Wordpress Security

WordPress Security Keys & Salts – How To Generate & Change

WordPress Salt & Security Keys

WordPress security authentication or secret key or SALT keys, are the encrypted code that protects your login information.

Salt keys are cryptographic elements used to ‘hash‘ data in order to secure it. In fact, most serious platforms and systems use similar mechanisms to protect sensitive data. The process works by using the salt keys to encrypt your password when you save it in WordPress. This way, attackers can’t see your passwords in plaintext even if they somehow gain access to your database.

WordPress SALT keys form an almost unbreakable layer of defense. However, for preventive reasons, it is advisable to change WordPress salt keys periodically to provide more robustness to your website.

One way to improve your WordPress security is to change your SALT keys.

In this article, we will explain what are wordpress salts, their importance in overall site security & how to change WordPress SALT keys manually and with the help of plugins.

WordPress Salt Keys & Site Security

WordPress security is a major concern for the businesses and developers communities. 25% of the total website in the world are developed on WordPress platforms But attackers are always seen to taking benefit of various WordPress Security vulnerabilities.

In 2021, website owner and developers can not take the security of WordPress sites lightly because in the last two years huge numbers of attacks on WordPress website has been seen and result in losing businesses due to lack of knowledge of new security updates. Further in this post, we have shared a complete checklist to keep your WordPress secure.

A WordPress salt is a random combination of different letters, numbers, and characters that form a long, complex string.

WordPress salt keys are security keys that this CMS uses to authenticate user access, in order to give more protection to sessions and access credentials.

WordPress uses the SALT system to increase security and give greater flexibility to the operation.

When you access WordPress on the backend or administrator side, while you are performing the appropriate tasks, it is necessary to know that you are still connected. This could have been done with a PHP session control, but it is more secure and less cluttered if done with cookies.

To maintain the security of the cookies and to prevent that if they are stolen or hijacked they can be used to obtain the user’s password, the SALT keys are used, so that there are no easily decipherable elements in the cookies.

To better understand the role of cookies and how hackers use them to gain access to other users you must know about the WordPress XSS Attack – Exploit & Protection.

The latest version of WordPress uses four security keys, each with a corresponding salt that can enhance the security of your WordPress-powered website.

These are:

  1. AUTH_KEY can be used to make changes to the site. It helps you sign the authorization cookie for non-SSL.
  2. SECURE_AUTH_KEY is used to sign the authorization cookie for the SSL administrator and is used to make changes to the website.
  3. LOGGED_IN_KEY is used to create a cookie for a logged in user. It cannot be used to make changes to the site.
  4. NONCE_KEY is used to sign the nonce key. This key protects nonces from being generated, thus protecting your site from attacks.

You can find these authentication keys and salts in the wp-config.php file, located in the WordPress root folder.

Changing default passwords and salt passwords in WordPress on a regular basis is recommended to further strengthen the security of your website.

Where Are WordPress Salts Located?

The SALT is defined in each WordPress installation in the file wp-config.php.

As we already indicated in Installing WordPress on your lamp server, the first thing we should do is provide the security keys that our copy of WordPress will use.

These SALT keys or values must be unique for each installation.

You should see eight keys in total:

  • The first four entries are your security keys.
  • The last four entries are your WordPress salts.

Why You Need to Change Your WordPress Salts and Security Keys?

In any user or commenter session on your website, WordPress uses cookies, which are text files that contain unique information about each user in the browser, in order to verify their identity.

In the wp-config.php configuration file WordPress adds secret combinations of keys and salts to authenticate each access or login to your website. These keys and jumps improve the encryption of the password and make it almost impossible to break given the complexity of the random value of these keys.

In the aforementioned configurations file, you find predefined values ​​of keys and salts in various constants, depending on the type of task they perform within your website.

How Do WordPress Salts Work?

We recommend that they be changed, although it is not necessary to do it regularly, if from time to time. This ensures that even in the (difficult) case that someone can hijack your cookies, they will have fewer opportunities to figure out your passwords.

Security in WordPress is a primary factor for the development team, and it takes itself very seriously when adding any new features, and the user login and access aspect is no exception. Therefore WordPress includes unique keys in each new installation, in order to establish a unique value for each user.

Today we will show you how to change WordPress keys and salts to improve security and make it difficult for hackers to hack your wordpress site.

Here, you can also read the 21 Best WordPress Security Tips & Tricks 2021, to know about WordPress security tips from the experts.

How to change your WordPress salt and security keys?

There are two ways to change your salts and keys:

  • You can change it manually
  • You can use a plugin to change WordPress Salt (recommended)

Change WordPress Salts manually

To change WordPress keys and salts, you go to the wp-config.php file and find the lines that appear as in the image, and simply copy instead new values ​​that you get from the WordPress Salts API.

The keys are defined in the wp-config.php file, in the root directory of your installation. You must access that file through an FTP or SSH account (whatever your hosting service determines) and edit the file (it is a plain text file).

Then locate a block similar to this:

define ( 'AUTH_KEY' ,          '1jl / vqfs &; XhdXoAPz9 ... ... ... c_j {iwqD ^ <+ c9.k <J @ 4H' ) ;

define ( 'SECURE_AUTH_KEY' ,   'E2N-h2] Dcvp + aS / p7X ... ... ... {Ka (f; rv? Pxf}) CgLi-3' ) ;

define ( 'LOGGED_IN_KEY' ,     'W (50, {W ^, OPB% PB <... ... ... 2; and &&, 2m% 3] R6DUth [; 88' ) ;

define ( 'NONCE_KEY' ,         'll, 4UC) 7ua + 8 <! 4VM + ... ... ... # `DXF + [$ atzM7 or ^ -C7g' ) ;

define ( 'AUTH_SALT' ,         'koMrurzOA + | L_lG} kf ... ... ... 07VC * Lj * lD &&? 3w! BT # -' ) ;

define ( 'SECURE_AUTH_SALT' , 'p32 * p,] z% LZ + pAu: VY ... ... ... C-? y + K0DK_ + F | 0h {! _ xY' ) ;

define ( 'LOGGED_IN_SALT' ,    'i ^ / G2W7! -1H2OQ + t $ 3 ... ... ... t6 ** bRVFSD [Hi]) - qS` |' ) ;

define ( 'NONCE_SALT' ,        'Q6] U: K? j4L% Z]} h ^ q7 ... ... ... 1% ^ qUswWgn + 6 &&%' ) ;

Change the values ​​on the right (contained in single quotes ”).

You don’t need to change the entire character string, just add a character at the beginning or end, or in the middle of the string, the value of the key is completely different.

It is advisable to regenerate new keys and salts for your website from time to time, as if they were a password, from the WordPress salts API that it offers on its official page, and that generates a strong and random combination every time you refresh the page.

Changing the keys and salts of your WordPress site is a good practice to improve security and that makes it even more difficult for malicious people, who are stalking the most unsuspecting.

Now, we have explained how to change the WordPress salts keys manually in the wp-config.php file of the configuration, however, you are not comfortable with editing files manually, next we will explain how to do it automatically.

Change WordPress Salts Using a Plugin

However, manually modifying your keys can be more risky and time-consuming, as you have to manually modify the main file and download it using it. And if you don’t do it right, the process can even damage your website.

But, don’t worry, you can just use a plugin to change your WordPress salt keys without having to edit the eight Salt Keys variables in your site’s wp-config.php file.

Before making any such changes, we recommend creating a full backup of your website and database, to prevent any unpleasant events.

Updating your keys & salts will force all logged in users to log in again because changing them automatically invalidates the login of any user logged in to the site. For example, if you have any suspicions of a hack, updating your security keys and salts will force the logout and re-authentication of all logged in users.

You can further increase the security of WordPress by exploring 26 Best WordPress Security Plugins in 2021. The selection of plugins for the protection of WordPress is also important. The plugin, which has very frequent updates and less vulnerability should be the first choice.

iThemes Security

The current version of iThemes Security (Free v4.6 + or iThemes Security Pro v1.14 +) comes with a time-saving security feature that easily updates WordPress security keys and exits. It offers a monthly update reminder and eliminates the need to manually generate a new set of keys or edit your wp-config.php file.

To update keys and sales, go to the ‘WordPress sales’ section in the’ Advanced ‘tab, click on the checkbox next to’ Change WordPress sales’ and finally click on the ‘Change button ‘WordPress’ sales.

IThemes Security Pro offers additional features like two-factor authentication, scheduled malware scanning, and reCAPTCHA to detect malware and add an extra layer of security to your WordPress login pages.

Adding reCAPTCHA to WordPress site ensures that only humans can access your login pages, preventing automated bots from attempting to log in and causing damage. This feature can be particularly useful in preventing brute-force attacks, where bots repeatedly try to guess usernames and passwords until they gain access.

Salt Shaker plugin

The job of this plugin is to change the salt keys that you use now in the configuration file (wp-config.php) of your website and use new ones instead, in a more “clean” and automated way.

This plugin adds a section in Tools ≫ Salt Shaker where a configuration page appears, from which you can program the change of WordPress salt keys periodically, or change them at the same moment.

Be careful that, when you change the security keys and leave your WordPress, all the sessions of the connected users will automatically be closed, including yours, to access again.

We inform you that changing WordPress salt keys is not enough to protect your website completely, and it is necessary that you use one of the security plugins that solve other protection aspects.


To sum up, here are a few things to keep in mind when updating WordPress security keys and salts.

After launching your WordPress site, change the security keys and salts.

Always use the WordPress salt key generator to create security keys. Don’t do it yourself, get help from WordPress security experts. Alternatively, you can or automate the process using a WordPress plugin.

Updating WordPress security keys and salts will invalidate all existing cookies, causing all users to log out instantly. So when you change them, keep in mind that some users may be online.

If you see signs of an attack on your site, update the WordPress security keys and encourage your users to change their passwords.

We also recommend you see our WordPress security checklist guide that will give you a more panoramic and complete vision of how to protect your WordPress site.

We are inviting you to check your website in our Malware scanner tool. Our WordPress Malware scanner tool is capable to detect malicious code and vulnerabilities in WordPress Security. Our WordPress security advisor will fix all these issues and fill the loophole in WordPress security.

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)

Tags: WordPress Security Tips