Well, AUTH_KEY and it´s brothers where introduced in WordPress 2.6 to improve safety for logged in users. They are used to encrypt and validate the information in your backend login cookie.
While revealing the AUTH_KEY alone might not be a real security issue, you should nevertheless not output/use this anywhere to give less surface for attacks.
Furthermore I don´t see why you would use the AUTH_KEY to prepare a folder/download link. I think it would be much better to use something like time() to generate folder names if you want randomness or uniqueness or whatever without compromising the security of the system.
Update: I opened a thread in the plugins support area. Let´s see if the author responds to it.
Related Posts:
- Unwanted Links and Spam WordPress Pages and Posts
- I found this in a plugin. What does it do? is it dangerous?
- Disabled plugins are they security holes – rumor or reality?
- What could a hacker do with my wp-config.php
- How Can I Securely Implement a Password-less Login Feature?
- Security and .htaccess
- Are there procedures to prevent malicious plugin updates?
- Should we use plugins that aren’t available from the official WordPress site?
- Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
- Where should my plugin POST to?
- Security error WP 4.0 + WP phpBB Bridge [closed]
- Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
- Disabled plugins are security holes – rumor or reality?
- Should I use RIPS tool to test my themes and plugins?
- Author Specific URL’s in WordPress
- While Using Static Pages, How Can I Get /blog into the URL of Each Post?
- Prevent Brute Force Attack
- Upgrading WordPress 4.0 asks for FTP password
- I need to generate the CSS for my plugin from a function, how do i map a request to a function in the front-end?
- How Restrict access to admin dashboard by specific static ip?
- When is it useful to use wp_verify_nonce
- Protecting against malicious code in WordPress plugin updates
- How can I pass a variable to a page with a SEF url?
- custom taxonomy and custom post type url conflict
- rms_unique_wp_mu_pl_fl_nm.php
- Weird problems after recovery from security breach
- How can we deal with unmaintained plugins with vulnerabilities?
- Security issues with WP sites
- Escape when echoed
- Preventing BFA in WordPress without using a plugin
- Best way to hook a custom url?
- How can I make uploaded images in the editor load with HTTPS?
- Changed permalink structure. Need help with redirecting old posts
- How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
- WordPress filter that hook after each action/filter hook
- The safest way to automate WordPress backups
- wp_create_nonce function doesn’t work inside a plugin?
- How can I change a plugin’s URL?
- Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
- Nonce failing on form submission
- Why can’t I access my Intranet LDAPS with NADI?
- WordPress shows error related to allow_url_fopen
- Ability to automatically redirect a URL
- Stop Plugin Enumeration [closed]
- URL parameters causing 404 on home page, but nowhere else
- Hack-Proof OR Security in WordPress — is it real?
- Redirect to another page using contact form 7? [closed]
- Security and Must Use Plugins
- Is Timthumb still broken? What security measures should be taken?
- Is it safe to use admin-ajax.php in the frontend?
- How to protect WordPress from security scanner [closed]
- Specific way to allow WordPress users to view their current password? And edit it?
- How to prevent plugins from sniffing/stealing other plugins’ options?
- How to deal with Slow HTTP POST (slowloris) vulnerability
- Running multiple security plugins
- Need to change link URL embedded in multiple posts to new link URL
- how to replace hostnames on certain external links?
- How to rewrite URL and get the values?
- How to access the WordPress DB from a plugin file
- If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
- WP Insert Post If user refreshes override new post
- 404 errors when updating options in admin dashboard
- Website Captcha Error: The reCAPTCHA wasn’t entered correctly
- WordPress search shows protected content
- How to hide particular plain text with link from different subscribers
- Can I disable xml-rpc by setting it to false?
- Help to Create a Simple Plugin to make a post
- Add a parameter at the end of the url and prettify
- Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
- insert og image link in wordpress post
- How to generate expiring URL of the page?
- Having multiple URL structure for wordpress blog
- “Fire Secure” menu item
- Some resources of my website are pointing to www.mysite.com/dev/ and trying to get rid of that append has been a headache
- How do you remove question mark in URL in get method?
- https rewrite not working for All in one security Brute force > rename login url
- WordPress drop domain alias
- URL Case Sensitivity (Unbounce Landing Pages)
- Infinite 301 redirects after definitions in “Redirections” plugin?
- Redux framework somehow added to my site, can’t locate in plugins
- Using permalinks with parameters
- wp_verify_nonce fails always
- Validating values using Settings API?
- How To Rewrite WordPress Pages URL Only?
- using .htaccess only for wordpress security no plugins
- How can I process all requests for a given directory in a URL with my plugin?
- Why links are not linked if edited comment?
- Problem with permissions in wp-content/plugins
- My WP site and password was hacked, what to do? [closed]
- map urls to plugins
- How to resolve these findings from security audit
- Fetching Video From YouTube Automatically [closed]
- How I can hide my wp folders from Inspect Element (Developer Tools)
- How to Find WordPress site has backdoor login Codes
- How to create a custom wordpress plugin for a specific functionality?
- How to rename files during upload to a random string?
- Is it a good idea to restrict the REST API
- WordPress.Security.NonceVerification.Recommended
- How to Handle? vp_page Parameter in WordPress and Resolve Google Search Console Validation Issues?
- Trying to Find the PHP File/Function that Handles a Specific Form Action URL