HOW TO: Update WordPress Secret Keys

WordPress Secret Keys are kinda similar to passwords, harder the better. Which is tough to crack? This one “3gFi67dfads8FnU9” or something like “welcome”, “password”, etc.

In the WordPress 2.6, three security keys, AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY, were added to ensure better encryption of information stored in the user’s cookies. WordPress Secret Keys are normally used for better Cookie Security. It makes cookies secure against attacks like when someone hacked into your database via an SQL injection exploit or some other tactics, etc.

Example of WordPress Secret Keys [Don’t Use This]

The 8 security keys are AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY with respective salts AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT. They will make your site is harder to hack and crack by hackers.

These keys are required for the enhanced security. The four salts are recommended, but are not required, because WordPress will generate salts for you if none are provided. They are included in wp-config.php by default for inclusiveness.

Updating WordPress Secret Keys

Open wp-config.php file using any of your favorite file editor, I would recommend Notepad++. Find the default secret keys.

Now use the new Secret Code Generator for getting the secret keys, just copy and replace them. Don’t forget to save the file!

Also do remember changing these values will invalidate all existing cookies and logout all WordPress users (including admin) on your site. Who knows, even some hackers will lose their access to your account.

Updating WordPress secret keys is one of the most recommended WordPress Security Tips. If you are not comfortable with editing wp-config.php or facing any issues, you can ask someone you trust to do that for you, because simple mess in wp-config.php can collapse your entire site.