WordPress Security Keys: How to Regenerate Them After a Hack

Join us for digital creativity inspiration on our blog!

regenerating WordPress security keys

When your WordPress site is hacked, it’s essential to take immediate action to secure it and prevent further access by malicious actors. One critical yet often overlooked step in hardening your WordPress security is regenerating your WordPress Security Keys (also known as Secret Keys or Authentication Keys). First, you’ll need to fix your hacked WordPress website. Once this is done, the next step is improving your website’s security by regenerating the WordPress security keys. Here’s how to do this:

What Are WordPress Security Keys?

WordPress Security Keys are a set of cryptographic variables that add a layer of encryption to the information stored in your WordPress cookies. These keys include:

  1. AUTH_KEY
  2. SECURE_AUTH_KEY
  3. LOGGED_IN_KEY
  4. NONCE_KEY
  5. AUTH_SALT
  6. SECURE_AUTH_SALT
  7. LOGGED_IN_SALT
  8. NONCE_SALT

Together, these keys and salts secure your site’s login credentials and session information, making it significantly harder for hackers to steal or manipulate sensitive data.

Learn About: Conducting a Website Security Audit

Why Regenerate WordPress Security Keys After a Hack?

When a hacker gains access to your WordPress website, they can potentially steal or manipulate session cookies, allowing them to stay logged in even after you’ve changed your passwords. Regenerating the security keys invalidates all active user sessions, effectively logging out all users, including the hacker, and securing your website from further unauthorised access.

Steps to Regenerate WordPress Security Keys

Here are the essential steps you need to take to regenerate the WordPress security keys after a website hack:

1. Backup Your WordPress Files and Database

Before making any changes, ensure you have a complete backup of your WordPress files and database. This will help you restore the site if anything goes wrong during the process.

2. Generate New Security Keys

WordPress provides an easy-to-use API for generating fresh security keys. Visit the official WordPress Secret Key Generator to generate a new set of keys. The page will display a unique set of keys and salts like the example below:

php
define('AUTH_KEY', 'your-unique-phrase');
define('SECURE_AUTH_KEY', 'your-unique-phrase');
define('LOGGED_IN_KEY', 'your-unique-phrase');
define('NONCE_KEY', 'your-unique-phrase');
define('AUTH_SALT', 'your-unique-phrase');
define('SECURE_AUTH_SALT', 'your-unique-phrase');
define('LOGGED_IN_SALT', 'your-unique-phrase');
define('NONCE_SALT', 'your-unique-phrase');

3. Edit the wp-config.php File

Access your WordPress installation via FTP, your hosting provider’s file manager, or SSH. Locate the wp-config.php file in the root directory of your WordPress site.

  1. Open the wp-config.php file in a text editor.
  2. Look for the section containing the existing security keys.
  3. Replace the old keys with the new ones you generated from the Secret Key Generator.

4. Save the Changes

Once you’ve replaced the keys, save the wp-config.php file. The changes will take effect immediately, logging out all users and invalidating all active sessions, including those of any potential hackers.

5. Test Your Site

Log back into your WordPress dashboard to ensure everything is working properly. If you encounter any issues, double-check for errors in the wp-config.php file or restore your backup if necessary.

Discover: Simplify Your Website Management With A WordPress Maintenance Plan

Additional Security Measures Post-Hack

Regenerating WordPress Security Keys is a crucial step, but it’s just one part of a broader security strategy. Here are some additional measures to reinforce your site’s security:

  1. Change All Passwords: Update passwords for all user accounts, the database, hosting, FTP, and any other associated services.
  2. Install a Web Application Firewall (WAF): Use security plugins like Wordfence or Sucuri to block malicious traffic and prevent brute-force attacks.
  3. Update Core Files, Plugins, and Themes: Ensure all WordPress core files, plugins, and themes are updated to the latest versions to patch any vulnerabilities.
  4. Set Proper File Permissions: Review and set restrictive file permissions for key files like wp-config.php and .htaccess to prevent unauthorised modifications.
  5. Disable File Editing: Add the following line to your wp-config.php file to disable the file editor in WordPress, preventing unauthorised code changes:
    PHP
    define('DISALLOW_FILE_EDIT', true);

Learn More: How to Scan Your Site for Malware

Conclusion

Regenerating your WordPress Security Keys is a simple yet powerful way to secure your site after a hack. By invalidating all active sessions, you ensure that any intruders are immediately logged out. Combined with other essential security practices—such as updating your site, using a WAF, and monitoring activity logs—you can significantly strengthen your WordPress site’s security. Regular maintenance and proactive measures are key to keeping your WordPress installation safe from future threats. Stay vigilant, update regularly, and prioritise security to protect your site from further compromise.

Leave a Reply

Your email address will not be published. Required fields are marked *