
Cookie Security in WordPress 2.5

April 24, 2008
by Ryan Boren

WordPress 2.5 introduced a user-definable constant called SECRET_KEY to make login cookies secure against an attacker who has managed to get into your database, through an SQL injection exploit or other means. If you look at the sample wp-config.php shipped with 2.5, you’ll see these lines.

// Change SECRET_KEY to a unique phrase. You won't have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase

If you upgraded from a previous version of WordPress you probably won’t have these lines in your wp-config.php. Regardless, defining SECRET_KEY and giving it a unique phrase will give your cookies some added security. To make adding a secret key easier, we’ve created a web page that will create the full statement needed to define SECRET_KEY complete with a strong, randomly-generated phrase. Go to api.wordpress.org/secret-key/1.0/ for a line you can cut-and-paste into your wp-config.php file. Here’s some sample output:

define('SECRET_KEY', 'C~1Vr5|!meuT$j`Y.:i&*Cd=O^N0XWD_HzHruzl-?R%LPzlzQ( q^KSW[dmcK;vw');

Cut-and-paste that entire line into your wp-config.php. You can put it after the define statements for the database settings. If you already have SECRET_KEY defined in your wp-config.php, delete the existing line and add the new line. After you add your SECRET_KEY, all users on your blog that are logged in will be logged out. They’ll have to log back in to get a new cookie. If you ever need to force all users to log out, changing SECRET_KEY is an easy way to do so. Don’t worry that changing SECRET_KEY will affect passwords; it affects only login cookies. And don’t worry about having to remember that long random phrase. WordPress will never ask you to input that phrase. It’s just there to act as a piece of randomness, frozen in time, for use in creating more secure login cookies for your blog.

Update: As mentioned in the comments, don’t directly copy the example I have above. Visit api.wordpress.org/secret-key/1.0/ to get your own secret key. Get a different secret for each of your blogs.

When you add the SECRET_KEY line, add it after the <?php tag on the first line. It has to be between the first line and the last line of wp-config.php, in between the <?php and ?> tags. In a future version of WP, we’ll try to do this for you automatically if your server config allows WP to write to your wp-config.php file. That way you won’t have to edit any PHP files.
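The following Python model is an added illustration of why a secret that lives in wp-config.php, and not in any table, protects login cookies against someone who can only read the database. It is not WordPress's own code: the real cookie format, hash function and password hashing (phpass) differ, and the names make_auth_cookie, validate_auth_cookie, login, forge_from_database_only, the sample user record, the SHA-256 HMAC and the PBKDF2 password stand-in are all constructed for the example. It also shows the two behaviours the post describes: changing SECRET_KEY invalidates every existing cookie, and it leaves passwords untouched.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the SECRET_KEY constant in wp-config.php: it lives
# in a file on disk, not in any database table.
SECRET_KEY = "constructed-example-secret-0f3a9c-do-not-reuse"

# Constructed stand-in for the users table. Everything here is visible to an
# attacker who can run SQL against the blog's database. (WordPress stores
# phpass hashes; PBKDF2 is used here only to keep the example self-contained.)
_SALT = b"constructed-salt"
DB_USERS = {
    "admin": {
        "salt": _SALT,
        "pass_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000).hex(),
    }
}


def sign(secret: str, payload: str) -> str:
    """HMAC over the cookie payload, keyed with the file-resident secret."""
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def make_auth_cookie(username: str, expiration: int, secret: str) -> str:
    """Issue a login cookie of the form username|expiration|mac."""
    payload = f"{username}|{expiration}"
    return f"{payload}|{sign(secret, payload)}"


def validate_auth_cookie(cookie: str, secret: str, now: int) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, exp, mac = parts
    if username not in DB_USERS or not exp.isdigit() or int(exp) <= now:
        return None
    expected = sign(secret, f"{username}|{exp}")
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    return username


def login(username: str, password: str, secret: str, now: int) -> Optional[str]:
    """Check the password against the database hash, then issue a cookie.
    The password check never touches SECRET_KEY, so rotating the key does
    not change who can log in."""
    user = DB_USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 10_000).hex()
    if not hmac.compare_digest(candidate, user["pass_hash"]):
        return None
    return make_auth_cookie(username, now + 3600, secret)


def forge_from_database_only(username: str, expiration: int) -> str:
    """The best someone holding only a database dump can do: they know the
    user name and the password hash but not the MAC key, so they sign with
    the material they actually have. The result does not validate."""
    payload = f"{username}|{expiration}"
    return f"{payload}|{sign(DB_USERS[username]['pass_hash'], payload)}"


if __name__ == "__main__":
    now = 1_209_000_000  # constructed timestamp (April 2008)
    cookie = login("admin", "correct horse", SECRET_KEY, now)
    print("genuine cookie validates as:", validate_auth_cookie(cookie, SECRET_KEY, now))
    print("forged from DB only:", validate_auth_cookie(forge_from_database_only("admin", now + 3600), SECRET_KEY, now))
    print("after SECRET_KEY rotation:", validate_auth_cookie(cookie, "rotated-secret", now))
    print("password still works after rotation:", login("admin", "correct horse", "rotated-secret", now) is not None)
```

Without a file-resident secret, the only key material available to the blog would be what sits in the database, and anyone who can read the database could then mint cookies for any account; the HMAC keyed with SECRET_KEY is what makes the database alone insufficient.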

51 Comments
  1. April 24, 2008 12:43 pm

    OK, I tried this. Went to api.wordpress.org/secret-key/1.0/
    copied the whole line generated and pasted it into my wp-config.php file.
    After that my Dashboard and Blog were both prefixed by a horizontal line with that line of text and secret key.
    So I reversed the procedure and now I’m back where I started feeling a whole lot safer than those few seconds when I was protected.

  2. April 24, 2008 1:50 pm

    Public service announcement: do not use the sample output listed above! The point here is for your key to be random and unique. Use the generator, and use a different one for each of your WordPress 2.5+ installs!

  3. April 24, 2008 1:51 pm

    Plus, this simple action appears to have broken my blog. Since that aborted operation referred to above, whenever I go to ‘post’ anything or ‘edit’ a draft or change a link, and then hit the ‘save’ button I am returned to a blank screen.
    From there I have to manually edit the address bar on my browser to go back to wp-admin.
    Any ideas about fixing this would be appreciated.

  4. April 24, 2008 1:52 pm

    I did not use the ‘sample output’ listed above. I used the generator as suggested.

  5. April 24, 2008 2:13 pm

    Good to know! Thanks! I am going to do it on my WP installation.

  6. April 24, 2008 2:27 pm

    Do you know if there are any other changes made in WordPress 2.5 that may not have been implemented for sites that upgraded from previous versions?

  7. April 24, 2008 2:45 pm

    Bob, that should be the only thing. The upgrade handles bringing everything in the database up-to-date, but we don’t always have permissions to write to wp-config.php to update things in there.

  8. April 24, 2008 3:23 pm

    John Baker, it sounds like you may have put the line at the end of the file, then when you removed it, you left some blank space at the end. Web servers are very sensitive to blank lines in the early stages of generating a page, because a blank line indicates the separation between page information and page content.

    Make sure there’s nothing, including spaces or blank lines, or even a line break, at the end of the file after the ?> code.

  9. April 24, 2008 7:44 pm

    It sounds interesting. I will try this later.

    John, have you solved your problem?

  10. April 24, 2008 9:51 pm

    Works just fine for my site. I just hope it won’t affect other stuff in the near future.

    Thanks.

  11. April 24, 2008 10:13 pm

    You don’t really have to go to that API URL to get your code; you can either generate one yourself using your favorite Password Keeper (I use KeepassX) or use the Password generator at https://www.grc.com/passwords.htm
    and use it. I wrote an article on this earlier this month.

    http://brajeshwar.net/wordpress-25-secret-key/

  12. April 24, 2008 11:28 pm

    Thanks for the tip about the blank spaces at the end of my file, Kelson. That fixed the erratic behaviour of the blog.
    But doesn’t explain why the secret key showed up at the top of my blog and my dashboard.

  13. April 25, 2008 12:42 am

    If I put the line below “require_once(ABSPATH.'wp-settings.php');” then when I try to view my dashboard I get the error message “You do not have sufficient permissions to access this page.”

    Just for your info.

  14. Esa Rantanen, April 25, 2008 12:54 am

    Is it any use adding SECRET_KEY AFTER installing WP2.5?

  15. April 25, 2008 6:59 am

    Thanks for pointing this extra update out – it worked a treat.

    John – did you make sure to add the full line after ” if it was outside these two tags it would certainly be displayed at the top of all your pages.

    Hopefully you’ve got it working by now?

  16. April 25, 2008 11:28 am

    Nice! I love when there are new security improvements to WordPress.

    If you’re still paranoid about security, copy the line from the generator and add some other characters of your choice; it will be stronger.

  17. April 25, 2008 12:14 pm

    Hey all, I just upgraded to 2.5.1 from a fresh 2.5 install. My front-end of the site displays properly, but when I either try to login from the front-end or access the wp-admin section, it displays a black page.

    I can not update my blog at this point. Has anyone experienced this, or have any suggestions as to what could be causing it?

    George

  18. April 25, 2008 12:16 pm

    In my last comment, I meant to share that it is a blank admin page, not a “black one” in my haste, I finger fumbled. Apologies.

    George

  19. April 25, 2008 1:26 pm

    I suspect those that might be having a problem are putting the generated code into the incorrect place in the config file.

    Might I suggest you go to the ; in the following line in your config file, paste the line from the generator up to and including the semicolon after this line and then save the file.

    define('DB_COLLATE', '');

    Remember there should only be 1 define('Security_Key…
    line in your config… If you installed WP after this was included you may need to delete the one that is already in the config file.

  20. April 25, 2008 1:45 pm

    Thanks for the response Bill,

    I actually tracked it down to being the WP-SpamFree plugin I left active and installed. I finally had to delete all plugins within the plugin directory including the one I created to narrow it down.

    Seems like the WP-SpamFree was the only one impacting as without it, everything works okay now. I really thought it may be the WP-SuperCache, but it seems to be working okay with it active.

    Folks when they say disable all plugins, they mean it!

    George

  21. April 25, 2008 2:33 pm

    Everything’s working OK with my site now. You have to make sure that the new define secret_key line goes between the ‘’ tags.

  22. April 25, 2008 11:37 pm

    The generator produced this for me:
    define('SECRET_KEY', 'r KGUia,x04j\'=+IHR(l>;58,*KvJ~+`Ln;03&Zs1m+hy~?bG{es73)n4@]p_9?i');

    Surely the ‘ character it generated in the middle of the string is going to stuff something up badly (premature string end) if I use that key.
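Several of the comments above (1 and 15: the key printed at the top of every page; 8: blank lines after the closing tag; 13: the line placed after wp-settings.php is loaded; 19: a duplicate define; 22: a quote inside the phrase) come down to where and how the SECRET_KEY line was pasted. The checker below is an added example, not a WordPress tool, that reads a wp-config.php and reports those conditions; check_wp_config, the regular expressions, the 32-character minimum and the constructed config fragments are all assumptions made for the example. The sample key the post prints is flagged as public, since every reader has seen it. Note that a backslash-escaped quote (\') inside a single-quoted PHP string is valid PHP; only a bare quote ends the string early.

```python
import re
from typing import List

PLACEHOLDER = "put your unique phrase here"
# The key shown as sample output in the post. Anyone who pasted it shares it
# with every other reader, so a config that still carries it is flagged.
PUBLISHED_SAMPLE = "C~1Vr5|!meuT$j`Y.:i&*Cd=O^N0XWD_HzHruzl-?R%LPzlzQ( q^KSW[dmcK;vw"
MIN_LENGTH = 32  # assumed threshold; the generator hands out 64 characters

LOOSE = re.compile(r"define\s*\(\s*'SECRET_KEY'", re.IGNORECASE)
# Full single-quoted PHP string literal: a backslash-escaped quote (\') is
# legal inside it, a bare quote ends it early and the match fails.
STRICT = re.compile(r"define\s*\(\s*'SECRET_KEY'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;", re.IGNORECASE)
BOOT = re.compile(r"require_once\s*\(?\s*ABSPATH\s*\.\s*'wp-settings\.php'")


def check_wp_config(text: str) -> List[str]:
    """Return a list of problems with the SECRET_KEY line; empty means it looks right."""
    problems: List[str] = []
    open_at = text.find("<?php")
    close_at = text.rfind("?>")
    if open_at < 0:
        problems.append("no <?php tag: nothing in the file is executed as PHP")
    if close_at >= 0 and text[close_at + 2:] not in ("", "\n", "\r\n"):
        # PHP swallows one newline after ?>; anything more is output sent
        # before the headers, which breaks redirects and cookies.
        problems.append("content after ?> (blank lines count) is sent to the browser before any header")
    boot = BOOT.search(text)
    boot_at = boot.start() if boot else len(text)
    hits = list(LOOSE.finditer(text))
    if not hits:
        problems.append("SECRET_KEY is not defined")
    elif len(hits) > 1:
        problems.append(f"SECRET_KEY is defined {len(hits)} times; keep exactly one line")
    for hit in hits:
        pos = hit.start()
        if open_at < 0 or pos < open_at or (close_at >= 0 and pos > close_at):
            problems.append("SECRET_KEY define is outside the <?php ... ?> tags and will be printed on every page")
            continue
        if pos > boot_at:
            problems.append("SECRET_KEY define comes after wp-settings.php is loaded, too late to take effect")
        literal = STRICT.match(text, pos)
        if literal is None:
            problems.append("SECRET_KEY define is malformed: check for a bare ' inside the phrase")
            continue
        value = literal.group(1)
        if value in ("", PLACEHOLDER):
            problems.append("SECRET_KEY still holds the shipped placeholder")
        elif value == PUBLISHED_SAMPLE:
            problems.append("SECRET_KEY is the sample value printed in the post, which is public")
        elif len(value) < MIN_LENGTH:
            problems.append(f"SECRET_KEY is shorter than {MIN_LENGTH} characters")
    return problems


# Constructed wp-config.php fragments exercising the cases from the comments.
GOOD_KEY = "constructed-example-key-Qx7pL2vN9wE4rT6yU8iO1aS3dF5gH7jK9"
DEFINE_LINE = f"define('SECRET_KEY', '{GOOD_KEY}');\n"
BOOT_LINE = "require_once(ABSPATH.'wp-settings.php');\n"
GOOD_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wordpress');\n"
    "define('DB_USER', 'wp');\n"
    "define('DB_PASSWORD', 'constructed');\n"
    "define('DB_HOST', 'localhost');\n"
    "define('DB_COLLATE', '');\n"
    + DEFINE_LINE +
    "$table_prefix = 'wp_';\n"
    "define('ABSPATH', dirname(__FILE__).'/');\n"
    + BOOT_LINE +
    "?>\n"
)
PLACEHOLDER_CONFIG = GOOD_CONFIG.replace(GOOD_KEY, PLACEHOLDER)
SAMPLE_KEY_CONFIG = GOOD_CONFIG.replace(GOOD_KEY, PUBLISHED_SAMPLE)
AFTER_CLOSE_CONFIG = GOOD_CONFIG.replace(DEFINE_LINE, "") + DEFINE_LINE  # comments 1 and 15
TRAILING_BLANK_CONFIG = GOOD_CONFIG + "\n\n"  # comment 8
TOO_LATE_CONFIG = GOOD_CONFIG.replace(DEFINE_LINE, "").replace(BOOT_LINE, BOOT_LINE + DEFINE_LINE)  # comment 13
DUPLICATE_CONFIG = GOOD_CONFIG.replace(DEFINE_LINE, DEFINE_LINE * 2)  # comment 19
BAD_QUOTE_CONFIG = GOOD_CONFIG.replace(GOOD_KEY, "abc'def")  # comment 22 with a bare quote
ESCAPED_QUOTE_CONFIG = GOOD_CONFIG.replace(
    GOOD_KEY, "r KGUia,x04j\\'=+IHR(l>;58,*KvJ~+`Ln;03&Zs1m+hy~?bG{es73)n4@]p_9?i")  # comment 22 as generated

if __name__ == "__main__":
    for name, cfg in [("good", GOOD_CONFIG), ("placeholder", PLACEHOLDER_CONFIG),
                      ("after ?>", AFTER_CLOSE_CONFIG), ("too late", TOO_LATE_CONFIG),
                      ("bare quote", BAD_QUOTE_CONFIG), ("escaped quote", ESCAPED_QUOTE_CONFIG)]:
        print(f"{name}: {check_wp_config(cfg) or 'ok'}")
```

Running it against a real file is a matter of `check_wp_config(open("wp-config.php").read())`; an empty list means the define is inside the tags, before wp-settings.php is loaded, present exactly once, well-formed, and not the shipped placeholder or the published sample.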

  23. J. Burkhart, April 26, 2008 2:18 am

    So like maybe give those of us who never made the level of nerd in school a small break and maybe produce an online schematic highlighting where precisely we are supposed to paste our new secret key?

    // Change SECRET_KEY to a unique phrase. You won't have to remember it later,
    // so make it long and complicated. You can visit http://api.wordpress.org/secret-key/1.0/
    // to get a secret key generated for you, or just make something up.
    define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

    Thanks.

  24. April 26, 2008 11:09 am

    Hullo there, I was just wondering if you could tell me if the photo uploading/posting issue with 2.5 and IE has been fixed or is even close to being fixed? My website is half articles and half erotic photography and I am heavily dependent on the ability to be able to post photos without having to try to sneak them onto somewhere puritanical like PhotoBucket. This new “upgrade” has been horrifying thus far, including replacing all of my ASCII symbols with garble — and I have almost 500 posts!!! I am not a web host or developer, so technical instructions do not help me … but please, for the love of all that is creative can you fix the photo posting issue? PLEEEEEEEEEEEEEASE… [yes, I am begging at this point]

  25. April 27, 2008 12:02 am

    I am having the same issue as Pete (“You do not have sufficient permissions to access this page.” in the dashboard after adding the line). Any clue about how to solve this?

    Thanks, EJ

  26. Erik, April 27, 2008 10:30 am

    This article provides information on an important update, but unfortunately the way the information is presented is actually counterproductive.

    Currently, in the example given in this article, it is difficult to see where the random bunch of characters ends and where necessary code begins. Also, leaving that random code there is reckless and will encourage users to simply copy your code, which will create a security vulnerability as mentioned in Comment #3.

  27. Erik, April 27, 2008 3:25 pm

    I am trying to post a better step-by-step HOWTO on this, but your website throws:

    The precondition on the request for the URL /weblog/wp-comments-post.php evaluated to false.

    when I click ‘submit comment.’

  28. April 29, 2008 2:23 am

    Rather than edit all my older blogs by hand (no SECRET_KEY before 2.5), I went and wrote a Plugin to add random keys automatically to my wp-config.php file.

    You’re welcome to download and use it:

    http://ActiveBlogging.com/info/how-to-change-wordpress-secret_key-plugin/

    It will either add a random key (if none is present) or change the current key.

    Comments on it welcome – especially if you feel it needs anything else added…

  29. August 26, 2008 11:38 pm

    For ultimate security, the api link should deliver the code over HTTPS to reduce the chance that it is cached / intercepted. :)

Trackbacks

  1. Añade un grado más de seguridad a tu Wordpress 2.5 | aNieto2K
  2. 2718.us blog - The SECRET_KEY in WordPress
  3. DrYang MedBlog : Stress your weaknesses, not strengths! » Blog Archive » » Cookie Security in WordPress 2.5 boren.nu
  4. Links: Freedom and Security | K-Squared Ramblings
  5. Noticias de Bitacoras.com » Añade más seguridad a WordPress 2.5
  6. 让wordpress2.5的小甜饼干更安全 - 冰古blog
  7. Añadir mas seguridad a Wordpress 2.5 - TheDaVis Blog
  8. Cómo hacer tu blog un poco más seguro » blogpocket 7.0
  9. 升级至wordpress2.5.1 | 简单SEO
  10. Add WordPress SECRET_KEY for Secure Cookies
  11. Erste WordPress 2.5 Sicherheitslücke « Wordpress « Compboard Blog
  12. Añade un grado más de seguridad a tu Wordpress 2.5 « HispaSystem Group Blog
  13. WordPress 2.5.1 Released, But You Can’t Reset Passwords and 2.5.2 is Close Behind; Will You Update? | WordPress Philippines
  14. Asroone - عصرونه » بایگانی وبلاگ » امنیت در وردپرس 2.5
  15. Simon » Blog Archive » Keeping Hands Out of the Cookie Jar
  16. WordPress Wednesday News: WordPress 2.5.1 Released, WordPress 2008 in August, Plugins Contest, 3 Million, WordPress.com Responds to Brail Court Ban, and More : The Blog Herald
  17. WordPress Wednesday News: Which Bookmarklet, WordPress 2.5.1 Mandatory Upgrade, WordPress Plugin Contest, WordCamp 2008 in San Francisco, and WordPress Mugs : The Blog Herald
  18. WordPress Wednesday News: WordPressMU Updated, Press-It Coming Back, WordCamp Milan, WordPress Keys, and Plugin Contest News : The Blog Herald
  19. WordPress Wednesday News: WordCamps Everywhere, Apache Patch for Securer Passwords, WordPress Plugin Contest, and More WordPress News : The Blog Herald
  20. WordPress Wednesday News: WordPress 5 Years Old, WordCamps International, WordPress 2.6 On Track, Plugin Competition is Hot, Genko Updated : The Blog Herald
  21. » SSL and Cookies in WordPress 2.6 Ryan Boren
  22. SSL and Cookies in WordPress 2.6 » 70 Tricks
