Secret Key

Ok… so I’m a WordPress + Php functions idiot.  I have no idea how all these codes work.  All I know is how to play about with the features as provided for in my yahoo domain server and get the blog to post the stuff I write.

I have no idea why my WordPress version isn’t automatically upgraded even though I set it to be auto-upgraded.  My WP is still stuck at ver 2.0.2 and based on what I’ve read so far, using a web FTP server to upload all the files, plus all the extra time I’ll need to "trial and error" my way through, it’s going to take me AGES to upgrade everything properly.

While going through the notes however, I came across this "secret key" thing that should help strengthen the blog.  Here’s what I found (and added)…


Add the SECRET_KEY definition to wp-config.php

If there is not a SECRET_KEY define statement in your wp-config.php file, add one. Beginning with Version 2.5, a SECRET_KEY for salting (strengthening) user passwords was added to the wp-config.php file. To improve the chances your user passwords are not ‘hacked’ here’s an example of the line to add to your wp-config.php file:

define('SECRET_KEY', 'RF63k93hb9shj3klvbn37sjd9a9n"'); // Change this to a unique phrase.

It is most important to change the default SECRET_KEY value to something other than ‘put your unique phrase here’. Visit the WordPress secret key generation site to get a SECRET_KEY generated for you.

Released with Version 2.5, this new, optional entry, called SECRET_KEY, causes better encryption of information stored in the user’s cookies. The secret key is a unique phrase.

// Change SECRET_KEY to a unique phrase.  You won't have to remember it later,
// so make it long and complicated.  You can visit
// to get a phrase generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

Here’s a detailed explanation on the wp-hackers email list from Mark Jaquith in response to the question, "What is the SECRET_KEY for?"

It is a hashing salt that is not readable through the database. "And what is a salt?" A salt is something that adds randomness to a hash input and makes it much harder to crack. For example:

In these examples, consider that the password is "test", but that the cracker does not know this (indeed, this is what he’s trying to determine). And yes, I’m glossing over some stuff, but this is the simplistic explanation.

Easy to crack: md5(‘test’);

Since ‘test’ is a short dictionary word, crackers who have the output hash can easily use rainbow tables (dictionary lookup table) to crack that password in seconds, or minutes.

Harder to crack: md5(‘test’ . $known_salt);

In this case, the cracker has to generate a new rainbow table that adds the $known_salt value to their table’s hashes. This slows them down.

Even harder to crack: md5(‘test’ . $unknown_salt);

In this case, they don’t know the salt. And since a good salt is something very random, like "888a7da62429ba6ad3cb3c76a09641fc" — they can’t use rainbow tables to help them. They have to just "brute force" their way through all the possible combinations. This is a huge hurdle. Something that might take 10 minutes before could now take years.


Really hope this stops any backdoor entry into my blog by hackers.  Sigh.  🙁