Security Keys in WordPress are strings of random characters used for authorization and encryption of cookies generated by WordPress. These security keys can be defined by the user in the wp-config.php file at any point in time. During initial installation, a user does not need to provide these keys to install or run WordPress. If a user does not provide these keys in their wp-config.php file, WordPress automatically generates them.
Example:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
Important: You must generate your own unique security key from the WordPress key generator.
Generate Your Unique Security Key
The benefit of including these keys is that by deleting or resetting them a WordPress admin can force logout for all logged in users.
There are currently four security keys: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY. To further strengthen these keys, a layer of SALTs is added to them, which is kind of like an extra password for these keys.
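An admin can check whether a wp-config.php still carries the placeholder phrase, reuses a value, or lacks a key before deciding to reset. The script below is an added example, not WordPress or wpbeginner code; the function names, the 64-character minimum and the sample input are assumptions made for illustration.

```python
import re
import secrets
import string

# Constant names as listed in the wp-config.php example on this page.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 64  # assumption for this example: flag anything shorter
# Matches define('NAME', 'value'); with single or double quotes.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")

def audit_keys(config_text):
    """Return {constant_name: problem} for every key that needs attention."""
    found = {name: value for name, _, value in DEFINE_RE.findall(config_text)
             if name in KEY_NAMES}
    problems = {}
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif list(found.values()).count(value) > 1:
            problems[name] = "duplicate"
        elif len(value) < MIN_LENGTH:
            problems[name] = "short"
    return problems

def fresh_defines():
    """Build replacement define() lines from the OS CSPRNG (no quotes or backslashes)."""
    alphabet = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"
    return "\n".join(
        "define('%s', '%s');" % (name, "".join(secrets.choice(alphabet) for _ in range(64)))
        for name in KEY_NAMES)

# Constructed sample input, not a real configuration file.
SAMPLE = """
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'hunter2');
define('LOGGED_IN_KEY', 'hunter2');
define('NONCE_KEY', 'tooshort');
"""

if __name__ == "__main__":
    print(audit_keys(SAMPLE), fresh_defines(), sep="\n")
```

Replacing the flagged lines with the output of fresh_defines() has the effect described above: every logged-in user is forced to log in again.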
This post was originally published in the wpbeginner glossary.