Yogesh Chauhan's Blog

How to invalidate all existing cookies using Security Keys in WordPress?

in WordPress on December 27, 2021

What are Security Keys?

A secret key adds random elements to the password which makes it difficult for the attackers to hack your site.

As per WordPress documentation, a secret key is a “password with elements” that make it difficult to generate enough password options to break through your site’s security barriers.

For e.g. if you’ve set your password as “12345” or “qwerty”, it’s easily broken even with a few guesses, you might not even need a hacker’s mind or tools for that.

In contrast with that, if you use a random, lengthy password (which is now a requirement for many websites), such as ‘.xK0H)Yx;7ah)VDsAD.iRA$9I6y?-RU6L=SNP-U`V*-,J<i&gW+(pa0oqc0vDu2Z’, it’ll be a hell of a task for a hacker to crack the password and it’ll definitely requires hours and hours of brute force attack.

WordPress (and many other services) uses “salt” to enhance the security of the generated password even further.

WordPress recommends four salts for each four keys to further enhance the security but it’s not required to do so. WordPress will generate salts for your website if you don’t provide any. Those salts are included in wp-config.php by default.

Example of Four Security Keys


define('AUTH_KEY',         '.xK0H)Yx;7ah)VDsAD.iRA$9I6y?-RU6L=SNP-U`V*-,J<i&#038;gW+(pa0oqc0vDu2Z');
define('SECURE_AUTH_KEY',  '`)2K%L; -yzd 30e1hm1>l:!BJm618;s-HN<`{7nqEj*zH]6SV]qWD}MTdGH+iGy');
define('LOGGED_IN_KEY',    'hj#S5 >1obJqnCJh<y5lli3.>2WJt^jedCKM p<UY!ens**{XX44[+LJ#dvxa{fs');
define('NONCE_KEY',        'y==Rj;azw_[#!YNxC5-+M?dX`^(]c[de? VnY |I.%|6LMR:Jp^):-R3*+CexGUC');
define('AUTH_SALT',        '3TC`Ns:wRIYGR/jM$<>_)n?7{(oscdH?N}ry3_.tHj.$7L*A/{z8|ofunb2036;G');
define('SECURE_AUTH_SALT', 'G5(Mm}I3Cq<[|f^SNQd|em9+kXU##@$K}]_*=<YA&#038;M0u`58=KzE?E$K1v(w7q-,a');
define('LOGGED_IN_SALT',   'FL)3p%s_O|}FF9qC<&#038;;~U-Zl{fSweP--oWYWd?4G:)RqFkgZE*-}f|=g{A[2CGh+');
define('NONCE_SALT',       '.C`|@SFIKy_;4[|ia:xiIOd$IP>m[g1gRI%6(i=zB0}$xr#.?4{xuOf<ZVOcPG b');

DO NOT USE those keys from the example above. Instead, use this keys generator from WordPress.

How to invalidate all existing cookies?

When you change those keys from you wp-config.php file, you invalidate all existing cookies.

This means that all the current users of your website will be logged out and they’ll need to log in again.









Most Read

#1 Solution to the error “Visual Studio Code can’t be opened because Apple cannot check it for malicious software” #2 How to add Read More Read Less Button using JavaScript? #3 How to check if radio button is checked or not using JavaScript? #4 Solution to “TypeError: ‘x’ is not iterable” in Angular 9 #5 PHP Login System using PDO Part 1: Create User Registration Page #6 How to uninstall Cocoapods from the Mac OS?

Recently Posted

#Apr 8 JSON.stringify() in JavaScript #Apr 7 Middleware in NextJS #Jan 17 4 advanced ways to search Colleague #Jan 16 Colleague UI Basics: The Search Area #Jan 16 Colleague UI Basics: The Context Area #Jan 16 Colleague UI Basics: Accessing the user interface
You might also like these
Crypto.getRandomValues() method in JavaScriptJavaScriptAND, OR and NOT boolean operators in Envision BasicEnvision BasicUse inline if to make a shorter conditional syntax in ReactReactHow to list all PHP variables to debug the script?PHPHow to create a simple digital clock using JavaScript?JavaScriptCustom Post Type Template Files in WordPressWordPress