Keep the Crackers Guessing with Auto-Updating WordPress Salts and Keys

by Rick Beckman on

Due to my growth & multiple changes in my worldview over the years, this post is considered “archived” and is offered here for historical purposes only. Opinions offered above may not necessarily reflect my current beliefs, though you're still more than welcome to participate in the comments, discussing anything from the post. Thank you for understanding.

Are you a website administrator concerned about the security of your WordPress-based sites? Then you’re going to want to take a moment to read Why WordPress Authentication Unique Keys and Salts Are Important by codeseekah.

In it, codeseekah explains the value of this block of code, which ought to be familiar to anyone who has set up a WordPress site in recent years:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

By making these salts & keys unique to your site, you’re ensuring that it is much, much more difficult for a malicious entity to crack your site’s security by mimicking a logged-in individual.

Toward the end of the article, codeseekah recommends changing your salts & keys every so often — given that these are practically as sensitive as passwords, changing them up every now and again ensures that if there are any compromised cookies out there, they’ll be invalidated and the malicious entity will have to begin anew.

Here is a solution similar to (but not identical, mind you) what I run on my sites:

define( 'SALTY', $_SERVER[ 'HTTP_USER_AGENT' ] . $_SERVER[ 'HTTP_HOST' ] . date( 'F' ) );
define('AUTH_KEY',         SALTY . 'put your unique phrase here');
define('SECURE_AUTH_KEY',  SALTY . 'put your unique phrase here');
define('LOGGED_IN_KEY',    SALTY . 'put your unique phrase here');
define('NONCE_KEY',        SALTY . 'put your unique phrase here');
define('AUTH_SALT',        SALTY . 'put your unique phrase here');
define('SECURE_AUTH_SALT', SALTY . 'put your unique phrase here');
define('LOGGED_IN_SALT',   SALTY . 'put your unique phrase here');
define('NONCE_SALT',       SALTY . 'put your unique phrase here');

What this will do for you is ensure that not only are your salts & keys unique to your site, they’re going to be determined by your users as well, as your users’ browser user-agent will be used in building them.

The above code also ensures that your salts & keys stay fresh, basically auto-updating if your user changes or upgrades their browser (or otherwise causes its user-agent to be modified), if your site’s domain name changes, or when the month changes.

I encourage you to play around with coming up with your own “set it and forget it” list of auto-updating salts & keys. Keep in mind that you’re not going to want to use something which changes too often, unless your site is targeted at an audience using mainly public computers. If the content of your site is sensitive or secure, you might consider using code which updates the salts & keys weekly or even daily, forcing users to validate themselves more often.
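To see concretely what the SALTY recipe above does to a session, here is an added example (mine, not code from the post or from WordPress) that builds the salt from the same three ingredients, derives the eight constants exactly as the wp-config block does, and then signs and re-checks a cookie under the October keys, under a changed user-agent, and under the next month. The helper names (build_salt, derive_keys, sign_cookie, verify_cookie), the sample request arrays and the "alice" cookie are all constructed for this example; the HMAC-over-(key . salt) shape is a simplified stand-in for WordPress's own wp_salt()/wp_hash() and not the real functions. One thing worth keeping in mind while reading it: the user-agent and Host values come from the client on every request, so they contribute variability, not secrecy; the only secret ingredient is still the unique phrase, which here remains the placeholder text and must be replaced with a real random string on a live site.

```php
<?php
// Added example: models how a salt built from user-agent . host . month
// changes the derived keys and therefore invalidates cookies signed under
// the old value. Helper names and sample data are this example's own;
// the HMAC scheme is a simplified model of WordPress's wp_hash(), not the real code.

function build_salt(array $server, string $period): string {
    // Same recipe as the wp-config block: user-agent . host . date('F').
    // $period stands in for date('F') so the example can run deterministically;
    // passing date('W') instead would give the weekly rotation the post mentions.
    return ($server['HTTP_USER_AGENT'] ?? '') . ($server['HTTP_HOST'] ?? '') . $period;
}

function derive_keys(string $salty, string $phrase): array {
    // Mirrors the block above: each constant is SALTY prefixed to the secret phrase.
    $names = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
              'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
    $keys = [];
    foreach ($names as $name) {
        $keys[$name] = $salty . $phrase;
    }
    return $keys;
}

function sign_cookie(array $keys, string $user, int $expires): string {
    // Simplified model: HMAC of "user|expires" keyed with AUTH_KEY . AUTH_SALT.
    $hmac = hash_hmac('sha256', "$user|$expires", $keys['AUTH_KEY'] . $keys['AUTH_SALT']);
    return "$user|$expires|$hmac";
}

function verify_cookie(array $keys, string $cookie): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;
    }
    [$user, $expires, $hmac] = $parts;
    if ((int) $expires < time()) {
        return false; // expired cookie is rejected regardless of signature
    }
    $expected = hash_hmac('sha256', "$user|$expires", $keys['AUTH_KEY'] . $keys['AUTH_SALT']);
    return hash_equals($expected, $hmac); // constant-time comparison
}

// Constructed sample requests (not real traffic). The phrase is the placeholder
// from the post; a live site must use its own random string here.
$phrase  = 'put your unique phrase here';
$october = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/16.0',
            'HTTP_HOST'       => 'example.com'];
$expires = time() + 3600;

$keysOctober = derive_keys(build_salt($october, 'October'), $phrase);
$cookie      = sign_cookie($keysOctober, 'alice', $expires);

// 1. Same browser, same month: the cookie verifies.
var_dump(verify_cookie($keysOctober, $cookie));

// 2. Browser upgraded: the user-agent string changes, so SALTY and every
//    derived key change, and the old cookie no longer verifies.
$upgraded = $october;
$upgraded['HTTP_USER_AGENT'] = 'Mozilla/5.0 (X11; Linux) Firefox/17.0';
var_dump(verify_cookie(derive_keys(build_salt($upgraded, 'October'), $phrase), $cookie));

// 3. Month rolls over: same effect, the session is forced to start anew.
var_dump(verify_cookie(derive_keys(build_salt($october, 'November'), $phrase), $cookie));
```

Run it with the PHP CLI; the first check passes and the other two fail, which is the "auto-updating" behaviour the post describes. Swapping the $period argument for date('W') or date('z') is the knob for the weekly or daily rotation suggested above, and the trade-off is exactly the one the post names: the more often the value changes, the more often every user is signed out.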

{ 2 comments in the conversation. Add yours! }

Steve October 31, 2012 at 20:02

Awesome idea! Thanks.


john cole December 22, 2012 at 15:37

Agreed! Thanks for the great idea!

