Softaculous makes WordPress cloning almost too easy.
Click clone, choose a domain, wait a moment, done. New site. Same layout, same plugins, same content, same settings.
Perfect.
Except "same everything" also includes wp-config.php.
Inside wp-config.php, WordPress stores authentication keys and salts. These are used for login cookies, sessions, nonces, and other security checks. In simple terms: they help WordPress know that this site is this site.
And they should be unique for every WordPress installation.
When you clone a site with Softaculous, a staging tool, a backup plugin, or a migration plugin, the cloned site may still carry the same auth keys as the original.
Most of the time, nothing dramatic happens - until things get weird.
Users may be logged out unexpectedly. Nonces may fail. Object cache may behave strangely. One WordPress install may act like it had too much coffee.
This becomes more relevant when you use Redis, Memcached, APCu object cache, staging copies, template installs, or many WordPress sites on one machine. The more similar the cloned sites are, the more important clean separation becomes.
Check Your Auth Keys
Rotating the auth keys is a small step, but it gives each cloned WordPress install its own identity again.
The atec-Auth-Keys plugin by atec Plugins can do this for you.
It does one focused job: it randomizes the authentication keys and salts in wp-config.php. Open the plugin, click the button, done. The only requirement is that WordPress can write to the wp-config.php file.
Changing the keys will log users out. That is expected. It does not change posts, pages, users, plugins, themes, or settings.
It just tells WordPress:
"This is now a separate site. Please behave like one."
So after cloning a WordPress site with Softaculous, do not only check the domain, database, and permalinks.
Check the auth keys too.
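One way to run that check across many installs on one machine, as an added example (not code from Softaculous or the atec-Auth-Keys plugin): it parses the eight key and salt constants from each wp-config.php, groups installs that share the same set, and flags files that are incomplete or still hold the sample placeholder. The paths and values in SAMPLE are constructed, and the function names are my own.

```python
import hashlib
import re
import sys
from collections import defaultdict

# The eight auth constants WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
# Matches uncommented define( 'NAME', 'value' ); lines.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""", re.M)

def parse_keys(text):
    """Return {constant: value} for the auth keys and salts in the text."""
    return {n: v for n, _q, v in DEFINE_RE.findall(text) if n in KEY_NAMES}

def fingerprint(keys):
    """Hash the values so a report never contains the secrets themselves."""
    joined = "\0".join(keys.get(n, "") for n in KEY_NAMES)
    return hashlib.sha256(joined.encode()).hexdigest()[:16]

def audit(configs):
    """configs: {path: file text}. Returns (shared_groups, weak_paths)."""
    groups, weak = defaultdict(list), []
    for path, text in sorted(configs.items()):
        keys = parse_keys(text)
        if len(keys) < len(KEY_NAMES) or PLACEHOLDER in keys.values():
            weak.append(path)  # missing constants or never randomized
        else:
            groups[fingerprint(keys)].append(path)
    return [p for p in groups.values() if len(p) > 1], weak

def _sample(seed):
    # Constructed stand-in for a wp-config.php; values are not real secrets.
    return "\n".join(f"define( '{n}', '{seed}-{n.lower()}' );" for n in KEY_NAMES)

SAMPLE = {  # constructed paths: an original, its clone, and two other sites
    "/home/a/public_html/wp-config.php": _sample("orig"),
    "/home/a/public_html/staging/wp-config.php": _sample("orig"),
    "/home/b/public_html/wp-config.php": _sample("other"),
    "/home/c/public_html/wp-config.php":
        _sample("orig").replace("orig-auth_key", PLACEHOLDER),
}

if __name__ == "__main__":
    # Pass real wp-config.php paths as arguments; falls back to SAMPLE.
    configs = {p: open(p, encoding="utf-8", errors="replace").read()
               for p in sys.argv[1:]} or SAMPLE
    shared, weak = audit(configs)
    print("installs sharing one key set:", shared)
    print("incomplete or placeholder keys:", weak)
```

Any group it reports is a set of installs that needs its keys rotated on all but one member.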