Weak WordPress security key
Description
WordPress defines eight secret constants in the wp-config.php configuration file: four keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY) and four matching salts (AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT). Each key is concatenated with its salt to form the secret behind the HMACs that sign authentication cookies and nonces. Cookies are not encrypted, they are signed, so the secrecy and unpredictability of these values is what prevents a third party from producing a cookie or nonce that WordPress will accept. Each value should be a long, cryptographically random string that is unique to the installation.
This finding indicates that one or more of these values is weak or predictable: it matches an entry in a common wordlist or dictionary, such as the stock 'put your unique phrase here' placeholder, a plain word, or a short string. An attacker who guesses the secret can compute valid cookie signatures and nonces, which undermines WordPress's cookie-based authentication and its CSRF protection. Current WordPress versions ignore the exact placeholder string (and any value reused across several constants) and fall back to random salts stored in the database, but any other weak value is used exactly as written.
Remediation
Replace all weak WordPress security keys with cryptographically strong random values immediately:
Step 1: Generate new security keys by visiting the official WordPress Salt Generator at https://api.wordpress.org/secret-key/1.1/salt/ (each request returns a fresh block of all eight define() lines with 64-character random values). On a host with WP-CLI installed, wp config shuffle-salts regenerates all eight values in place and makes Steps 2 to 4 unnecessary.
Step 2: Locate and open the wp-config.php file in your WordPress installation root directory
Step 3: Replace the existing security key and salt definitions with the generated block. The section has the shape shown below; in your file the 'put your unique phrase here' placeholder on every line must be replaced by the generated 64-character random string, never left as-is, and no value should be reused for more than one constant or on more than one site:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
Step 4: Save the file and upload it to your server, replacing the existing wp-config.php. Confirm that the file is not readable through the web server and is not committed to version control, since the new values are only as secret as the file that holds them.
Note: Changing these keys invalidates the signatures on all existing authentication cookies, so every user (including you) will be logged out and must log in again. Plan the change during a maintenance window and notify users accordingly. Rotate the keys again whenever wp-config.php may have been exposed, for example after a backup leak or a compromised hosting account.
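The following script is an added example, not part of this page or of WordPress itself. It implements the check described above (flag key and salt values that are placeholders, dictionary words, short, or low in entropy) and the remediation (rewrite every define() with a fresh CSPRNG-generated value in the same 64-character form the WordPress generator produces). The wp-config.php fragment, the wordlist, and the thresholds are constructed for the demonstration; the character set is modelled on the one the WordPress generator uses and is an assumption rather than something this page states.

```python
import re
import secrets
import string

# Constructed wp-config.php fragment (not from any real site). The values are
# deliberately mixed: the stock placeholder, a dictionary word, a short string,
# and one genuinely random value for comparison.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'password');
define('LOGGED_IN_KEY',    'abc123');
define('NONCE_KEY',        'T+5kv|3q}R9m$Lw@Zp<e^2Jx!Y]u7G(hC#sNf&d~H8bM*a_VQ4r%oi1Wn[0A:t/');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""

WP_SECRET_CONSTANTS = (
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
)

# Tiny constructed wordlist standing in for the dictionaries a scanner uses.
WEAK_WORDLIST = frozenset({
    'put your unique phrase here', 'password', 'changeme', 'secret',
    'wordpress', 'abc123', '123456',
})

MIN_LENGTH = 32        # the official generator emits 64 characters
MIN_DISTINCT = 16      # a 64-char random draw from ~90 symbols has far more

# Assumption: same symbol set as the WordPress generator. It omits ' " and \
# so a value can sit inside a PHP single-quoted string without escaping.
SECRET_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

# define('NAME', 'value');  with either quote style and any spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*(?P<q1>['"])(?P<name>[A-Z_]+)(?P=q1)\s*,\s*"""
    r"""(?P<q2>['"])(?P<value>.*?)(?P=q2)\s*\)\s*;"""
)


def parse_secrets(config_text):
    """Return {constant: value} for the eight key/salt constants found."""
    return {m.group('name'): m.group('value')
            for m in DEFINE_RE.finditer(config_text)
            if m.group('name') in WP_SECRET_CONSTANTS}


def weakness_reasons(value, wordlist=WEAK_WORDLIST):
    """List why a value is weak; an empty list means it passed every check."""
    reasons = []
    if value.strip().lower() in wordlist:
        reasons.append('in wordlist')
    if len(value) < MIN_LENGTH:
        reasons.append(f'shorter than {MIN_LENGTH} characters')
    if len(set(value)) < MIN_DISTINCT:
        reasons.append('low character diversity')
    classes = (any(c.islower() for c in value), any(c.isupper() for c in value),
               any(c.isdigit() for c in value),
               any(c in string.punctuation for c in value))
    if sum(classes) < 2:
        reasons.append('single character class')
    return reasons


def audit(config_text):
    """Map each of the eight constants to its weakness reasons ('missing' if absent)."""
    present = parse_secrets(config_text)
    return {name: weakness_reasons(present[name]) if name in present else ['missing']
            for name in WP_SECRET_CONSTANTS}


def generate_secret(length=64):
    """CSPRNG-backed value of the same shape the WordPress generator returns."""
    return ''.join(secrets.choice(SECRET_CHARSET) for _ in range(length))


def rotate_secrets(config_text, names=WP_SECRET_CONSTANTS):
    """Return (rewritten config, fresh values). Every listed define() gets a new
    random value; constants that were absent are appended so WordPress does not
    fall back to database-stored salts."""
    fresh = {name: generate_secret() for name in names}

    def repl(m):  # a callable replacement avoids backslash handling in re.sub
        name = m.group('name')
        return f"define('{name}', '{fresh[name]}');" if name in fresh else m.group(0)

    rewritten = DEFINE_RE.sub(repl, config_text)
    already = parse_secrets(config_text)
    for name in names:
        if name not in already:
            rewritten += f"define('{name}', '{fresh[name]}');\n"
    return rewritten, fresh


if __name__ == '__main__':
    for name, reasons in audit(SAMPLE_WP_CONFIG).items():
        print(f"{name:17s} {'OK' if not reasons else 'WEAK: ' + ', '.join(reasons)}")
    fixed, _ = rotate_secrets(SAMPLE_WP_CONFIG)
    print(fixed)
```

Run it against a copy of the real file rather than in place, diff the result, and only then overwrite wp-config.php; the audit alone is enough to confirm whether the finding still applies after the change.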