Securing wp-config.php

For the past week or so, our server admin, Matt Critcher, and I have been battling the “pharma-hack” in several WordPress installations, this website included. Long story short, we still haven’t been able to completely eradicate this exploit but I feel like we are getting a lot closer. This afternoon Matt advised that I go through some of our exploited sites and secure the wp-config.php files by adding security keys to them. There is even a generator on the WordPress.org website that you can use to generate these keys…

The process is simple, just generate a new set of security keys and place them inside your existing wp-config.php file. The generated keys will look something like this:

<pre>define('AUTH_KEY',         't`DK%X:&gt;xy|e-Z(BXb/f(Ur`8#~Uz|');
define('SECURE_AUTH_KEY',  'D&amp;ovlU#|CvJ##uNq}bel+^MFtT&amp;.bj');
define('LOGGED_IN_KEY',    'MGKi8Br(&amp;{H*~&amp;0s;{fer[hOBk!ry^');
define('NONCE_KEY',        'FIsAsXJKL5ZlQo)iD-pt?aNwI|siOe');
define('AUTH_SALT',        '7T-!^i!0,w)L#JK@pcD;Vcy8,S)-&amp;G');
define('SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u=|n#=]@]c #');
define('LOGGED_IN_SALT',   'w&lt;$4c$Hmd%/*]`}qG(GaVDEsn,~*4i');
define('NONCE_SALT',       'a|#h{c5|P &amp;xp]t=]V&lt;`}.py(wTP%%');

What this will do is invalidate any existing cookies that might be out there. It’s obviously not the complete fix for the “pharma-hack” that I have been looking for but it only takes a second and could save you some potential heartache down the road from other exploits.