WordPress Security Key
ID: wordpress_security_key
Severity: high
Vendor: WordPress
Family: Encryption Keys
Description
WordPress security keys are encryption tools that protect your login information. They work by locking and unlocking your passwords and other details.
When you log in to your WordPress site, cookies store your login information on your computer. This is why you don't need to log in every time you reload the page or revisit your site.
All this information is stored in an encrypted form, generated by WordPress using random strings of characters. As a result, your credentials are indistinguishable from random characters, which makes them hard to steal.
Keys are stored in a wp-config.php file generated by WordPress. The wp-config.php file is a crucial configuration file for WordPress: it contains important settings, such as database connection details, and various other configuration options for your WordPress site.
There are four security keys in total: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY. Each security key has a corresponding
Security
Any hardcoded API key is a potential secret reported by this detector. This is typically a PHP constant named AUTH_KEY or SECURE_AUTH_KEY.
In addition, WordPress uses other keys such as LOGGED_IN_KEY and NONCE_KEY to authenticate users.
Additional items to protect are the related 'salt' constants: AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT.
Never ever store wp-config.php files with hardcoded keys/salt values under version control. You may
Examples
define( 'DB_NAME', 'main' );
define( 'DB_USER', 'admin' );
define( 'DB_PASSWORD', 'admin' );
define( 'DB_HOST', 'localhost' );
/* Authentication Unique Keys and Salts. */
/* https://api.wordpress.org/secret-key/1.1/salt/ */
define('AUTH_KEY', 'MW1pxMctoyA(>M%0Vl 2(#o0|2$cB+K|.G$hB~4`Juw@]:(5;oVUl<<W3^e_R-fg');
define('SECURE_AUTH_KEY', 'Y>Y9.5Ch0-3cq|=vbus[IeF(OJ9yZ|SQ#:iG;NSa+GJmj _1Ed(cVZ7r#+JMlA,S');
define('LOGGED_IN_KEY', 'Q$:B]zZjN-AdT<>h7V1.vm+k^|}2wVZf]Xw#QEZ[-pSohv+Kj0W-Z|:|g$-+E8:8');
define('NONCE_KEY', '}Fi>>0a{> akEdJ1K3c}([(:x;K[)ZQ3F3cttcpd EFORd.%R|*|rdRs#-L-&)P1');
define('AUTH_SALT', 'j@cGIZJfObpPU);AZgYH5,ubbSlUp|ZnLZNlq|;tkFe5xc(=_0[LKbF71T.EE ~9');
define('SECURE_AUTH_SALT', 'Ed&1cr+{3T$a+{[8LP~i5-[|Z`x-V>;Di_C/E~UnSg{n[h#{D[-t>yIUZ8YqSu3t');
define('LOGGED_IN_SALT', 'of@~yp:v@SK;Y}hzUo4=bz9WmX&vEw5TO dD$<2djGcE+Qz,Sb9i:{+U<#eM-RmE');
define('NONCE_SALT', ':9URM*n56|I|Rf$|ud0cFJ<KAA<1h_w]A!/?])<q+!qK>+Lq&j9^-!{%%pW. ,Z=');
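The check a reviewer wants to run over a wp-config.php like the one above is "which of the eight constants hold a literal secret, and which are read from somewhere safer?". The scanner below is an added example, not the detector's own code: it walks every define() call, classifies the eight key/salt constants as hardcoded, placeholder, environment-sourced or some other expression, and reports names only, never the secret values. The sample config at the bottom is constructed for this example; its literal values are made up and deliberately contain the "(", ")" and ";" characters that WordPress keys contain and that trip naive line-based parsers.

```python
"""Scan wp-config.php text for hardcoded WordPress security keys and salts.

Added example (not the detector's code): classifies how each of the eight
key/salt constants is defined so a reviewer can tell a literal secret from a
value pulled from the environment. Secret values are never echoed back, only
the constant name and how it is defined.
"""
import re

# The eight constants WordPress reads from wp-config.php.
WP_SECRET_NAMES = frozenset({
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
})

# Value shipped in wp-config-sample.php; a site still using it has no real key.
WP_PLACEHOLDER = "put your unique phrase here"

# PHP expressions that read the value from the process environment.
ENV_SOURCES = ("getenv(", "$_ENV[", "$_SERVER[")

# define( 'NAME', <value> );
# Generated keys contain '(', ')' and ';' but never quotes, so a quoted
# literal is consumed as a whole before falling back to a bare expression.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_][A-Za-z0-9_]*)['"]\s*,\s*"""
    r"""(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<expr>[^;]+?))\s*\)\s*;"""
)


def classify_secret_definitions(php_source: str) -> dict:
    """Map each defined security constant to one of:
    "hardcoded"   literal secret present in the file (report it)
    "placeholder" sample value or empty string (weak, but not a leak)
    "env"         read from the environment (acceptable)
    "expression"  some other PHP expression; review by hand
    """
    findings = {}
    for m in DEFINE_RE.finditer(php_source):
        name = m.group("name")
        if name not in WP_SECRET_NAMES:
            continue
        literal = m.group("sq") if m.group("sq") is not None else m.group("dq")
        if literal is not None:
            status = "placeholder" if literal in ("", WP_PLACEHOLDER) else "hardcoded"
        elif any(src in m.group("expr") for src in ENV_SOURCES):
            status = "env"
        else:
            status = "expression"
        findings[name] = status
    return findings


def hardcoded_names(findings: dict) -> list:
    """Constants that hold a literal secret and need rotation."""
    return sorted(n for n, s in findings.items() if s == "hardcoded")


def undefined_names(findings: dict) -> list:
    """Security constants the file does not define at all."""
    return sorted(WP_SECRET_NAMES - set(findings))


# Constructed sample config (not a real site's file). The literal values are
# made up and include the ');' sequence that breaks naive parsers.
SAMPLE_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'main' );
define( 'DB_PASSWORD', getenv('DB_PASSWORD') );
/* Authentication Unique Keys and Salts. */
define('AUTH_KEY',        'x7(Rk;)P=constructed_value_01!|<>~{}[]');
define('SECURE_AUTH_KEY', "constructed value 02 with );inside");
define('LOGGED_IN_KEY',   getenv('LOGGED_IN_KEY'));
define('NONCE_KEY',       'put your unique phrase here');
define( 'AUTH_SALT', $_ENV['AUTH_SALT'] );
define( 'SECURE_AUTH_SALT', $salts['secure'] );
"""

if __name__ == "__main__":
    result = classify_secret_definitions(SAMPLE_WP_CONFIG)
    for name in sorted(result):
        print(f"{name:18} {result[name]}")
    print("needs rotation:", hardcoded_names(result))
    print("not defined here:", undefined_names(result))
```

On the constructed sample this reports AUTH_KEY and SECURE_AUTH_KEY as hardcoded, NONCE_KEY as the sample placeholder, LOGGED_IN_KEY and AUTH_SALT as environment-sourced, SECURE_AUTH_SALT as an expression to review, and LOGGED_IN_SALT and NONCE_SALT as not defined in the file. Anything in the "hardcoded" list that has ever been committed should be treated as leaked and rotated, whatever the repository's visibility.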
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires renewing the WordPress security keys. WordPress provides a secret key generator that will generate new random keys so you can paste them into the wp-config.php file to be deployed, or better, into a safer place, like environment variables or a secrets manager.
  // get secrets from environment variables
  define( 'DB_PASSWORD', getenv('DB_PASSWORD') );
  define( 'AUTH_KEY', getenv('AUTH_KEY') );
  // ...
- Remove the wp-config.php file from the source code or committed configuration files. An alternative mechanism should be used to deploy this critical file to the target environment. Unless the secrets are read from a trusted source instead of being hardcoded, NEVER put the wp-config.php file under version control.
- Check WordPress access logs to ensure that the secret was not used by unintended actors during the compromised period. There are many ways to do this, often using plugins like WP Admin Audit.
- (Optional) If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.
You should consider any hardcoded API keys in the leaked
Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
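The first mitigation step above, generating fresh keys and moving them out of the committed file, is shown end to end below. This is an added example, not WordPress's own generator (the page points to https://api.wordpress.org/secret-key/1.1/salt/ for that): it draws each value from the OS CSPRNG via Python's secrets module, writes the eight values as a .env-style file, renders the matching wp-config.php lines that read them with getenv(), and checks a target environment for missing variables before deployment. The 64-character length and the alphabet (printable ASCII without quotes, backslash, backtick, dollar or space, so nothing needs escaping in a dotenv file, a shell or a PHP string) are this example's choices.

```python
"""Generate replacement WordPress keys/salts and emit them for env-based deployment.

Added example (not WordPress's generator): uses the OS CSPRNG via `secrets`
and renders (a) a .env-style file holding the values and (b) the matching
wp-config.php lines that read them with getenv(), so the committed file holds
no secret. Length and alphabet are this example's assumptions.
"""
import secrets
import string

# Ordered so the rendered files list the keys first and the salts second.
WP_SECRET_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus characters that need escaping in .env files, POSIX
# shells or PHP single-quoted strings (quotes, backslash, backtick, dollar).
KEY_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\`$"
)
KEY_LENGTH = 64  # assumption for this example; WordPress accepts any string


def generate_wp_secrets(length: int = KEY_LENGTH) -> dict:
    """Fresh, independent random value for each of the eight constants."""
    return {
        name: "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))
        for name in WP_SECRET_NAMES
    }


def render_env_file(values: dict) -> str:
    """NAME='value' lines; single quotes keep the value verbatim for dotenv
    loaders and POSIX shells. Store this file outside the repository."""
    return "".join(f"{name}='{values[name]}'\n" for name in WP_SECRET_NAMES)


def render_wp_config_block() -> str:
    """wp-config.php lines that pull every key/salt from the environment."""
    lines = ["/* Keys and salts come from the environment; nothing secret lives in this file. */"]
    lines += [f"define( '{name}', getenv('{name}') );" for name in WP_SECRET_NAMES]
    return "\n".join(lines) + "\n"


def missing_from_environment(environ: dict) -> list:
    """Names not set (or empty) in the target environment. PHP's getenv()
    returns false for an unset variable, so deploy only when this is empty."""
    return [name for name in WP_SECRET_NAMES if not environ.get(name)]


if __name__ == "__main__":
    import os
    new_values = generate_wp_secrets()
    print(render_env_file(new_values), end="")
    print(render_wp_config_block(), end="")
    print("missing in this shell:", missing_from_environment(os.environ))
```

Rotating all eight values invalidates every existing WordPress login cookie, so users are signed out and must log in again; that is the intended effect after a leak. Run missing_from_environment() against the real deployment environment before shipping the getenv()-based wp-config.php, since an unset variable silently yields false rather than a key.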