Site Kit stores OAuth credentials in the WordPress database. For security reasons, these credentials are encrypted. In order for encryption and decryption to work, Site Kit needs to have access to certain security constants, which need to remain unchanged and should not be altered regularly, preferably not at all.

By default, Site Kit relies on the LOGGED_IN_KEY and LOGGED_IN_SALT constants that are typically found in every wp-config.php file and usually work as expected. However, if you are using a plugin or other mechanism that regularly updates the values for these constants, you will run into problems with Site Kit as the values will no longer be able to be used to decrypt the Site Kit credentials that are stored in the database.

As a general best practice, but even more importantly to prevent problems like the above, it is recommended for users of Site Kit to specify two additional constants in their wp-config.php file: GOOGLESITEKIT_ENCRYPTION_KEY and GOOGLESITEKIT_ENCRYPTION_SALT. These keys can receive any combination of characters, preferably at least 32 characters. Once set, they should never be changed. An easy way to get to solid values for these constants is to copy some of the values from https://api.wordpress.org/secret-key/1.1/salt/ and use them. Eventually, you should have additional code like the following in your wp-config.php file:

define( 'GOOGLESITEKIT_ENCRYPTION_KEY', 'put your unique phrase here' );
define( 'GOOGLESITEKIT_ENCRYPTION_SALT', 'put your unique phrase here' );

If you are adding these constants after you have already configured Site Kit, you may run into issues since the plugin will use the new constants instead of the old ones. To avoid that, you can copy over the values from the LOGGED_IN_KEY and LOGGED_IN_SALT constants to the new GOOGLESITEKIT_ENCRYPTION_KEY and GOOGLESITEKIT_ENCRYPTION_SALT constants so that they do not change. If you prefer to use new values, you will need to reset the plugin and reconnect your account.

Note: Extreme care should always be taken when editing your wp-config.php file. Before editing this file, we strongly recommend generating a back-up copy of your full site as well as a copy of your wp-config.php file in the event that you need to undo any changes. If you’re unsure about how to do this, please speak with your web designer or technical contact.