
Simple wp-config changes to increase security and aid code debugging

February 9, 2010

Both my intermediate and advanced tips this week are simple changes you can make to your site’s wp-config.php file. One change will enhance your site’s security while the other will greatly help you as you make code changes.

Set up custom security keys

There are four security keys in your site’s wp-config.php file: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY. Each of these keys is a salt, which is used to make it more difficult for people to try to compromise your site’s security. The first three keys are used to increase the security of the cookies that store your user login information. The last key is used to make the nonces generated by WordPress more difficult to break.

While all of this sounds very complicated, it’s actually very easy to modify these keys to improve your site’s security. Simply follow these steps:

  1. Visit this security key generator and copy the four lines it generates. Here’s an example:
    define('AUTH_KEY',        'Ch&6gygN- DB,PQj>A9,zF>gR1l&vz+.GMeI%^^&e$ZN)LoM^qC>+IS5<L+$p x/');
    define('SECURE_AUTH_KEY', 'IP64|yg=/vgv[Jc3}jvu|U6)?!@riBbXnO(%_gFM5 ffLzd$e{C@AT)YtS^[8Kd}');
    define('LOGGED_IN_KEY',   '*-dn7Dhyq-k8n&?LS,mM{*WPA98/JnnIi):_2Q$QrWdz!]?$tP>,R&tW GGj<t.]');
    define('NONCE_KEY',       ';{_U$}|6B&z[N,NyvfZ+WY[d+{OB$|.kE/iJ3<m~A~~|aM>;@0^4mJ]rGUp7P#{-');

    Don’t use these keys. The idea of this process is to generate keys unique to your site, which is what the key generator offers, so make sure you visit the site and copy what it gives you rather than using what I have here.

  2. Open up your site’s wp-config.php file.
  3. Find the current listing for these keys. If they haven’t been changed yet, they will look something like the following:
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');

    If your wp-config.php file was set up a while ago, the last line might be missing.

  4. Replace the existing key definitions with the ones that you copied earlier.
  5. Save your wp-config.php file and test to ensure that your site still works.
  6. You will have to log in again once you have made this change as it will reset all your authentication cookies.

You’re done. Now if someone tries to attack your site using cookies or by exploiting nonces, they are going to have a much harder time.

Improve code debugging with WP_DEBUG

This tip is geared more for people that are doing more advanced modifications, so if you aren’t doing a large amount of coding, it may not benefit you much.

By default, WordPress will hide errors and warnings from you. If you make changes to code, this can make figuring out what you messed up extremely difficult. Fortunately, the WP_DEBUG define enables the display of these errors and warnings.

  1. Open up your site’s wp-config.php file.
  2. Find the following line:
    define('DB_COLLATE', '');
  3. Add a couple of blank lines and then paste in the following:
    define('WP_DEBUG', true);

    This can actually be added anywhere after the <?php line at the top of the file. I typically put changes after DB_COLLATE as it’s easy to remember where I put all my modifications.

  4. Save the file and test to ensure that your site still works.

Keep in mind that warnings and errors that appear on the front-end of your site will show up for everyone, including your site’s visitors.
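
As an added example (not code from the original post or from WordPress), the following Python script audits a wp-config.php for both settings covered above: security keys that are missing, still set to the placeholder, or shared between keys, and a WP_DEBUG that was left enabled. The function name audit_wp_config and the sample config are constructed for illustration.

```python
import re

KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"

# define('NAME', 'value'); with either quote style. The value is matched lazily
# up to the closing quote + ");" because generated keys may contain ")" or ";".
DEFINE_STR = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")
DEBUG_ON = re.compile(r"""define\(\s*['"]WP_DEBUG['"]\s*,\s*true\s*\)\s*;""", re.I)

def audit_wp_config(text):
    """Return a sorted list of (name, problem) findings for a wp-config.php body."""
    # Ignore lines that are entirely commented out; key values themselves can
    # contain "//" or "#", so comments are only recognised at line start.
    live = [l for l in text.splitlines()
            if not l.lstrip().startswith(("//", "#", "*", "/*"))]
    body = "\n".join(live)
    values = {m.group(1): m.group(3) for m in DEFINE_STR.finditer(body)}
    findings = []
    for key in KEYS:
        if key not in values:
            findings.append((key, "missing"))
        elif values[key] == PLACEHOLDER:
            findings.append((key, "placeholder"))
        elif sum(values.get(k) == values[key] for k in KEYS) > 1:
            findings.append((key, "value reused by another key"))
    if DEBUG_ON.search(body):
        findings.append(("WP_DEBUG", "enabled: errors are shown to visitors"))
    return sorted(findings)

# Constructed sample: an older config with no NONCE_KEY, one untouched
# placeholder, two replaced keys, and WP_DEBUG left on.
SAMPLE = """<?php
define('DB_COLLATE', '');

define('WP_DEBUG', true);
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'constructed-sample-value-1 (not a real key) x)Y;z');
// define('NONCE_KEY', 'commented out, so it does not count');
define('LOGGED_IN_KEY', 'constructed-sample-value-2 (not a real key)');
"""

if __name__ == "__main__":
    for name, problem in audit_wp_config(SAMPLE):
        print(f"{name}: {problem}")
```

Run it against a copy of the file before and after following the steps; an empty result means all four keys are set to distinct, non-placeholder values and WP_DEBUG is off.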

Categories: Blog, Chris' Tips

