Security in WordPress cookies

Last Revised: October 2, 2021

Securely storing the information that identifies who is browsing your WordPress site is important, which is why it is also important to know where and how that information is stored (and that it is secure). To do this, in a simple installation of WordPress, we will explicitly define where the cookies are stored so that they are not so easily accessible.



The COOKIEHASH constant uniquely identifies your site. The following code typically runs if it is not configured in wp-config.php.

if ( !defined( 'COOKIEHASH' ) ) {
  $siteurl = get_site_option( 'siteurl' );
  if ( $siteurl )
    define( 'COOKIEHASH', md5( $siteurl ) );
  else
    define( 'COOKIEHASH', '' );
}

This means that, as a general rule, the value will be an MD5 of our URL. If we want to make it more secure, it is best to make the identifier more complex.

define( 'COOKIEHASH', 'qLk9K5wdF4SwcwbMRNWP3kwscBJqcWtYmTvA' );

NOTE: Replace the sample string above with one generated on this site.

The names of these cookies are generated from the previous constant (COOKIEHASH), so in principle you do not have to configure them at all. Their format is as follows:

if ( !defined('USER_COOKIE') )
  define('USER_COOKIE', 'wordpressuser_' . COOKIEHASH);
if ( !defined('PASS_COOKIE') )
  define('PASS_COOKIE', 'wordpresspass_' . COOKIEHASH);
if ( !defined('AUTH_COOKIE') )
  define('AUTH_COOKIE', 'wordpress_' . COOKIEHASH);
if ( !defined('SECURE_AUTH_COOKIE') )
  define('SECURE_AUTH_COOKIE', 'wordpress_sec_' . COOKIEHASH);
if ( !defined('LOGGED_IN_COOKIE') )
  define('LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH);

TEST_COOKIE, as the name suggests, is a test cookie, to verify that there is WordPress. It is another of the cookies that does not require configuration, since it is generated automatically.

if ( !defined('TEST_COOKIE') )
  define('TEST_COOKIE', 'wordpress_test_cookie');



COOKIEPATH indicates the “path” to which the cookies apply. If, for example, your site is hosted in the root folder of the domain, the path would be “/”, but if it is in a folder, it would be that of the folder, “/blog/”.

if ( !defined('COOKIEPATH') )
  define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_option('home') . '/' ) );

If you want to set it manually, you can do it with the following constant:

define('COOKIEPATH', '/inicio/');


SITECOOKIEPATH is similar to the previous constant, although it is specific to where the /wp-admin/ folder is located. Here we set the part of the URL path that comes in front of the administration panel.

if ( !defined('SITECOOKIEPATH') )
  define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_option('siteurl') . '/' ) );

If you want to set it manually, you can do it with the following constant:

define('SITECOOKIEPATH', '/');

Building on the previous constant, ADMIN_COOKIE_PATH holds the path where the administration panel is located. If you change your panel address, you should change it here as well.

if ( !defined('ADMIN_COOKIE_PATH') )
  define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'wp-admin' );

By default, it would be this:

define( 'ADMIN_COOKIE_PATH', '/wp-admin' );

As in the previous case, if you change the folder where cookies are stored, you must also change the folder of your plugins…

if ( !defined('PLUGINS_COOKIE_PATH') )
   define( 'PLUGINS_COOKIE_PATH', preg_replace('|https?://[^/]+|i', '', WP_PLUGIN_URL)  );

By default, it would be this:

define( 'PLUGINS_COOKIE_PATH', '/wp-content/plugins' );


COOKIE_DOMAIN is blank by default, although you can force a value. It is basically about which domain (or rather, hostname) the cookies are set for.

if ( !defined('COOKIE_DOMAIN') )
   define('COOKIE_DOMAIN', false);

By default you can omit it or, for example, set your domain:

define('COOKIE_DOMAIN', '');

With this, the cookies will be set on the corresponding main domain and then scoped by folder according to who needs them. Users of the admin panel will only have their cookies available when they are in the dashboard. The plugins will only have access to their cookies…
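To see what these defaults resolve to for a concrete site, the following added example (not part of the original article, and not WordPress's own code) reproduces the derivations quoted above outside WordPress. The helper name wp_cookie_layout() and the example.com URLs are assumptions made for illustration.

```php
<?php
// Added example: stand-alone reproduction of the defaults quoted on this page.
// wp_cookie_layout() is a hypothetical helper, not a WordPress function.

function wp_cookie_layout( string $home, string $siteurl, ?string $cookiehash = null ): array {
    // Default COOKIEHASH is md5( siteurl ); a custom value replaces it.
    $hash = $cookiehash ?? md5( $siteurl );

    // Same regex as the page's COOKIEPATH / SITECOOKIEPATH defaults:
    // strip scheme and host, keep the path with a trailing slash.
    $strip = static fn( string $url ): string =>
        preg_replace( '|https?://[^/]+|i', '', $url . '/' );

    $sitecookiepath = $strip( $siteurl );

    return [
        'COOKIEHASH'         => $hash,
        'AUTH_COOKIE'        => 'wordpress_' . $hash,
        'SECURE_AUTH_COOKIE' => 'wordpress_sec_' . $hash,
        'LOGGED_IN_COOKIE'   => 'wordpress_logged_in_' . $hash,
        'COOKIEPATH'         => $strip( $home ),
        'SITECOOKIEPATH'     => $sitecookiepath,
        'ADMIN_COOKIE_PATH'  => $sitecookiepath . 'wp-admin',
    ];
}

// Constructed sample: site served from /blog/, core files in /blog/wp/.
$home    = 'https://example.com/blog';
$siteurl = 'https://example.com/blog/wp';

// 1) What is derived when wp-config.php sets none of the constants.
$defaults = wp_cookie_layout( $home, $siteurl );

// 2) Same site with a locally generated COOKIEHASH (36 hex characters).
$custom = wp_cookie_layout( $home, $siteurl, bin2hex( random_bytes( 18 ) ) );

foreach ( [ 'defaults' => $defaults, 'custom hash' => $custom ] as $label => $layout ) {
    echo "== $label ==\n";
    foreach ( $layout as $name => $value ) {
        printf( "%-20s %s\n", $name, $value );
    }
}

// Line ready to paste into wp-config.php for the custom case.
printf( "\ndefine( 'COOKIEHASH', '%s' );\n", $custom['COOKIEHASH'] );
```

Run it with the PHP command-line interpreter (PHP 7.4 or later). With the default hash, every cookie name can be recomputed from the public site URL alone, while the custom value cannot; the paths are the same in both cases.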

A special case is WordPress Multisite installations: because they can have several hostnames, it is better for the system to configure everything automatically. It is best not to include any of these lines of code, or to leave their contents empty, so that they are managed automatically by the system.

In WordPress Multisite you will only find the constants COOKIEPATH, SITECOOKIEPATH, ADMIN_COOKIE_PATH and COOKIE_DOMAIN.


About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and to put the material you create under the EUPL license.