can cut-and-paste into your wp-config.php file. Here’s some sample output:

define('SECRET_KEY', 'C~1Vr5|!meuT$j`Y.:i&*Cd=O^N0XWD_HzHruzl-?R%LPzlzQ( q^KSW[dmcK;vw');

Cut-and-paste that entire line into your wp-config.php. You can put it after the define statements for the database settings. If you already have SECRET_KEY defined in your wp-config.php, delete the existing line and add the new line. After you add your SECRET_KEY, all users on your blog that are logged in will be logged out. They’ll have to log back in to get a new cookie. If you ever need to force all users to log out, changing SECRET_KEY is an easy way to do so. Don’t worry that changing SECRET_KEY will affect passwords; it affects only login cookies. And don’t worry about having to remember that long random phrase. WordPress will never ask you to input that phrase. It’s just there to act a piece of randomness, frozen in time, for use in creating more secure login cookies for your blog.

Update: As mentioned in the comments, don’t directly copy the example I have above.  Visit api.wordpress.org/secret-key/1.0/ to get your own secret key.  Get a different secret for each of your blogs.

When you add the SECRET_KEY line, add it after the ‘<?php’ tag on the first line.  It has to be between the first line and the last line of wp-config.php, in between the ‘<?php’ and ‘?>’ tags.  In a future version of WP, we’ll try to do this for you automatically if your server config allows WP to write to your wp-config.php file.  That way you won’t have to edit any PHP files.

More Posts

Posts on Stimpunks

51 responses to “Cookie Security in WordPress 2.5”

  1. John Baker Avatar
    John Baker

    OK, I tried this. Went to api.wordpress.org/secret-key/1.0/
    copied the whole line generated and pasted it into my wp-config.php file.
    After that my Dashboard and Blog were both prefixed by a horizontal line with that line of text and secret key.
    So I reversed the procedure and now I’m back where I started feeling a whole lot safer than those few seconds when I was protected.

    Reply
  2. Añade un grado más de seguridad a tu Wordpress 2.5 | aNieto2K

    […] para identificarnos como usuario logueado sean más complejas y por consecuente más seguras. Su implementación es realmente sencilla, así que no está de más hacerlo y asegurarnos un poco […]

    Reply
  3. Mark Jaquith Avatar
    Mark Jaquith

    Public service announcement: do not use the sample output listed above! The point here is for your key to be random and unique. Use the generator, and use a different one for each of your WordPress 2.5+ installs!

    Reply
  4. John Baker Avatar
    John Baker

    Plus, this simple action appears to have broken my blog. Since that aborted operation referred to above, whenever I go to ‘post’ anything or ‘edit’ a draft or change a link, and then hit the ‘save’ button I am returned to a blank screen.
    From there I have to manually edit the address bar on my browser to go back to wp-admin.
    Any ideas about fixing this would be appreciated.

    Reply
  5. John Baker Avatar
    John Baker

    I did not use the ‘sample output’ listed above. I used the generator as suggested.

    Reply
  6. AsceticMonk Avatar
    AsceticMonk

    Good to know! Thanks! I am going to do it on my WP installation.

    Reply
  7. 2718.us blog – The SECRET_KEY in WordPress

    […] of actually reading the various blogs to which there are links on my WordPress dashboard and I saw this today from boren.nu: To make cookies secure against attacks where someone has managed to get into your database through […]

    Reply
  8. Bob Avatar
    Bob

    Do you know if there are any other changes made in WordPress 2.5 that may not have been implemented for sites that upgraded from previous versions?

    Reply
  9. Ryan Avatar
    Ryan

    Bob, that should be the only thing. The upgrade handles bringing everything in the database up-to-date, but we don’t always have permissions to write to wp-config.php to update things in there.

    Reply
  10. DrYang MedBlog : Stress your weaknesses, not strengths! » Blog Archive » » Cookie Security in WordPress 2.5 boren.nu

    […] » Cookie Security in Word […]

    Reply
  11. Kelson Avatar
    Kelson

    John Baker, it sounds like you may have put the line at the end of the file, then when you removed it, you left some blank space at the end. Web servers are very sensitive to blank lines in the early stages of generating a page, because a blank line indicates the separation between page information and page content.

    Make sure there’s nothing, including spaces or blank lines, or even a line break, at the end of the file after the ?> code.

    Reply
  12. Richard Avatar
    Richard

    It sounds interesting. I will try this later.

    John, have you solved your problem?

    Reply
  13. Links: Freedom and Security | K-Squared Ramblings

    […] Cookie Security in WordPress 2.5. The latest version of the blogging software has a feature that can make it harder for attackers to grab your login sessions. It involves setting a pass phrase in wp-config.php, one which you’ll never have to remember, but which will be unique to your site. You have to copy the SECRET_KEY section from wp-config-sample.php and add in your passphrase…or you can generate a random code at http://api.wordpress.org/secret-key/1.0/ (be sure to put it in the middle of the file!) […]

    Reply
  14. rodel Avatar
    rodel

    works just fine for my site.. i just hope it won’t affect on others stuffs in the near future..

    tnx..

    Reply
  15. Brajeshwar Avatar
    Brajeshwar

    You don’t really have to go to that API URL to get your code, you can either generate one yourself using your favorite Password Keeper (I use KeepassX) or use the Password generator at https://www.grc.com/passwords.htm
    and use it. I did wrote an article on this early this month.

    http://brajeshwar.net/wordpress-25-secret-key/

    Reply
  16. Noticias de Bitacoras.com » Añade más seguridad a WordPress 2.5

    […] para identificarnos como usuario logueado sean más complejas y por consecuente más seguras. Su implementación es realmente sencilla, así que no está de más hacerlo y asegurarnos un poco […]

    Reply
  17. John Baker Avatar
    John Baker

    Thanks for the tip about the blank spaces at the end of my file, Kelson. That fixed the erratic behaviour of the blog.
    But doesn’t explain why the secret key showed up at the top of my blog and my dashboard.

    Reply
  18. Pete Avatar
    Pete

    If I put the line below “require_once(ABSPATH.’wp-settings.php’);” then when I try to view my dashboard I get the error message “You do not have sufficient permissions to access this page.”

    Just for your info.

    Reply
  19. Esa Rantanen Avatar
    Esa Rantanen

    Is it any use adding SECRET_KEY AFTER installing WP2.5?

    Reply
  20. 让wordpress2.5的小甜饼干更安全 – 冰古blog

    […] 阅读:Cookie Security in WordPress 2.5 Tags: cookie, security You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. […]

    Reply
  21. Ben Palmer Avatar
    Ben Palmer

    Thanks for pointing this extra update out – it worked a treat.

    John – did you make sure to add the full line after ” if it was outside these two tags it would certainly be displayed at the top of all your pages.

    Hopefully you’ve got it working by now?

    Reply
  22. Añadir mas seguridad a Wordpress 2.5 – TheDaVis Blog

    […] para identificarnos como usuario identificado sean más complejas y por consecuente más seguras. Su implementación es realmente sencilla, así que no está de más hacerlo y asegurarnos un poco […]

    Reply
  23. Cómo hacer tu blog un poco más seguro » blogpocket 7.0

    […] Nieto nos sugiere activar la opción SECRET_KEY del fichero wp-config.php. Una medida de seguridad relacionada con las cookies. Se puede utilizar una secret-key generada aleatoriamente por WP copiándola al archivo […]

    Reply
  24. jardel Avatar
    jardel

    nice! i love when there are new security improvments to wordpress.

    If you still paranoid about security, copy the line in the generator and add some other characters of you choice, it will be stronger

    Reply
  25. George Jones Avatar
    George Jones

    Hey all, I just upgrade to 2.5.1 from a fresh 2.5 install. My front-end of the site displays properly, but when I eith try to login form the front-end or access the wp-admin section, it displays a black page.

    I can not update my blog at this point. Hase anyone experienced this, or have any suggestions as to what could be causing it?

    George

    Reply
  26. George Jones Avatar
    George Jones

    In my last comment, I meant to share that it is a blank admin page, not a “black one” in my haste, I finger fumbled. Apologies.

    George

    Reply
  27. Bill Avatar
    Bill

    I suspect those that might be having a problem are putting the generated code into the incorrect place in the config file.

    Might I suggest you go to the ; in the following line in your config file, paste the line from the generator up to and including the semicolon after this line and then save the file.

    define(‘DB_COLLATE’, ”);

    Remember there should only be 1 define(‘Security_Key…
    line in your config… If you installed WP after this was included you may need to delete the one that is already in the config file.

    Reply
  28. George Jones Avatar
    George Jones

    Thanks for the response Biil,

    I actually tracked it down to being the WP-SpamFree plugin I left active and installed. I finally had to delete all plugins within the plugin directory including the one I created to narrow it down.

    Seems like the WP-SpamFree was the only one impacting as without it, everything works okay now. I really thaought it may be the WP-SuperCache, but it seems to be working okay with it active.

    Folks when they say disable all plugins, they mean it!

    George

    Reply
  29. John Baker Avatar
    John Baker

    Everything’s working OK with my site now. You have to make sure that the new define secret_key line goes between the ‘’ tags.

    Reply
  30. fneep Avatar
    fneep

    The generator produced this for me:
    define(‘SECRET_KEY’, ‘r KGUia,x04j\’=+IHR(l>;58,*KvJ~+`Ln;03&Zs1m+hy~?bG{es73)n4@]p_9?i’);

    Surely the ‘ character it generated in the middle of the string is going to stuff something up badly (premature string end) if I use that key.

    Reply
  31. 升级至wordpress2.5.1 | 简单SEO

    […] 最后,看了老外的一篇Cookie Security in WordPress 2.5文章,为了提高网站的安全性,强烈建议使用wordpress的博客对 wp-config.php 文件中的 […]

    Reply
  32. J. Burkhart Avatar
    J. Burkhart

    So like maybe give those of us who never made the level of nerd in school a small break and maybe produce an online schematic highlighting where precisely we are supposed to paste our new secret key?

    // Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
    // so make it long and complicated. You can visit http://api.wordpress.org/secret-key/1.0/
    // to get a secret key generated for you, or just make something up.
    define(‘SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.

    Thanks.

    Reply
  33. Add WordPress SECRET_KEY for Secure Cookies

    […] Ryan elaborates that don’t memorize this long code as you just need to paste and forget it. They will not ask for it again. If you ever need to force all users to log out, simply change the SECRET_KEY. Note that changing SECRET_KEY will affect only login cookies. […]

    Reply
  34. Erste WordPress 2.5 Sicherheitslücke « Wordpress « Compboard Blog

    […] nach dem Eintrag des Keys neu im Backend anmelden, auch wenn dies bisher automatisch geschah. Auf boren.nu findet sich dazu ein lustiger Hinweis: “Wenn ihr mal alle angemeldeten Nutzer ausloggen wollt […]

    Reply
  35. DanjerusKurves Avatar
    DanjerusKurves

    Hullo there, I was just wondering if you could tell me if the photo uploading/posting issue with 2.5 and IE has been fixed or is even close to being fixed? My website is half articles and half erotic photography and I am heavily dependent on the ability to be able to post photos without having to try to sneak them onto somewhere puritanical like PhotoBucket. This new “upgrade” has been horrifying thus far, including replacing all of my ASCII symbols with garble — and I have almost 500 posts!!! I am not a web host or developer, so technical instructions do not help me … but please, for the love of all that is creative can you fix the photo posting issue? PLEEEEEEEEEEEEEASE… [yes, I am begging at this point]

    Reply
  36. Evert Jan Avatar
    Evert Jan

    I am having the same issue as Pete (“You do not have sufficient permissions to access this page.” in the dashboard after adding the line). Any clue about how to solve this?

    Tnx,EJ

    Reply
  37. Añade un grado más de seguridad a tu Wordpress 2.5 « HispaSystem Group Blog

    […] para identificarnos como usuario logueado sean más complejas y por consecuente más seguras. Su implementación es realmente sencilla, así que no está de más hacerlo y asegurarnos un poco […]

    Reply
  38. Erik Avatar
    Erik

    This article provides information on an important update, but unfortunately the way the information is presented is actually counterproductive.

    Currently, in the example given in this article, it is difficult to see where the random bunch of characters ends and where necessary code begins. Also, leaving that random code there is reckless and will encourage users to simply copy your code, which will create a security vulnerability as mentioned in Comment #3.

    Reply
  39. Erik Avatar
    Erik

    I am trying to post a better step-by-step HOWTO on this, but your website throws:

    The precondition on the request for the URL /weblog/wp-comments-post.php evaluated to false.

    when I click ‘submit comment.’

    Reply
  40. WordPress 2.5.1 Released, But You Can’t Reset Passwords and 2.5.2 is Close Behind; Will You Update? | WordPress Philippines

    […] Just as Filipino bloggers trooped to U.P. Diliman for the 4th iBlog Summit, WordPress 2.5.1 was released. It has over 70 security fixes and enhancements, including a SECRET_KEY in the wp-config.php file explained in-depth by Ryan Boren. […]

    Reply
  41. Asroone – عصرونه » بایگانی وبلاگ » امنیت در وردپرس 2.5

    […] : boren.nu – ma.tt برچسب […]

    Reply
  42. David Pankhurst Avatar
    David Pankhurst

    Rather than edit all my older blogs by hand (no SECRET_KEY before 2.5), I went and wrote a Plugin to add random keys automatically to my wp-config.php file.

    You’re welcome to download and use it:

    http://ActiveBlogging.com/info/how-to-change-wordpress-secret_key-plugin/

    It will either add a random key (in none present) or change the current key.

    Comments on it welcome – especially if you feel it needs anything else added…

    Reply
  43. Simon » Blog Archive » Keeping Hands Out of the Cookie Jar

    […] new version of WordPress adds additional protection for cookies. It is very much worth adding the config option mentioned, since it helps protect against problems […]

    Reply
  44. WordPress Wednesday News: WordPress 2.5.1 Released, WordPress 2008 in August, Plugins Contest, 3 Million, WordPress.com Responds to Brail Court Ban, and More : The Blog Herald

    […] 2.5 Secret Key: WordPress 2.5 now makes cookies more secure and protected from attacks with a new user-definable constant called SECRET_KEY. Ryan Boren talks more about this issue in […]

    Reply
  45. WordPress Wednesday News: Which Bookmarklet, WordPress 2.5.1 Mandatory Upgrade, WordPress Plugin Contest, WordCamp 2008 in San Francisco, and WordPress Mugs : The Blog Herald

    […] 2.5 Secret Key: WordPress 2.5 now makes cookies more secure and protected from attacks with a new user-definable constant called SECRET_KEY. Ryan Boren talks more about this issue in […]

    Reply
  46. WordPress Wednesday News: WordPressMU Updated, Press-It Coming Back, WordCamp Milan, WordPress Keys, and Plugin Contest News : The Blog Herald

    […] 2.5 Secret Key: WordPress 2.5 now makes cookies more secure and protected from attacks with a new user-definable constant called SECRET_KEY. Ryan Boren talks more about this issue in […]

    Reply
  47. WordPress Wednesday News: WordCamps Everywhere, Apache Patch for Securer Passwords, WordPress Plugin Contest, and More WordPress News : The Blog Herald

    […] writes about mod_auth_mysql and phpass, a new patch for Apache authentication which works with the new WordPress secure password storage feature. WordPress Plugin Competition: Weblog Tools Collection has announced a new WordPress Plugin […]

    Reply
  48. WordPress Wednesday News: WordPress 5 Years Old, WordCamps International, WordPress 2.6 On Track, Plugin Competition is Hot, Genko Updated : The Blog Herald

    […] Password Secure Storage: Barry Abramson writes about mod_auth_mysql and phpass, a new patch for Apache authentication which works with the new WordPress secure password storage feature. […]

    Reply
  49. » SSL and Cookies in WordPress 2.6 Ryan Boren

    […] these new cookies comes new secret keys for signing them.  Recall that WordPress 2.5 introduced SECRET_KEY as a means of adding a little extra security to cookie signing.  If you intend to use the SSL […]

    Reply
  50. SSL and Cookies in WordPress 2.6 » 70 Tricks

    […] these new cookies comes new secret keys for signing them.  Recall that WordPress 2.5 introduced SECRET_KEY as a means of adding a little extra security to cookie signing.  If you intend to use the SSL […]

    Reply
  51. Callum Avatar
    Callum

    For ultimate security, the api link should deliver the code over HTTPS to reduce the chance that it is cached / intercepted. 🙂

    Reply

Leave a Reply to Evert JanCancel reply

Discover more from Ryan Boren

Subscribe now to keep reading and get access to the full archive.

Continue reading