Improved Security When Upgrading WordPress Not Automatic

One click WordPress upgrades are convenient. They fit right in with how I describe blogging platforms to the uninitiated: They make web publishing simple for people of modest technical means.

Some web hosts include the Fantastico module which also allows for one click upgrades of WordPress. I’ve used it many times. It is (usually) faster than upgrading manually.

However there is a serious shortcoming with the one click upgrades and it involves security.

Security Problem

The good folks at WordPress are very security conscious. They are continually improving the platform to make it more secure.

Trouble is some of the most important security enhancements are completely left out of one click upgrades. In fact, they may even be left out of manual upgrades.

The issue involves the wp-config.php file. This is the WordPress file that sets the login information to the data base that houses all of your blog’s information.

This file does not get updated automatically when WordPress is upgraded. In fact, the file isn’t included even when you download WordPress to upgrade manually. With good reason.The good folks at WordPress don’t want every upgrade to overwrite database passwords and lock folks out of their blogs.

Instead they include a different file name with generic info in it called wp-config-sample.php and this file gets overwritten every time WordPress is upgraded.

The problem is some of the biggest security upgrades involve modifications to the wp-config.php file, so they aren’t happening on a lot of WordPress blogs as they are upgraded.

Getting More Secure

In WordPress 2.5 they introduced the Secret_Key encryption. If you look at the wp-config-sample.php file you fill find the following inside:

// Change SECRET_KEY to a unique phrase.  You won’t have to remember it later,
// so make it long and complicated.  You can visit
// to get a secret key generated for you, or just make something up.
define(‘SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.

And as you can see from the link above, the folks at WordPress did a good job of documenting what you need to do with this file to make your blog more secure.

How to Secure WordPress 2.6

However, starting with WordPress 2.6 they ditched the Secret_Key and added 3 other keys which means the wp-config.php file needs to be manually updated again. Here is the code from the latest WordPress version:

// Change each KEY to a different unique phrase.  You won’t have to remember the phrases later,
// so make them long and complicated.  You can visit
// to get keys generated for you, or just make something up.  Each key should have a different phrase.
define(‘AUTH_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.

This code should replace the code listed above from WordPress 2.5. Each place you see ‘put your unique phrase here‘ you should replace it with a different long and random character string.

To make it easier on everyone, WordPress has set up a page which will generate random code suitable for replacing the three lines outright at this link:

For example I went there and it generated the following:

define(‘AUTH_KEY’, ‘IU/(x3pR(Ae6*PlhA=N6#/ =F^_;\\rpnX|9:|0}so-`zxqXoaV(y|0g~&V0%Kc^a’);
define(‘SECURE_AUTH_KEY’, ‘oiSMI<Ui*\’DCW *cSe5Y0Y_vGx ^G0su~q*8@73xBjWj=z6RZ;\\;mH,UmA@U |eW’);
define(‘LOGGED_IN_KEY’, ‘Cvk{(Dy/.zY:<g^@E)@+QA6qKXkv<oo]\\~VpEi;}+o5(g?@W[{@JNQAW9-v7T`zp’);

Now all you have to do is paste those 3 lines that are generated into your wp-config.php file. Obviously don’t use these phrases here. Go get your own so that they are randomly unique to your blog.

If You’ve Been Hacked

If your WordPress blog was hacked, say, because it hadn’t been updated in a while you are going to want to take some extra precautions.

For starters you obviously need to go through your blog and make sure all potentially malicious code has been removed. An easy way to double check you’ve got it all is to search your posts and pages for a snippet of the offending code.

Then, since you’ve been hacked you also need to change all passwords for any user profile that has access to change your blog content. If the user account’s role is higher than “Subscriber” change the password, especially on your own account!

That last step is crucial. In a lot of the hacking attacks on WordPress, the hackers are breaking in to older WordPress blogs and stealing the login usernames and passwords. Often they don’t do anything with the access they’ve gained until the blog owner upgrades the blog so that it appears like the newer version is vulnerable. runs on the Genesis Framework

affiliate program logo

The Genesis Framework empowers you to quickly and easily build incredible websites with WordPress. Whether you're a novice or advanced developer, Genesis provides the secure and search-engine-optimized foundation that takes WordPress to places you never thought it could go. It's that simple - start using Genesis now!

Check out these incredible features and wide selection of designs. There are so many to choose from they created this handy theme chooser to help you find the perfect theme for your needs. With automatic theme updates and world-class support included, Genesis is the smart choice for your WordPress website or blog.

Or you can even Become a StudioPress Affiliate yourself to start earning today!


  1. This writeup is just one more reason I count myself blessed to know you, Chris! It still gives me a case of the heebie-jeebies when I think about tinkering with WP, but I’m really glad there are folks like you that understand it.

    A tip o’ the Middle Zone hat to ya!

  2. As one of the WP users, I would say that you always need to put the first priority to the website security problem, as if you neglected it, then you’ll surely suffered with it in the end!

  3. You rock! I’ve bookmarked this and will follow your instructions!

  4. I’m with Robert and Seo Company, I don’t understand the first thing about this stuff, but glad there’s people like you that do.

  5. This is just way to technical for me, which is why I love the simpler, albeit much less robust, Tumblr for my blog.

  6. I’m so glad you posted this! I never thought about the fact that updates do not modify the config file.

Comment Policy: Your words are your own, so be nice and helpful if you can. Please, only use your real name and limit the number of links submitted in your comment. If in doubt, please take a moment to review our full Comment Policy before you click "Post Comment" so we don't mark your comment as spam.

Speak Your Mind