Yogesh Chauhan's Blog

How to invalidate all existing cookies using Security Keys in WordPress?

in WordPress on December 27, 2021

What are Security Keys?

A secret key adds random elements to the password which makes it difficult for the attackers to hack your site.

As per WordPress documentation, a secret key is a “password with elements” that make it difficult to generate enough password options to break through your site’s security barriers.

For e.g. if you’ve set your password as “12345” or “qwerty”, it’s easily broken even with a few guesses, you might not even need a hacker’s mind or tools for that.

In contrast with that, if you use a random, lengthy password (which is now a requirement for many websites), such as ‘.xK0H)Yx;7ah)VDsAD.iRA$9I6y?-RU6L=SNP-U`V*-,J<i&gW+(pa0oqc0vDu2Z’, it’ll be a hell of a task for a hacker to crack the password and it’ll definitely requires hours and hours of brute force attack.

WordPress (and many other services) uses “salt” to enhance the security of the generated password even further.

WordPress recommends four salts for each four keys to further enhance the security but it’s not required to do so. WordPress will generate salts for your website if you don’t provide any. Those salts are included in wp-config.php by default.

Example of Four Security Keys


define('AUTH_KEY',         '.xK0H)Yx;7ah)VDsAD.iRA$9I6y?-RU6L=SNP-U`V*-,J<i&#038;gW+(pa0oqc0vDu2Z');
define('SECURE_AUTH_KEY',  '`)2K%L; -yzd 30e1hm1>l:!BJm618;s-HN<`{7nqEj*zH]6SV]qWD}MTdGH+iGy');
define('LOGGED_IN_KEY',    'hj#S5 >1obJqnCJh<y5lli3.>2WJt^jedCKM p<UY!ens**{XX44[+LJ#dvxa{fs');
define('NONCE_KEY',        'y==Rj;azw_[#!YNxC5-+M?dX`^(]c[de? VnY |I.%|6LMR:Jp^):-R3*+CexGUC');
define('AUTH_SALT',        '3TC`Ns:wRIYGR/jM$<>_)n?7{(oscdH?N}ry3_.tHj.$7L*A/{z8|ofunb2036;G');
define('SECURE_AUTH_SALT', 'G5(Mm}I3Cq<[|f^SNQd|em9+kXU##@$K}]_*=<YA&#038;M0u`58=KzE?E$K1v(w7q-,a');
define('LOGGED_IN_SALT',   'FL)3p%s_O|}FF9qC<&#038;;~U-Zl{fSweP--oWYWd?4G:)RqFkgZE*-}f|=g{A[2CGh+');
define('NONCE_SALT',       '.C`|@SFIKy_;4[|ia:xiIOd$IP>m[g1gRI%6(i=zB0}$xr#.?4{xuOf<ZVOcPG b');


DO NOT USE those keys from the example above. Instead, use this keys generator from WordPress.

How to invalidate all existing cookies?

When you change those keys from you wp-config.php file, you invalidate all existing cookies.

This means that all the current users of your website will be logged out and they’ll need to log in again.


Most Read

#1 How to check if radio button is checked or not using JavaScript? #2 How to add Read More Read Less Button using JavaScript? #3 Solution to “TypeError: ‘x’ is not iterable” in Angular 9 #4 How to uninstall Cocoapods from the Mac OS? #5 PHP Login System using PDO Part 1: Create User Registration Page #6 How to Use SQL MAX() Function with Dates?

Recently Posted

#Jan 17 4 advanced ways to search Colleague #Jan 16 Colleague UI Basics: The Search Area #Jan 16 Colleague UI Basics: The Context Area #Jan 16 Colleague UI Basics: Accessing the user interface #Jan 14 How to display a student’s individual transcript in Colleague? #Jan 11 How to install PuTTY on a MacOS?
You might also like these
Content Blocks in SCSS (Sass)SCSSHow to retrieve homepage URL in WordPress?WordPressVariables scope and shadowing in SCSS (Sass)SCSSWordPress: How to change a blog address (URL)?WordPressWhat is Etrieve Flow?MiscellaneousWhat’s the difference between a Framework and a Library?Miscellaneous