WordPress Security Keys

Using strong security keys is an important part of securing WordPress against external attack. WordPress security keys are four authentication keys and four hashing salts (random bits of data) that add an extra layer of security to your cookies and passwords. The security keys are defined in your WordPress configuration file, wp-config.php.

Keys are predefined out of the box, but if you want a very strong WordPress installation you should change them to something else. As of WordPress 3.0 there are eight security keys, introduced in the following versions:

  • WordPress 2.6: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY
  • WordPress 2.7: NONCE_KEY
  • WordPress 3.0: AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT

View the Security Keys

1. Edit the wp-config.php file

Example:

Each key needs to be completely random and different from the others. You can do this manually or you can use the WordPress online service for automatic key generation.

Official WordPress Secret Key Generator

You can refresh the page to generate new keys until you find the key set you desire the most.

You will need to copy the entire block of code and replace the eight default keys with the eight random ones.
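One way to check the rule above that every key is random and different from the others, as an added example (not code from the original post or from WordPress): the script audits the text of a wp-config.php for missing, placeholder, short or reused keys, and can build a replacement block locally. The function names and the 64-character minimum are assumptions made for this example.

```python
import re
import secrets

# The eight constants named on this page.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 64  # assumption: minimum acceptable length for this audit
# Printable ASCII without quotes and backslash, so no PHP escaping is needed.
ALPHABET = [chr(c) for c in range(33, 127) if chr(c) not in "'\"\\"]
# Matches define('NAME', 'value'); with a single-quoted value.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;""")

def audit_keys(config_text):
    """Return a list of findings for the security keys in wp-config.php text."""
    found = {name: value for name, value in DEFINE_RE.findall(config_text)
             if name in KEY_NAMES}
    findings = []
    for name in KEY_NAMES:
        if name not in found:
            findings.append(f"{name}: missing")
        elif found[name] == PLACEHOLDER:
            findings.append(f"{name}: still the placeholder")
        elif len(found[name]) < MIN_LENGTH:
            findings.append(f"{name}: shorter than {MIN_LENGTH} characters")
    values = list(found.values())
    for name, value in found.items():
        if value != PLACEHOLDER and values.count(value) > 1:
            findings.append(f"{name}: value reused by another key")
    return findings

def generate_block():
    """Build eight define() lines locally from the OS CSPRNG."""
    return "\n".join(
        "define( '%s', '%s' );" % (n, "".join(secrets.choice(ALPHABET) for _ in range(MIN_LENGTH)))
        for n in KEY_NAMES)

# Constructed sample: one placeholder, one reused value, one short value, four keys absent.
SAMPLE = """
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'samevalue-samevalue-samevalue-samevalue-samevalue-samevalue-1234' );
define( 'LOGGED_IN_KEY',   'samevalue-samevalue-samevalue-samevalue-samevalue-samevalue-1234' );
define( 'NONCE_KEY',       'short' );
"""

if __name__ == "__main__":
    print("\n".join(audit_keys(SAMPLE)))
```
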

Other Considerations

  • Never reveal your security keys to anyone
  • Any logged-in users will need to log back in if you change the keys
  • Security keys can be changed at any time

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

How to Install Curl into PHP5 and Apache

cURL is a library that lets you make HTTP requests in PHP.

Most hosting providers have cURL installed already, but if you have to install it on your self-managed server with Apache and PHP5 installed, follow this step-by-step process.

1. Install packages

2. Open php.ini and add extension (my php.ini file is located at /etc/php5/apache2/php.ini)

3. Restart Apache


A Collection of Wordlists

You are only as effective as the wordlist you use. Over the years I have collected a fair few of them and will bring them to you all in one place.

Common

10k_common.txt 82KB

2012commonpw.txt 1KB

All_Common_Router_Passwords.txt 3.3KB

commonpasswords.txt 3.3KB

Random

AllPasswords.txt 58MB

dic.txt 8.6MB

largelist.txt

darkc0de.txt 17MB

smalllist.txt 26MB

realhuman_phill.txt 683.2KB

rockyou.txt 133.4KB

Openwall

pwgen-nontty.gz 118.7MB

pwgen-tty.gz 120.4MB

Wordlists-20031009.txt 613MB

Worst Passwords

500-worst-passwords.txt 3.4KB

I will add more as I get them.


Add User to Sudo Without Prompting Password

You might need to add users to sudoers, but when they elevate to sudo they will be prompted for a password. This process will add the user to sudoers and also allow them to run commands without being prompted for a sudo password.

This works for Ubuntu or Debian Linux.

Process

1. Install Sudo (if not currently installed)

2. Edit Sudo configuration

3. Add this line at the end of the configuration file (change sally to the username you are using)


How to Reveal Hidden Passwords in Web Browsers

In many places where you need to enter your password to gain access, or to authorise or confirm a transaction, the characters you type into the input box automatically change into asterisks or bullets. This is to protect your password from straying eyes.

There is a simple trick to find out what is behind the bullet points or asterisks in web browsers.

The hidden fields are disguised using simple HTML or CSS so just changing the values on the fly will reveal what is behind the bullets or asterisks.

Google Chrome

In this example I am using LinkedIn as a login area.

Right-click on the password box and click on “Inspect element”.

The bottom of your screen will be sectioned off with a whole lot of code; you only need to focus on the code highlighted in blue.

Change type=password to type=text

Once you change that, the password is revealed.
