Keep the Crackers Guessing with Auto-Updating WordPress Salts and Keys

Are you a website administrator concerned about the security of your WordPress-based sites? Then you’ll want to take a moment to read Why WordPress Authentication Unique Keys and Salts Are Important by codeseekah.

In it, codeseekah explains the value of this block of code, which ought to be familiar to anyone who has set up a WordPress site in recent years:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

By making these salts & keys unique to your site, you ensure that it is much, much harder for a malicious entity to crack your site’s security by mimicking a logged-in user.

Toward the end of the article, codeseekah recommends changing your salts & keys every so often. Since these are practically as sensitive as passwords, rotating them now and again ensures that any compromised cookies out there are invalidated and the malicious entity has to begin anew.

Here is a solution similar to (but not identical, mind you) what I run on my sites:

define( 'SALTY', $_SERVER[ 'HTTP_USER_AGENT' ] . $_SERVER[ 'HTTP_HOST' ] . date( 'F' ) );
define('AUTH_KEY',         SALTY . 'put your unique phrase here');
define('SECURE_AUTH_KEY',  SALTY . 'put your unique phrase here');
define('LOGGED_IN_KEY',    SALTY . 'put your unique phrase here');
define('NONCE_KEY',        SALTY . 'put your unique phrase here');
define('AUTH_SALT',        SALTY . 'put your unique phrase here');
define('SECURE_AUTH_SALT', SALTY . 'put your unique phrase here');
define('LOGGED_IN_SALT',   SALTY . 'put your unique phrase here');
define('NONCE_SALT',       SALTY . 'put your unique phrase here');

This ensures not only that your salts & keys are unique to your site, but also that they vary per user, since each user’s browser user-agent (together with your site’s host name and the current month) goes into building them.

The above code also keeps your salts & keys fresh: they effectively auto-update whenever a user changes or upgrades their browser (or otherwise causes its user-agent string to change), whenever your site’s domain name changes, and whenever the month rolls over.
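As an added illustration (not code from the post or from WordPress), here is a small Python model of how a login cookie signed under the SALTY-prefixed key material stops validating as soon as any component of that prefix changes. The HMAC construction, the sample user-agent, host name and dates, and the site secret are all constructed assumptions for the demo, not WordPress’s actual cookie format.

```python
import hashlib
import hmac
from datetime import date

# Constructed secret standing in for the "put your unique phrase here" part of the defines.
SITE_SECRET = b"constructed-unique-phrase-for-this-example"


def salty(user_agent: str, host: str, when: date) -> str:
    """Model of the post's SALTY define: user-agent . host . full month name (PHP date('F'))."""
    # HTTP_USER_AGENT and HTTP_HOST are request headers sent by the client,
    # so the same client must present the same values for its cookie to verify.
    return user_agent + host + when.strftime("%B")


def derive_key(user_agent: str, host: str, when: date) -> bytes:
    """Key material as the post builds it: SALTY prefixed onto the site's unique phrase."""
    return salty(user_agent, host, when).encode() + SITE_SECRET


def mint_cookie(username: str, expiry: int, user_agent: str, host: str, when: date) -> str:
    """Issue a login cookie: username|expiry plus an HMAC under the key material in force now."""
    payload = f"{username}|{expiry}"
    mac = hmac.new(derive_key(user_agent, host, when), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def cookie_valid(cookie: str, user_agent: str, host: str, when: date) -> bool:
    """Verify a presented cookie against the key material in force at verification time."""
    try:
        username, expiry, mac = cookie.split("|")
    except ValueError:
        return False  # malformed cookie
    payload = f"{username}|{expiry}"
    expected = hmac.new(derive_key(user_agent, host, when), payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def demo() -> dict:
    """Mint one cookie in March and check it under each change the post says rotates the keys."""
    ua, host = "Mozilla/5.0 (constructed UA)", "example.com"
    march, april = date(2024, 3, 15), date(2024, 4, 1)
    cookie = mint_cookie("alice", 1_800_000_000, ua, host, march)
    return {
        "same_month": cookie_valid(cookie, ua, host, march),            # still valid
        "next_month": cookie_valid(cookie, ua, host, april),            # month rolled over
        "browser_upgraded": cookie_valid(cookie, ua + " v2", host, march),  # user-agent changed
        "domain_changed": cookie_valid(cookie, ua, "example.org", march),   # host changed
    }
```

Only the first check succeeds; every other change silently invalidates the cookie, which is the forced re-login the post describes.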

I encourage you to play around with coming up with your own “set it and forget it” list of auto-updating salts & keys. Keep in mind that you won’t want to use something that changes too often, unless your site is aimed at an audience using mainly public computers. If the content of your site is sensitive or secure, you might consider code that updates the salts & keys weekly or even daily, forcing users to re-authenticate more often.


the Rick Beckman archive