Your WordPress Site Can Get Hacked If You Don't Have This

by Tom Johnson on May 26, 2009 •
categories: technical-writing wordpress

I helped another person whose WordPress site was hacked this weekend. I've noticed a trend about sites that get hacked. Most of the people installed their WordPress blog either long ago, before the right security phrases were included in the wp-config.php file, or they installed WordPress through an auto-installer that didn't insert the right security phrases.

The wp-config.php file is the key file that contains your database name and password. It's the file that makes the WordPress files talk with your MySQL database, where all your posts and pages are stored. wp-config.php has also been upgraded with stronger security phrases over the past couple of years.

If you have a self-hosted WordPress site, FTP into your root directory and download the wp-config.php file. Then download the latest copy of WordPress from and compare the wp-config-sample.php file in the WordPress download with your version of wp-config.php. After the database, username, and password details, there should be a section of security phrases that looks as follows:

/**
 * Change these to different unique phrases!
 * You can generate these using the {@link secret-key service}
 * @since 2.6.0
 */
define ('AUTH_KEY', 'put your unique phrase here');
define ('SECURE_AUTH_KEY', 'put your unique phrase here');
define ('LOGGED_IN_KEY', 'put your unique phrase here');
define ('NONCE_KEY', 'put your unique phrase here');

If you don't have these security phrases, just go to the URL provided and the site will automatically generate random, difficult strings for each of the security phrases. Paste the phrases into your file.

Note: Even if you have the latest version of WordPress (2.7.1), if you've been upgrading for the last couple of years, you might have omitted upgrading the wp-config.php file, since the upgrade instructions say to leave it alone. If so, check to see if you have all the security phrases in there.

I'm sure there are dozens of ways to hack a WordPress site, but certainly not having these security phrases puts your site at risk.

Caution: While you're editing the wp-config.php file, make sure you don't have any extra spaces at the bottom of the file. For some reason, if you have even one extra space at the bottom, your site will show an error about "headers already sent." Also, if you add the character code enforcement at the top, you may suddenly see funny characters in your site where apostrophes and other character marks appear. Enforcing a character set is optional.
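The two checks described above (are all four security phrases present and no longer the placeholder text, and is there stray whitespace after the closing PHP tag) can be done with a small script rather than by eye. The script below is an added example written for this post; it is not code from WordPress or from the original article. It assumes you run it from the command line with the path to your wp-config.php as the first argument; with no argument it audits a constructed sample fragment that deliberately has a placeholder key, a short key, a missing key and a space after the closing tag. The generated phrases use a broad printable alphabet that excludes quotes and backslashes so they paste straight into a single-quoted PHP string.

```php
<?php
// wp-config.php audit (added example, not part of the original post).
// Usage: php wpconfig-audit.php /path/to/wp-config.php

const REQUIRED_KEYS = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY'];
const PLACEHOLDER   = 'put your unique phrase here';

/** Return [name => value or null] for each required define() found in the file text. */
function extractKeys(string $source): array
{
    $found = array_fill_keys(REQUIRED_KEYS, null);
    // Matches lines such as: define ('AUTH_KEY', 'value');  (single or double quotes, optional spaces)
    $pattern = '/define\s*\(\s*[\'"](' . implode('|', REQUIRED_KEYS) . ')[\'"]\s*,\s*[\'"](.*?)[\'"]\s*\)/';
    if (preg_match_all($pattern, $source, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            $found[$m[1]] = $m[2];
        }
    }
    return $found;
}

/** List problems: missing keys, placeholder or empty values, and values shorter than 32 characters. */
function auditKeys(array $keys): array
{
    $problems = [];
    foreach ($keys as $name => $value) {
        if ($value === null) {
            $problems[] = "$name is missing";
        } elseif ($value === '' || $value === PLACEHOLDER) {
            $problems[] = "$name still has the placeholder value";
        } elseif (strlen($value) < 32) {
            $problems[] = "$name is too short (" . strlen($value) . ' chars)';
        }
    }
    return $problems;
}

/** True if anything other than a single newline follows the last "?>", which PHP would send as output. */
function trailingOutput(string $source): bool
{
    $pos = strrpos($source, '?>');
    if ($pos === false) {
        return false; // no closing tag at all: nothing after it can be echoed
    }
    // PHP swallows exactly one newline directly after ?>; a space or a second newline is output.
    $tail = substr($source, $pos + 2);
    return $tail !== '' && $tail !== "\n" && $tail !== "\r\n";
}

/** Generate a random phrase from the CSPRNG (random_int, PHP >= 7.0). */
function generatePhrase(int $length = 64): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_[]{}<>~+=,.;:/?|';
    $max = strlen($alphabet) - 1;
    $phrase = '';
    for ($i = 0; $i < $length; $i++) {
        $phrase .= $alphabet[random_int(0, $max)];
    }
    return $phrase;
}

// Constructed sample of an old-style wp-config.php: placeholder AUTH_KEY, short LOGGED_IN_KEY,
// no NONCE_KEY at all, and one stray space after the closing tag.
$sample = <<<'CONFIG'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'k8#Vq2Lp9!mZ4wR7tY0bN3xC6eH1jS5dF8gA2uK9oP4iQ7lW0nM3vB6zE1yT5rX8');
define('LOGGED_IN_KEY', 'short');
?> 
CONFIG;

$source   = $argc > 1 ? file_get_contents($argv[1]) : $sample;
$problems = auditKeys(extractKeys($source));
if (trailingOutput($source)) {
    $problems[] = 'stray characters after the closing ?> tag (causes "headers already sent")';
}

if ($problems === []) {
    echo "wp-config.php looks fine\n";
} else {
    foreach ($problems as $p) {
        echo "PROBLEM: $p\n";
    }
    echo "\nReplacement lines (paste over the old ones):\n";
    foreach (REQUIRED_KEYS as $name) {
        printf("define('%s', '%s');\n", $name, generatePhrase());
    }
}
```

On the built-in sample the script reports the placeholder AUTH_KEY, the five-character LOGGED_IN_KEY, the missing NONCE_KEY and the trailing space, then prints four fresh define() lines. Current WordPress releases also define four matching AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT constants; to check those as well, add their names to REQUIRED_KEYS.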


About Tom Johnson

Tom Johnson

I'm a technical writer / API doc specialist based in the Seattle area. In this blog, I write about topics related to technical writing and communication — such as software documentation, API documentation, visual communication, information architecture, writing techniques, plain language, tech comm careers, and more. Check out simplifying complexity and API documentation for some deep dives into these topics. If you're a technical writer and want to keep on top of the latest trends in the field, be sure to subscribe to email updates. You can also learn more about me or contact me.