Keep the Crackers Guessing with Auto-Updating WordPress Salts and Keys

Are you a website administrator concerned about the security of your WordPress-based sites? Then you're going to want to take a moment to read Why WordPress Authentication Unique Keys and Salts Are Important by codeseekah.

In it, codeseekah explains the value of this block of code, which ought to be familiar to anyone who has set up a WordPress site in recent years:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

By making these salts & keys unique to your site, you're ensuring that it is much, much more difficult for a malicious entity to crack your site's security by mimicking a logged-in individual.

Toward the end of the article, codeseekah recommends changing your salts & keys every so often. Given that these are practically as sensitive as passwords, changing them up every now and again ensures that if there are any compromised cookies out there, they'll be invalidated and the malicious entity will have to begin anew.

Here is a solution similar to (but not identical, mind you) what I run on my sites:

// Request-dependent prefix: the visitor's browser user-agent, the host name
// and the current month name (e.g. "March"). The isset() checks avoid PHP
// notices when a value is absent, such as under WP-Cron or WP-CLI.
define( 'SALTY',
    ( isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '' )
    . ( isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '' )
    . date( 'F' ) );
define('AUTH_KEY',         SALTY . 'put your unique phrase here');
define('SECURE_AUTH_KEY',  SALTY . 'put your unique phrase here');
define('LOGGED_IN_KEY',    SALTY . 'put your unique phrase here');
define('NONCE_KEY',        SALTY . 'put your unique phrase here');
define('AUTH_SALT',        SALTY . 'put your unique phrase here');
define('SECURE_AUTH_SALT', SALTY . 'put your unique phrase here');
define('LOGGED_IN_SALT',   SALTY . 'put your unique phrase here');
define('NONCE_SALT',       SALTY . 'put your unique phrase here');

What this will do for you is ensure that your salts & keys are not only unique to your site but also determined by your users, since each user's browser user-agent is used in building them.

The above code also ensures that your salts & keys stay fresh, basically auto-updating if your user changes or upgrades their browser (or otherwise causes its user-agent to be modified), if your site's domain name changes, or when the month changes.

I encourage you to play around with coming up with your own "set it and forget it" list of auto-updating salts & keys. Keep in mind that you're not going to want to use something which changes too often, unless your site is targeted at an audience using mainly public computers. If the content of your site is sensitive or secure, you might consider using code which updates the salts & keys weekly or even daily, forcing users to validate themselves more often.
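As an added example (not code from the original post), here is one way to build the weekly or daily rotation suggested above: the eight constants are derived with hash_hmac from a single fixed secret plus a period string, so each value is a distinct fixed-length string that changes at the chosen boundary. It assumes a constant WP_SALT_SECRET that you set once in wp-config.php and a WP_SALT_ROTATION of 'month', 'week' or 'day'; it leaves out the user-agent and host inputs from the post's version.

```php
<?php
// Added example, not part of the original post.
// Assumption: WP_SALT_SECRET is a long random string set once in wp-config.php.
define( 'WP_SALT_SECRET', 'replace-with-a-long-random-string' );
// Assumption: rotation period, one of 'month', 'week' or 'day'.
define( 'WP_SALT_ROTATION', 'week' );

function wp_salt_period( $rotation ) {
    // The period string is the only input that changes over time; when it
    // rolls over, every derived key changes and existing cookies stop working.
    switch ( $rotation ) {
        case 'day':
            return date( 'Y-m-d' );
        case 'week':
            return date( 'o-\WW' ); // ISO-8601 year and week number, e.g. 2024-W07
        default:
            return date( 'Y-m' );
    }
}

function wp_derive_salt( $name, $secret, $period ) {
    // HMAC over the constant name and the period: each of the eight values is
    // different, 64 hex characters long, and cannot be reproduced without the secret.
    return hash_hmac( 'sha256', $name . '|' . $period, $secret );
}

$wp_salt_period = wp_salt_period( WP_SALT_ROTATION );
$wp_salt_names  = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);
foreach ( $wp_salt_names as $wp_salt_name ) {
    define( $wp_salt_name, wp_derive_salt( $wp_salt_name, WP_SALT_SECRET, $wp_salt_period ) );
}
```

Because the period is evaluated on every request, the rotation happens on its own at the month, week or day boundary without anyone editing wp-config.php.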


2 responses to “Keep the Crackers Guessing with Auto-Updating WordPress Salts and Keys”

  1. Steve

    Awesome idea! Thanks.

  2. john cole

    Agreed! Thanks for the great idea!


Rick Beckman