WordPress Security Keys


Using strong security keys is an important part of securing WordPress against external attack. WordPress security keys are four authentication keys and four hashing salts (random strings) that add an extra layer of protection to your cookies and passwords. They are defined in your WordPress configuration file, wp-config.php.

Out of the box the keys are placeholders, so if you want a hardened WordPress installation you should really change them to something else. As of WordPress 3.0 there are eight security keys, introduced in the following versions:

  • WordPress 2.6: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY
  • WordPress 2.7: NONCE_KEY
  • WordPress 3.0: AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT

View the Security Keys

1. Edit the wp-config.php file

vi /var/www/example.com/wp-config.php

Example:

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

/**#@-*/

Each key needs to be completely random and different from the others. You can write them by hand or use the WordPress online service to generate them automatically.

Official WordPress Secret Key Generator: https://api.wordpress.org/secret-key/1.1/salt/

You can refresh the page to generate a new set of keys each time, until you have the key set you want.

You will need to copy the entire block of code and replace the eight default defines with the eight randomly generated ones.
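As an added example (not from the post and not WordPress's own code): a small POSIX shell script that generates the eight defines locally from /dev/urandom instead of fetching them from the WordPress.org service, and audits an existing wp-config.php for defines still carrying the stock placeholder. The 64-character length, the character set and the write_sample_config helper are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress): generate the
# eight key/salt defines locally and audit a wp-config.php for placeholders.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"

# One 64-character random key. The character set deliberately excludes the
# quote and backslash so the value is safe inside a single-quoted PHP string.
gen_key() {
  dd if=/dev/urandom bs=1024 count=1 2>/dev/null \
    | LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' | cut -c1-64
}

# Emit eight define() lines, each with its own key, ready to paste into
# wp-config.php in place of the placeholder block.
gen_defines() {
  for k in $WP_KEYS; do
    printf "define('%s', '%s');\n" "$k" "$(gen_key)"
  done
}

# Read the value of one define from a wp-config.php (empty if absent).
read_define() {
  sed -n "/^define( *'$2'/{s/^define( *'$2', *'\(.*\)' *);.*/\1/p;q;}" "$1"
}

# Audit: number of the eight keys that are missing or still the placeholder.
# Zero means the file has been given unique keys.
count_placeholder_keys() {
  bad=0
  for k in $WP_KEYS; do
    val=$(read_define "$1" "$k")
    if [ -z "$val" ] || [ "$val" = "$PLACEHOLDER" ]; then
      bad=$((bad + 1))
    fi
  done
  echo "$bad"
}

# Constructed sample of the stock (unchanged) block, written to the given path.
write_sample_config() {
  for k in $WP_KEYS; do
    printf "define('%s', '%s');\n" "$k" "$PLACEHOLDER"
  done > "$1"
}
```

Running count_placeholder_keys against a live wp-config.php is a quick way to confirm a site was not left with the stock keys.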

Other Considerations

  • Never reveal your security keys to anyone
  • Any logged in users will need to log back in if you change the keys
  • Security keys can be changed at any time

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

How to Install Curl into PHP5 and Apache


cURL is a library that lets you make HTTP requests from PHP.

Most hosting providers have cURL installed already, but if you have to install it on your self-managed server with Apache and PHP5, follow this step-by-step process.

1. Install packages

apt-get install curl libcurl3 libcurl3-dev php5-curl php5-mcrypt

2. Open php.ini and add the extension line (my php.ini file is located at /etc/php5/apache2/php.ini)

vi /etc/php5/apache2/php.ini
extension=curl.so

3. Restart Apache

/etc/init.d/apache2 restart


A Collection of Wordlists

You are only as effective as the wordlist you use. Over the years I have collected a fair few of them, and here they all are in one place.

Common

  • 10k_common.txt 82KB
  • 2012commonpw.txt 1KB
  • All_Common_Router_Passwords.txt 3.3KB
  • commonpasswords.txt 3.3KB

Random

  • AllPasswords.txt 58MB
  • dic.txt 8.6MB
  • largelist.txt
  • darkc0de.txt 17MB
  • smalllist.txt 26MB
  • realhuman_phill.txt 683.2KB
  • rockyou.txt 133.4KB

Openwall

  • pwgen-nontty.gz 118.7MB
  • pwgen-tty.gz 120.4MB
  • Wordlists-20031009.txt 613MB

Worst Passwords

  • 500-worst-passwords.txt 3.4KB

I will add more as I get them.


Add User to Sudo Without Prompting Password


You might need to add users to sudoers, but when they elevate with sudo they will be prompted for a password. This process adds the user to sudoers and also allows them to run commands without being prompted for a sudo password.

This works on Ubuntu or Debian.

Process

1. Install Sudo (if not currently installed)

apt-get install sudo

2. Edit Sudo configuration

visudo

3. Add this line at the end of the configuration file (change sally to the username you are using)

sally ALL=(ALL) NOPASSWD: ALL
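An added check that is not part of the original post: a POSIX shell audit that lists the NOPASSWD rules in a sudoers file, names the users whose rule waives the password for ALL commands (the form above), and builds the narrower alternative that waives it for one absolute command path only. The deploy user, the service command and the helper names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sudoers file for
# password-less rules and emit a least-privilege alternative to "NOPASSWD: ALL".

# Constructed sample: the post's unrestricted rule for sally next to a
# narrower rule that waives the password for a single command line only.
SAMPLE_SUDOERS="root ALL=(ALL:ALL) ALL
# sally: no password for anything (the rule from the post)
sally ALL=(ALL) NOPASSWD: ALL
# deploy: no password, but only for one fixed command line
deploy ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
%sudo ALL=(ALL:ALL) ALL"

# Every active (non-comment) rule in the file that waives the password.
nopasswd_rules() {
  grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' || true
}

# Users whose rule is "NOPASSWD: ALL", the riskiest form: anyone who gets a
# shell as that user (leaked key, hijacked session) is root with no prompt.
unrestricted_nopasswd_users() {
  nopasswd_rules "$1" \
    | grep 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$' \
    | awk '{print $1}'
}

# Build the narrower rule: password waived for one command only. sudoers
# requires a fully qualified command path, so relative names are rejected.
restricted_rule() {
  case "$2" in
    /*) printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2" ;;
    *)  echo "command must be an absolute path: $2" >&2; return 1 ;;
  esac
}
```

Check any rule you write with `visudo -c -f <file>` before installing it under /etc/sudoers.d.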


How to Reveal Hidden Passwords in Web Browsers

Wherever you enter a password to gain access, authorise or confirm a transaction, the characters you type into the input box are shown as asterisks or bullets. This is to protect your password from prying eyes.

There is a simple trick to find out what is behind the bullet points or asterisks in web browsers.

The masking is done with a simple HTML attribute on the input field, so changing that value on the fly in the browser's developer tools reveals what is behind the bullets or asterisks.

Google Chrome

In this example I am using Linkedin as a login area.

Right click on the password box and click on “Inspect element”


A panel full of code opens at the bottom of your screen; you only need to focus on the line highlighted in blue.


Change type=password to type=text

Once you change that, the password is revealed.
