Don't forget to add a SECRET_KEY to WordPress

by mickey on April 28, 2008

If you’re like me and you’ve been using WordPress since before 2.5 came out, your wp-config file is probably missing a “SECRET_KEY”.  This is a new, one-line entry to the config file that generates a unique cookie for your site.  Some of the recent WordPress attacks have involved cookie spoofing, and this will help prevent that kind of thing.

As far as I can understand, WordPress 2.5.1 is completely secure even without a secret key.  I think this is just a pre-emptive move to prevent cookie-based attacks in the future.  Extra security is always a good thing.

Adding a key is very simple.  Just open up your wp-config.php file and add something like this:

define('SECRET_KEY', '8675309 abc 123 secret key dont hack me');

You don’t need to remember the phrase, so make it as long and complex as you can.  If you want, you can visit this WordPress page which will generate a unique key every time you load the page.
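To make concrete why a long, random, per-site key matters, here is an added illustration (not WordPress core code and not from the original post) of how a secret key is used to authenticate a login cookie. WordPress's own cookie scheme is similar in spirit but not identical; the helper names make_auth_cookie and verify_auth_cookie, the cookie layout, and the sample user and timestamps are all assumptions made for this example.

```php
<?php
// Added illustration (not WordPress core code): how a per-site secret key
// turns a login cookie into something that cannot be forged or altered
// without knowing the key. Helper names and cookie layout are hypothetical.

// In wp-config.php the key is a long random string. One way to make one
// once, then paste the result into the define():
//   echo bin2hex(random_bytes(32));   // 64 hex characters
define('SECRET_KEY', 'replace-me-with-a-long-random-string');

// Build a cookie of the form  user|expiry|mac
function make_auth_cookie(string $user, int $expires): string
{
    $payload = $user . '|' . $expires;
    // The MAC binds the payload to THIS site's key: changing any byte of the
    // payload, or computing it with a different key, yields a different MAC.
    $mac = hash_hmac('sha256', $payload, SECRET_KEY);
    return $payload . '|' . $mac;
}

// Return the user name if the cookie is genuine and unexpired, else null.
function verify_auth_cookie(string $cookie, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                       // malformed
    }
    [$user, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                       // expired or bad expiry field
    }
    $expected = hash_hmac('sha256', $user . '|' . $expires, SECRET_KEY);
    // hash_equals compares in constant time, so a wrong MAC cannot be
    // refined guess by guess through response timing.
    if (!hash_equals($expected, $mac)) {
        return null;                       // spoofed or tampered cookie
    }
    return $user;
}

// Demonstration on constructed values (fixed clock for a repeatable run).
$now    = 1209340800;
$cookie = make_auth_cookie('mickey', $now + 3600);

echo "genuine cookie  : ", var_export(verify_auth_cookie($cookie, $now), true), PHP_EOL;

// Same cookie with the user name swapped: the MAC no longer matches.
$tampered = 'admin' . substr($cookie, strlen('mickey'));
echo "tampered cookie : ", var_export(verify_auth_cookie($tampered, $now), true), PHP_EOL;

// Same cookie presented after its expiry time has passed.
echo "expired cookie  : ", var_export(verify_auth_cookie($cookie, $now + 7200), true), PHP_EOL;
```

Two things the example shows that the paragraph above does not: the key never leaves the server (only the MAC computed from it does), which is why it can be as long and unmemorable as you like; and the verification must compare MACs with hash_equals rather than == so that the check does not leak information through timing.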


Paula Hawk April 28, 2008 at 1:14 pm

Thanx for this post – I’m so slow on updating and things on my personally hosted sites, this could have caused me BIG problems! :)


David Bradley April 28, 2008 at 1:31 pm

If I read you correctly and version 2.5.1 is secure, then isn’t adding the secret key redundant?

db


Mickey April 28, 2008 at 1:33 pm

David – That’s my understanding, yes. However, isn’t a bit of redundant security a good thing, especially on something that people work so hard to crack?


David Bradley April 28, 2008 at 1:39 pm

Point taken, but if the vulnerability has wrapped in Kevlar, then a strip of duct tape over the top ain’t gonna bolster your defenses. Of course, if the new 2.5.1 security is just wads of duct tape, then some extra bullet proofing will be welcome. I’ve implemented the tip regardless, but then I have been known on occasion to tie a double bow in my running shoes too ;-)

db


Mickey April 28, 2008 at 1:42 pm

I would guess they always hope that it’s wrapped in Kevlar (especially if they call it a “secure” release), but people will eventually find a hole. If nothing else, this should say “Don’t mess with the cookies — you’re not getting in. Look elsewhere.”

I really don’t know enough about security to fully understand it. However, if it makes WordPress 0.1% more secure, then I’m all for it. Getting hacked just makes for a bad day.


Elaine Vigneault April 28, 2008 at 11:55 pm

Thanks :) I needed that reminder.
