Everything about WordPress Security Keys

Jan 17, 2014

Everything about WordPress Security Keys

Jan 17, 2014

What are WordPress security Keys?

WordPress manages login sessions by storing the information in cookies instead of using PHP sessions. These cookies are secured by calculating a special hash of the username, password and “a long random string”. These “long random strings” used to calculate the cookie hash are called WordPress Security Keys. They are configured in the wp-config.php files. When a fresh WordPress site is setup the security keys look like this:


define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
define(‘AUTH_SALT’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
define(‘NONCE_SALT’, ‘put your unique phrase here’);


Why should you set them on your site?

These keys play a big role in securing the cookies of a site. Without them it will be relatively easy for anyone to enter a WordPress site. Hence, while setting up a new site, it is recommended that the above default keys are replaced with a randomly generated one. The keys should be very long and very difficult to guess to be most effective.

How do they work?

The following article describes the process of calculating cookies using Secret Keys in detail.

How to we generate random values for keys?

Coming up with random strings can be tedious. A service is provided by WordPress Foundation which generates random values for security keys. The keys can be randomly generated by visiting the following link:


You can copy the keys from the link above and replace them in your wp-config.php file. For example:



define(‘AUTH_KEY’, ‘g<z98-8lX|(5.DTVVFC*G O&G:R`utiR%B#,N8l7G:E2]+#n-{i?%yisDf_UIK(7’);
define(‘SECURE_AUTH_KEY’, ‘}UH1y+&Qqf]]@6&|/W,9}mTtF<F{|xzaVakp>9UvlwH$ .6&Yn[<q/W$+6?i*zKU’);
define(‘LOGGED_IN_KEY’, ‘TJBE.sz{QNLl>c-oU{^G!xj%{t-ab+h{;|a@m#n7w0iNL-dp9OCV4AWucLQz3+z/’);
define(‘NONCE_KEY’, ‘k?}x=cwsif@rb[Sc,-f5=33R$J|Qh}cJOpEA`Bm9!G|-P]}K`=EbDTw.k/wbcQ+-‘);
define(‘AUTH_SALT’, ‘{nU:W(cOx+fRY+zhHXZ|l<1R?Edp$)v|QZ su6r++Ln3eisWq<Zi{QKS&x,DRfA+’);
define(‘SECURE_AUTH_SALT’, ‘~kX[L4;|O(A% _gQ_*TXHPlE@6f^Z~-pE#T}N?tBzKwYL-,.q5{L|p9<V+S`-RG]’);
define(‘LOGGED_IN_SALT’, ‘-:Bs5&X(/+(.|f(:GfcU+w/kbq2_o%W{{bbS%&|JIGR5I1sWwD-Y3Frko>yMn*$<‘);
define(‘NONCE_SALT’, ‘Lo%|>Ai6gS7[NqgVcW.mtq-4O0s^b|} ;c9nRXdf/jQ[n!> OSQc^Kmo-kk+aw{!’);


What if I don’t set random Security Keys?

Given the importance of security keys, failing to replace these keys with random values can end up being a major security issue. In such situations, WordPress will generate its own keys, and store it in the options table in the database. If the keys are placed in the wp-config.php file at a later point, WordPress will override the values present in the database.

If WordPress auto-generates them, then why do it manually?

Inserting your own secret key is better for security. The cookies are created by combining the password hash and the secret keys. The password hash is stored in the database. Consider a situation where a hacker is able to access the contents of your database but not the files. In such a situation both the password hash and the secret key will be visible to the hacker. This will make it very easy for the hacker to get complete access to your site.

However, by storing the secret keys into the config file, they will need access to both the database and the files to be able to gain admin access for your site. Hence it is a good practice to keep the keys in the config file.

Do I have to remember these Security Keys?

No, once you place them in wp-config.php file, you do not need to remember them any more. You can change these values at any time, without having a major impact on your site.

What happens if you change them? Is it safe? Will it reset your passwords?

It is perfectly safe to change the Security Keys. They can be changed by replacing the existing values in the config file with a newly generated set of keys. When the keys are changed all cookies will be invalidated. All existing login sessions will be discarded, and the users will need to login again.

The security keys are also used to create nonces used in WordPress. Hence these too will be invalidated.

Finally, changing the security keys will not affect the user passwords in any way.

Why should you change them when your site gets hacked?

When a site gets hacked all data within the site can be considered to be compromised. One of the first recommendations is to change all passwords. However, as mentioned above, the security keys are even more important. If the hackers have the security keys, they can regain access to the site even if the passwords have been changed.

Hence it is important to change the security keys along with the passwords when a site gets hacked.



The older versions of WordPress had only a single key called SECRET_KEY. In the 2.5 release the newer keys were added. However for sake of backward compatibility the SECRET_KEY is still honoured. If only SECRET_KEY is defined then, it is used to calculate the hash.

Why are there both Keys and Salts?

Keys and salts are both combined to create the final hash.

Would love your thoughts, please comment.x