Security keys scan

The scan

This scan checks that the security keys are properly set. These keys are long random strings that should not:

  • have a default value,
  • be saved in the database,
  • be stored 'as is' in any file.

The fix

SecuPress is going to delete the current values stored in the wp-config.php file or in the database, then create a « Must Use » plugin (a special plugin that cannot be deactivated). This plugin will dynamically generate these values. (This plugin was previously known as « Alicia ».)

What if the fix doesn't work?

If SecuPress tells you wp-config.php or the folder /wp-content/mu-plugins/ is not writeable:

  • Access your site via FTP and check the chmod for wp-config.php. It should read 0644. If it doesn't, modify the permissions and try clicking the 'fix it' button again. If you don't know what 'chmod' is, do nothing and contact our support team.
  • Access your site via FTP and check the chmod for /wp-content/mu-plugins/. It should read 0755. If it doesn't, modify the permissions and try clicking the 'fix it' button again. If you don't know what 'chmod' is, do nothing and contact our support team.

If SecuPress tells you some keys could not be edited, it means a few things:

  1. The « Must Use » plugin responsible for creating the security keys has been properly created.
  2. These keys can be stored in the wp-config.php file (in the vast majority of cases), in the database (less common), or potentially in any other file (very rare). In this last case, SecuPress can't possibly know where the keys are stored, and thus cannot delete them. They are most likely stored in another « Must Use » plugin. If you know what you're doing, you can search for « AUTH_KEY » and delete the plugin or comment out the offending lines of code. But really, we recommend you get in touch with our support team. They likely know what's best to do.

If SecuPress shows nothing but an error during the fix, it means it can't do it automatically. Here's what to do:

  1. Access your site via FTP.
  2. Edit the wp-config.php file and delete the lines about Security Keys (long strings of random characters).
  3. In your FTP client, navigate to /wp-content/mu-plugins/ (create this folder if it doesn't exist), then create a .php file with the name of your choice (except index.php) and add the code given in the link below.
  4. Relaunch the scanner.

New randomly generated keys: https://secupress.me/secupress-salt-keys/
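
To find where keys are still stored 'as is' before or after the manual fix (the search for « AUTH_KEY » mentioned above), a downloaded copy of the site files can be scanned. The following is an added example, not SecuPress code: the function names and the sample files are hypothetical and constructed, comment detection is line-based only, and keys stored in the database are not checked.

```python
import re
import tempfile
from pathlib import Path

# The eight WordPress security keys and salts.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_VALUE = "put your unique phrase here"  # placeholder shipped in wp-config-sample.php

# Matches define( 'AUTH_KEY', '<literal string>' ) with either quote style.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>%s)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)"""
    % "|".join(KEY_NAMES))

def find_hardcoded_keys(root):
    """Return (relative path, line number, key name, status) for each literal key under root."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.php")):
        if path.name == "wp-config-sample.php":  # template file, never loaded by WordPress
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            # Skip lines that are commented out (line-based check only).
            if line.lstrip().startswith(("//", "#", "/*", "*")):
                continue
            for m in DEFINE_RE.finditer(line):
                status = "default" if m["value"] == DEFAULT_VALUE else "hardcoded"
                findings.append((path.relative_to(root).as_posix(), line_no, m["name"], status))
    return findings

def demo():
    """Scan a constructed site tree (sample files, not taken from a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content" / "mu-plugins").mkdir(parents=True)
        (site / "wp-config.php").write_text(
            "<?php\n"
            "define( 'AUTH_KEY', 'put your unique phrase here' );\n"
            "define( 'NONCE_SALT', 'constructed-sample-value' );\n"
            "// define( 'LOGGED_IN_KEY', 'commented-out-sample' );\n"
            "define( 'DB_NAME', 'wordpress' );\n")
        (site / "wp-content" / "mu-plugins" / "legacy-keys.php").write_text(
            '<?php\ndefine("SECURE_AUTH_KEY", "constructed-sample-value");\n')
        return find_hardcoded_keys(site)

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

An empty result for `find_hardcoded_keys()` on the real site copy means no PHP file defines the keys as literal strings, which is the state the fix aims for.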