Configure the WordPress Unique Authentication Keys & Salts

Using unique WordPress authentication keys and sales is very important to ensure a more secure WordPress. Also known as the WordPress security keys, they are used by WordPress to ensure better encryption of information stored in a user’s cookies when logged in to a WordPress website or blog. They also have better support for when visiting the WordPress dashboard over SSL.

This article explains what the WordPress unique authentication keys and salts (WordPress security keys) are, how they work and how to configure them.

How are the Authentication Unique Keys and Salts Used?

Like with almost any other web application, when you login to WordPress it creates a number of cookies on your computer. Two of the cookies created are:

The first  cookie is used only in the admin pages (WordPress dashboard) while the second cookie is used throughout WordPress to determine if you are logged in to WordPress or not. Note: [hash] is a random hashed value typically assigned to your session, therefore in reality the cookies name would be something like wordpress_ffc02f68bc9926448e9222893b6c29a9.

WordPress stores your authentication details (i.e. WordPress username and password) in both of the above mentioned cookies. The authentication details are hashed, hence it is almost impossible for anyone to reverse the hash and guess your password through a cookie should it be stolen. By almost impossible it also means that with today’s computers it is practically unfeasible to do so.

The authentication details in these cookies are hashed using the random pattern specified in the WordPress security keys.

What are WordPress Security Keys and Salts?

WordPress security keys are made up of four authentication keys and four hashing salts (random data) that when used together they add an extra layer to your cookies and passwords. Below is a screenshot of already configured WordPress security keys in the wp-config.php file (do not use the below sample for your installation):

If the WordPress security keys are not yet configured, they look as per the below screenshot in the wp-config.php file:

A Little Bit of WordPress Security Keys History

There are 8 WordPress security keys but not all of them have been introduced at the same time. Below is a list highlighting when each of the key or salt has been introduced:

Configuring WordPress Security Keys

To configure the WordPress security keys in wp-config.php file, follow the below procedure:

WordPress Authentication Unique Keys and Sales Notes

Improved WordPress Security

Configuring WordPress security keys is a very important step of securing your WordPress. Also should you ever doubt that your WordPress cookies have been stolen and your session is hijacked, change the WordPress security keys so the attacker’s cookies are invalidated and cannot be used to hijack your account.

This content was originally published here.