Your WordPress Site Can Get Hacked If You Don't Have This

May 26, 2009 • general, wordpress

I helped another person whose WordPress site was hacked this weekend. I've noticed a trend about sites that get hacked. Most of the people installed their WordPress blog either long ago, before the right security phrases were included in the wp-config.php file, or they installed WordPress through an auto-installer that didn't insert the right security phrases.

The wp-config.php file is the key file that contains your database name and password. It's the file that makes the WordPress files talk with your MySQL database, where all your posts and pages are stored. wp-config.php has also been upgraded with stronger security phrases over the past couple of years.

If you have a self-hosted WordPress site, FTP into your root directory and download the wp-config.php file. Then download the latest copy of WordPress and compare the wp-config-sample.php file in the WordPress download with your version of wp-config.php. After the database name, username, and password details, there should be a section of security phrases that looks as follows:

/**
 * Change these to different unique phrases!
 * You can generate these using the {@link secret-key service}
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

If you don't have these security phrases, just go to the URL provided and the site will automatically generate random, difficult strings for each of the security phrases. Paste the phrases into your file.

Note: Even if you have the latest version of WordPress (2.7.1), if you've been upgrading for the last couple of years, you might have omitted upgrading the wp-config.php file, since the upgrade instructions say to leave it alone. If so, check to see if you have all the security phrases in there.

I'm sure there are dozens of ways to hack a WordPress site, but certainly not having these security phrases puts your site at risk.

Caution: While you're editing the wp-config.php file, make sure you don't have any extra spaces at the bottom of the file. If there is even one extra space after the closing ?> tag, PHP sends it as output before the HTTP headers, and your site will show a "headers already sent" error. Also, if you add the character set enforcement at the top, you may suddenly see odd characters on your site where apostrophes and other punctuation marks appear. Enforcing a character set is optional.
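The two checks above (the four security phrases and the stray whitespace after the closing tag) can be done against a downloaded wp-config.php in one pass. This is an added example and not code from the original post or from WordPress; the key names and placeholder text are the ones shown above, the sample file is constructed, and the 32-character minimum is an assumption.

```python
import re, secrets, string

REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""")
# No quotes, backslash, $ or <>: safe in a single-quoted PHP string, can't form '?>'.
ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}:;,.?/|~"

def generate_key(length=64):
    """Fresh random phrase from the OS CSPRNG, like the secret-key service gives."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def weak(value):  # assumed threshold: placeholder text or under 32 characters
    return value == PLACEHOLDER or len(value) < 32

def audit_wp_config(text):
    """List what is wrong with the given wp-config.php contents."""
    defined = dict(DEFINE_RE.findall(text))
    problems = []
    for key in REQUIRED_KEYS:
        if key not in defined:
            problems.append(f"{key}: missing")
        elif weak(defined[key]):
            problems.append(f"{key}: placeholder or too short")
    # PHP swallows one newline after '?>'; anything more is output sent before headers.
    end = text.rfind("?>")
    if end != -1 and text[end + 2:] not in ("", "\n", "\r\n"):
        problems.append("whitespace after ?> (causes 'headers already sent')")
    return problems

def fix_wp_config(text):
    """Replace weak keys, add missing ones, strip junk after the closing tag."""
    def replace(m):  # keys that are already strong are left alone
        name, value = m.group(1), m.group(2)
        if name in REQUIRED_KEYS and weak(value):
            return f"define('{name}', '{generate_key()}');"
        return m.group(0)
    text = DEFINE_RE.sub(replace, text)
    have = dict(DEFINE_RE.findall(text))
    missing = "".join(f"define('{k}', '{generate_key()}');\n"
                      for k in REQUIRED_KEYS if k not in have)
    end = text.rfind("?>")
    if end == -1:
        return text.rstrip() + "\n" + missing
    return text[:end] + missing + "?>\n"

# Constructed sample: two placeholder keys, two missing, a stray space after '?>'.
SAMPLE = ("<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_PASSWORD', 'constructed');\n"
          "define('AUTH_KEY', 'put your unique phrase here');\n"
          "define('SECURE_AUTH_KEY', 'put your unique phrase here');\n"
          "$table_prefix = 'wp_';\n?>\n \n")
```

Run audit_wp_config on the file contents to see what is wrong, and fix_wp_config to get a corrected copy to upload; regenerating the keys logs every user out, which is the intended effect after a compromise.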


About Tom Johnson


I'm a technical writer based in the California San Francisco Bay area. Topics I write about on this blog include technical writing, authoring and publishing tools, API documentation, tech comm trends, visual communication, technical writing career advice, information architecture and findability, developer documentation, and more. If you're a professional or aspiring technical writer, be sure to subscribe to email updates using the form above. You can learn more about me here.