Don't forget to add a SECRET_KEY to WordPress

by mickey on April 28, 2008

If you’re like me and you’ve been using WordPress since before 2.5 came out, your wp-config file is probably missing a “SECRET_KEY”. This is a new, one-line entry to the config file that gives your site a unique secret, which WordPress mixes in when it generates the cookie it uses to recognize logged-in users. Some of the recent WordPress attacks have involved cookie spoofing, and a site-specific secret helps prevent that kind of thing.

As far as I can understand, WordPress 2.5.1 is completely secure even without a secret key.  I think this is just a pre-emptive move to prevent cookie-based attacks in the future.  Extra security is always a good thing.

Adding a key is very simple.  Just open up your wp-config.php file and add something like this:

define('SECRET_KEY', '8675309 abc 123 secret key dont hack me');

You don’t need to remember the phrase, so make it as long and complex as you can.  If you want, you can visit this WordPress page which will generate a unique key every time you load the page.
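Since you never have to type the phrase yourself, there is no reason not to let the machine pick it. The script below is an added example (not from the original post and not a WordPress tool): it draws 64 random printable characters from /dev/urandom, refuses to overwrite a SECRET_KEY that is already in the file, and inserts the define above the “stop editing” marker that wp-config.php normally carries. The function names, the 64-character length and the sample config are my own choices.

```shell
#!/bin/sh
# Added example: generate a long random SECRET_KEY and add it to wp-config.php.
# Assumes a POSIX shell with /dev/urandom, tr, head, grep and awk available.

# Print a random key of N printable characters (default 64). Quotes and
# backslashes are left out of the set so the value is safe inside a
# single-quoted PHP string without any escaping.
gen_secret_key() {
    n=${1:-64}
    LC_ALL=C tr -dc 'A-Za-z0-9!#%&*+,.:;<=>?@^_~' </dev/urandom | head -c "$n"
}

# Add define('SECRET_KEY', ...) to the config file given as $1 using the key
# given as $2. The line goes just above the "stop editing" marker when that
# marker exists, otherwise at the end of the file. Returns 1 without touching
# the file if any SECRET_KEY is already defined, so an existing key (and the
# cookies signed with it) is never silently replaced.
add_secret_key() {
    cfg=$1
    key=$2
    if grep -q "SECRET_KEY" "$cfg"; then
        echo "SECRET_KEY already present in $cfg, leaving it alone" >&2
        return 1
    fi
    line="define('SECRET_KEY', '$key');"
    if grep -q "stop editing" "$cfg"; then
        # Print the new define immediately before the marker line, then copy
        # the result back over the original so ownership and mode are kept.
        awk -v l="$line" '/stop editing/ {print l} {print}' "$cfg" > "$cfg.tmp" \
            && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
    else
        printf '%s\n' "$line" >> "$cfg"
    fi
}

# Usage: sh add-secret-key.sh /path/to/wp-config.php
if [ -n "${1:-}" ]; then
    add_secret_key "$1" "$(gen_secret_key 64)"
fi
```

Run it once against a copy of the config first and diff the result; the second run is a no-op by design, so if you ever do want a fresh key (for instance after a compromise), remove the old define by hand, knowing that every existing login cookie becomes invalid the moment the key changes.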

  • http://hawksdomain.wordpress.com Paula Hawk

    Thanx for this post – I’m so slow on updating and things on my personally hosted sites, this could have caused me BIG problems! :)

  • http://www.sciencebase.com/ David Bradley

    If I read you correctly and version 2.5.1 is secure, then isn’t adding the secret key redundant?

    db

  • Mickey

    David – That’s my understanding, yes. However, isn’t a bit of redundant security a good thing, especially on something that people work so hard to crack?

  • http://www.sciencebase.com/ David Bradley

    Point taken, but if the vulnerability has been wrapped in Kevlar, then a strip of duct tape over the top ain’t gonna bolster your defenses. Of course, if the new 2.5.1 security is just wads of duct tape, then some extra bullet proofing will be welcome. I’ve implemented the tip regardless, but then I have been known on occasion to tie a double bow in my running shoes too ;-)

    db

  • Mickey

    I would guess they always hope that it’s wrapped in Kevlar (especially if they call it a “secure” release), but people will eventually find a hole. If nothing else, this should say “Don’t mess with the cookies — you’re not getting in. Look elsewhere.”

    I really don’t know enough about security to fully understand it. However, if it makes WordPress 0.1% more secure, then I’m all for it. Getting hacked just makes for a bad day.

  • http://elainevigneault.com/ Elaine Vigneault

    Thanks :) I needed that reminder.
