Your WordPress Site Can Get Hacked If You Don't Have This

by Tom Johnson on May 26, 2009
categories: technical-writing wordpress

I helped another person whose WordPress site was hacked this weekend. I've noticed a trend about sites that get hacked. Most of the people installed their WordPress blog either long ago, before the right security phrases were included in the wp-config.php file, or they installed WordPress through an auto-installer that didn't insert the right security phrases.

The wp-config.php file is the key file that contains your database name and password. It's the file that makes the WordPress files talk with your MySQL database, where all your posts and pages are stored. wp-config.php has also been upgraded with stronger security phrases over the past couple of years.

If you have a self-hosted WordPress site, FTP into your root directory and download the wp-config.php file. Then download the latest copy of WordPress from and compare the wp-config-sample.php file in the WordPress download with your version of wp-config.php. After the database, username, and password details, there should be a section of security phrases that looks as follows:

/**
 * Change these to different unique phrases!
 * You can generate these using the {@link secret-key service}
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

If you don't have these security phrases, just go to the URL provided and the site will automatically generate random, difficult strings for each of the security phrases. Paste the phrases into your file.

Note: Even if you have the latest version of WordPress (2.7.1), if you've been upgrading for the last couple of years, you might have omitted upgrading the wp-config.php file, since the upgrade instructions say to leave it alone. If so, check to see if you have all the security phrases in there.

I'm sure there are dozens of ways to hack a WordPress site, but certainly not having these security phrases puts your site at risk.

Caution: While you're editing the wp-config.php file, make sure you don't have any extra spaces at the bottom of the file. For some reason, if you have even one extra space at the bottom, your site will show a "headers already sent" error. Also, if you add the character code enforcement at the top, you may suddenly see funny characters on your site where apostrophes and other punctuation marks appear. Enforcing a character set is optional.
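The comparison described above (are the four security phrases present, and are they still the sample placeholders?) and the trailing-whitespace caution can both be checked mechanically before touching the live file. The script below is an added example written for this post, not code from WordPress or from the author: it parses the define() lines of a wp-config.php, reports each required key as missing, placeholder, weak or ok, generates replacement phrases locally as an offline stand-in for the online generator, and flags stray bytes outside the PHP tags that would trigger the "headers already sent" error. The 32-character minimum and the sample configs are this example's own assumptions.

```python
"""Audit a wp-config.php for the WordPress 2.6+ security phrases and for
stray output outside the PHP tags (added example, not from the original post)."""
import re
import secrets
import string

# The four security phrases wp-config-sample.php has carried since WordPress 2.6.
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"

# Matches define('NAME', 'value'); with either quote style and optional spaces,
# including the "define ('AUTH_KEY', ...)" spacing shown in the post.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)


def parse_defines(config_text):
    """Return {NAME: value} for every define('NAME', 'value'); in the file."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def audit_keys(config_text, min_length=32):
    """Classify each required key as 'missing', 'placeholder', 'weak' or 'ok'.
    min_length is this example's own threshold, not a WordPress requirement."""
    defines = parse_defines(config_text)
    report = {}
    for key in REQUIRED_KEYS:
        value = defines.get(key)
        if value is None:
            report[key] = "missing"        # old install: the define is absent
        elif value == "" or value == PLACEHOLDER:
            report[key] = "placeholder"    # auto-installer left the sample text
        elif len(value) < min_length:
            report[key] = "weak"
        else:
            report[key] = "ok"
    return report


def generate_phrase(length=64):
    """Random phrase from the OS CSPRNG. The alphabet deliberately omits the
    single quote and backslash so the value drops into a single-quoted PHP
    string without escaping."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.:;"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_fixes(report):
    """Return define() lines for every key whose status is not 'ok'."""
    return "\n".join(
        f"define('{key}', '{generate_phrase()}');"
        for key, status in report.items() if status != "ok"
    )


def has_stray_output(config_text):
    """True if bytes outside the PHP tags would be emitted before headers:
    a BOM or blank line before <?php, or anything after ?> other than the
    single newline PHP itself swallows."""
    if not config_text.startswith("<?php"):
        return True
    close = config_text.rfind("?>")
    if close == -1:
        return False                       # no closing tag: nothing can trail it
    rest = config_text[close + 2:]
    if rest.startswith("\r\n"):
        rest = rest[2:]
    elif rest.startswith("\n"):
        rest = rest[1:]
    return rest != ""


# Constructed sample files for the situations the post describes.
SAMPLE_OLD = ("<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wp');\n"
              "define('DB_PASSWORD', 'hunter2');\n")
SAMPLE_AUTOINSTALL = SAMPLE_OLD + "".join(
    f"define ('{k}', '{PLACEHOLDER}');\n" for k in REQUIRED_KEYS
)
SAMPLE_FIXED = SAMPLE_OLD + "".join(
    f"define('{k}', '{k.lower()}-" + "x" * 60 + "');\n" for k in REQUIRED_KEYS
)
SAMPLE_TRAILING = SAMPLE_FIXED + "?> "     # one stray space after the closing tag

if __name__ == "__main__":
    for name, text in [("old", SAMPLE_OLD), ("auto-installer", SAMPLE_AUTOINSTALL),
                       ("fixed", SAMPLE_FIXED), ("trailing space", SAMPLE_TRAILING)]:
        print(name, audit_keys(text), "stray output:", has_stray_output(text))
    print("suggested lines for the old config:\n" + render_fixes(audit_keys(SAMPLE_OLD)))
```

Run it against a downloaded copy of your own wp-config.php by reading the file into audit_keys() and has_stray_output(); paste the lines from render_fixes() into the file only for keys reported as missing or placeholder, since changing an existing valid key logs every user out.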
