Your WordPress Site Can Get Hacked If You Don't Have This

by Tom Johnson on May 26, 2009
categories: technical-writing wordpress

I helped another person whose WordPress site was hacked this weekend. I've noticed a trend about sites that get hacked. Most of the people installed their WordPress blog either long ago, before the right security phrases were included in the wp-config.php file, or they installed WordPress through an auto-installer that didn't insert the right security phrases.

The wp-config.php file is the key file that contains your database name and password. It's the file that makes the WordPress files talk with your MySQL database, where all your posts and pages are stored. It is also where WordPress keeps the secret "security phrases" (the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY constants) that it uses to sign login cookies and nonces, and wp-config-sample.php has gained stronger security phrases over the past couple of years.

If you have a self-hosted WordPress site, FTP into your root directory and download the wp-config.php file. Then download the latest copy of WordPress and compare the wp-config-sample.php file in the WordPress download with your version of wp-config.php. After the database name, username, and password details, there should be a section of security phrases that looks as follows:

/**
 * Change these to different unique phrases!
 * You can generate these using the {@link secret-key service}
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

If you don't have these security phrases, or if they still read "put your unique phrase here", open the secret-key service URL linked in that comment of wp-config-sample.php. The service generates a long, random string for each of the four constants and returns them as ready-to-paste define() lines. Paste those lines into your wp-config.php in place of the missing or placeholder ones. One caveat: changing the keys invalidates every existing login cookie, so anyone currently logged in (including you) will have to log in again.

Note: Even if you have the latest version of WordPress (2.7.1 at the time of writing), if you've been upgrading for the last couple of years you may never have touched wp-config.php, since the upgrade instructions say to leave it alone. If so, check whether all four security phrases are in there.

I'm sure there are dozens of ways to hack a WordPress site, but certainly not having these security phrases puts your site at risk.

Caution: While you're editing the wp-config.php file, make sure you don't leave any extra spaces or blank lines after the closing ?> tag at the bottom of the file. PHP sends anything after ?> to the browser as page output, so even one stray space means WordPress can no longer set cookies or redirect, and your site shows a "headers already sent" error. Delete everything after ?>, or remove the closing ?> tag altogether, which is the safer choice. Also, if you add the database character set define (DB_CHARSET, near the top of the file) to a site that was created without one, you may suddenly see funny characters where apostrophes and other punctuation should appear, because the existing tables were stored under a different character set. Enforcing a character set is optional; leave it as it was on an older database.
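The check described above (are the four security phrases present, and are they still the sample placeholder?) and the trailing-whitespace caution can both be done offline against the wp-config.php you downloaded. The script below is an added example, not code from the original post or from WordPress itself. It assumes the file uses single- or double-quoted define() calls as wp-config-sample.php does; the MIN_KEY_LENGTH threshold, the 64-character key length, and the SAMPLE_CONFIG text are constructed for illustration and are not values taken from the page.

```python
import re
import secrets
import string

# The four constants the article tells you to look for in wp-config.php.
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"   # the value shipped in wp-config-sample.php
MIN_KEY_LENGTH = 32                           # assumption: shorter values are flagged as weak
KEY_LENGTH = 64                               # assumption: length of generated replacement keys

# Matches define('NAME', 'value'); and tolerates the spacing variants seen in the wild,
# e.g. define ('AUTH_KEY', '...') with a space before the parenthesis.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)

# Characters that need no escaping inside a PHP single-quoted string (no quotes, no backslash).
KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~`+=,.;:/?|"


def parse_defines(config_text):
    """Return {constant_name: value} for every define() found in the file."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def audit_keys(config_text):
    """Return a list of problems with the security phrases (empty list means all four look fine)."""
    defines = parse_defines(config_text)
    problems = []
    for name in REQUIRED_KEYS:
        value = defines.get(name)
        if value is None:
            problems.append(f"{name}: missing")
        elif value == PLACEHOLDER:
            problems.append(f"{name}: still set to the sample placeholder")
        elif len(value) < MIN_KEY_LENGTH:
            problems.append(f"{name}: only {len(value)} characters")
    return problems


def trailing_output_after_close_tag(config_text):
    """True if anything would be sent to the browser after the closing ?> tag.

    PHP swallows exactly one newline directly after ?>; any further whitespace or
    text is output, which is what triggers the 'headers already sent' error.
    """
    idx = config_text.rfind("?>")
    if idx == -1:
        return False            # no closing tag at all, so nothing can leak
    tail = config_text[idx + 2:]
    if tail.startswith("\r\n"):
        tail = tail[2:]
    elif tail.startswith("\n"):
        tail = tail[1:]
    return tail != ""


def generate_key(length=KEY_LENGTH):
    """Random key drawn from the CSPRNG, using only characters safe in a PHP single-quoted string."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def generate_defines():
    """Ready-to-paste define() lines for the four required constants."""
    return "\n".join(f"define('{name}', '{generate_key()}');" for name in REQUIRED_KEYS)


# Constructed sample resembling an old wp-config.php: two placeholder keys, one short key,
# one key missing entirely, and a blank line after the closing ?> tag.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example');
define ('AUTH_KEY', 'put your unique phrase here');
define ('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'short');
$table_prefix = 'wp_';
require_once(ABSPATH . 'wp-settings.php');
?>

"""

if __name__ == "__main__":
    for problem in audit_keys(SAMPLE_CONFIG):
        print("key problem:", problem)
    if trailing_output_after_close_tag(SAMPLE_CONFIG):
        print("warning: output after closing ?> tag (will cause 'headers already sent')")
    print("replacement lines:")
    print(generate_defines())
```

Run it against your own file by reading it into `audit_keys` and `trailing_output_after_close_tag` instead of SAMPLE_CONFIG. The generated lines use the same kind of long random strings the secret-key service hands out; either source is fine, as long as each constant gets its own value and the placeholder text is gone.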
