Resetting WordPress Security Keys

Several people have recently come to me asking for help identifying and remediating hacks against their WordPress blogs. Many of the online tutorials fail to address attackers who maintain persistence by changing user passwords and staying logged in to WordPress. Even if you reset the password, the attacker can still make changes because their cookies remain valid. By default, WordPress keeps users logged in for 48 hours, or for 14 days if the "Remember Me" box is checked.

Since version 2.6, WordPress has included security keys that strengthen the protection of the information stored in its cookies. If you change these keys, all previously issued cookies become invalid and an attacker who is still logged in loses access. WordPress offers a key generator that produces random keys for you, or you can simply make random changes to the existing keys. Note that this invalidates every existing cookie, so all users will have to log in again.

Here is an example of the section in wp-config.php that you will need to edit.


Okay, so to sum things up:

  • Step 1: Go to the key generator and copy all of the keys
  • Step 2: Edit the wp-config.php file and paste the keys into the keys section
  • Step 3: Save the file; the change takes effect immediately
  • Step 4: Harden your WordPress site
  • Happy WordPress blogging!
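As an added example (not part of the original post), here is a POSIX shell script that performs steps 1 to 3 without the online generator: it creates fresh random values locally and rewrites the eight define() lines in wp-config.php, warning about any key it could not find. The key and salt names are the standard WordPress ones; the config fragment in demo_config is constructed for a dry run and is not from any real site.

```shell
#!/bin/sh
# Generate one 64-character key from a character set that is safe inside a
# single-quoted PHP string and inside a sed replacement (no ' \ / & or $).
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%*()_+=' < /dev/urandom | head -c 64
}

# Print the current value of key $2 from config $1 (empty if not present).
wp_key_value() {
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}

# Replace the value of every security key and salt define() in wp-config.php
# with a fresh random value, rewriting through a temp file (POSIX sed, no -i).
# A key that is missing from the file is reported so it can be added by hand.
rotate_wp_keys() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    cp "$cfg" "$tmp"
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        value=$(wp_random_key)
        sed "s/^define( *'${name}', *'[^']*' *);/define('${name}', '${value}');/" \
            "$tmp" > "${tmp}.new" && mv "${tmp}.new" "$tmp"
        [ "$(wp_key_value "$tmp" "$name")" = "$value" ] ||
            echo "warning: ${name} not found in ${cfg}; add it by hand" >&2
    done
    mv "$tmp" "$cfg"
}

# Constructed wp-config.php fragment (not from any real site) for a dry run.
demo_config() {
    cat <<'EOF'
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
EOF
}
```

Run it against a copy of the real file first (`demo_config > test.php; rotate_wp_keys test.php`) and check for warnings before touching the live wp-config.php.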