WordPress Salts & Keys: In December 2017, some 1.4 million WordPress login credentials were reportedly stolen. Shortly afterwards, a massive brute force attack was launched by a group of hackers on hundreds of thousands of websites. Of course, site owners swung into action and began resetting their login credentials. While it’s a good security practice to use unique usernames and strong passwords, there is so much you can do to guide your site users to follow safe login practices. Despite the measures you take to implement good login practices, leaving your site’s security to users is not a good idea. This is why WordPress uses a set of security keys or secret keys.

These keys are random variables used to improve the encryption of login information stored in the browser cookie. (A cookie is a small file stored in the browser when you visit a website. It contains a bit of information like the login credentials of the website that you signed in). Owing to security salts and keys, even if your login credentials are compromised, hackers will find it hard to read them.

What Are WordPress Security Keys & Salts?

To understand the exact functions of the security key and WordPress salts, let’s take an example. Say, you have a password like ‘test-password’ which is very simple and can easily be broken by a hacker. Keys are random variables added to your password. They help improve the encryption of login information stored in the cookie. Whenever you log in, your password is stored by your browser cookie so that you don’t have to sign in again and again. With the help of security keys, you can make the stored password harder to crack if hackers somehow manage to get their hands on it.

WordPress SALT is used to further enhance the security of the password. Keys and salts are both combined to create an encrypted password that is stored in your browser cookies.

You can find both WP salts and security keys in the wpconfig.php file. WordPress generates four security keys and salts in the wp-config.php file. After a fresh WordPress install, this is how the WordPress secret keys and salts look:

define(‘AUTH_KEY’, ‘put your unique phrase here’);

define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);

define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);

define(‘NONCE_KEY’, ‘put your unique phrase here’);

define(‘AUTH_SALT’, ‘put your unique phrase here’);

define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);

define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);

define(‘NONCE_SALT’, ‘put your unique phrase here’);

You need to generate security keys and WordPress salts and replace the ‘put your unique phrase here’ with random variables you just generated.

How to Generate Security Keys & WordPress Salts?

You can easily change WordPress security keys and salts. The WordPress Foundation provides a WordPress key generator that creates random values for secret keys and salts. Visit the following link: https://api.wordpress.org/secret-key/1.1/salt/.

Copy the values you get from the link and then paste it in your wp-config file.

Step 1: To access the wp-config.php, open your web host account and go cPanel. Select File Manager, and it’ll take you to a page that looks somewhat like this:

wordpress salts

Step 2: On the left-hand side, you can see the public_html folder where you’ll find the wp-config file.

wordpress salts

Step 3: Right click on the file and select Edit.

wordpress salts

Replace the ‘put your unique phrase here’ with the variables you just generated.

wordpress salts

And that’s it. That’s how you generate and insert unique keys and WordPress salts on your website.

What if I Don’t use the Security Keys & WordPress Salts?

Given the importance of WordPress security keys and salts, if you fail to generate security keys, then WordPress will generate its own salts and keys and store it in the database (in the ‘options’ table). Later if you decide to generate your own security keys and WP salts, WordPress will automatically replace the old keys and salts with the new values.

Why Manually Generate the Keys If WordPress Auto-Generates Them?

Generating keys and salts and storing them in the config file are generally considered a good security practice. Your browser cookie where your login credentials are stored is created by combining the password hash and security keys and WordPress salt. The password hash is stored in the database. Consider a situation where the hacker can access your database but not the config file. They’ll need access to both the database and the files to be able to gain admin access for your site.

Hence storing the secret keys in the config file helps strengthen the security of your site. That said, it is recommended that you also protect the wp-config.php that’ll further secure the secret keys and salts. You can achieve this by doing two things: move the location of the file and change permission to access.

How to Hide wp-config File?

All WordPress websites store the ‘wp-config’ file in the ‘public_html’ folder. It’s a common knowledge. If your site is a target, hackers know where to look for in order to modify your config file. To hide the file, you can move it out of the public_html folder.

Although changing the location of the file ensures that hackers can’t find it, some developers are reluctant to use this measures. Take a look at this discussion as it may help you make a decision. That said there are plenty of developers who think it’s a good idea to change the location of the wp-config file.

Here’s how you can hide the location of the wp-config.php file:

Step 1: To access the wp-config.php, open your web host account and go cPanel and select File Manager.

Step 2: On the left-hand side, there’s a public_html folder. In this folder, you’ll find the wp-config file. Right-click and select Move.

wordpress salt

This is the current location of the wp-config.php. It’s inside the public_html folder.

wordpress salt

To move it outside, replace /public_html with to /wp-config.php. The file will now be stored as /wp-config.php. And don’t worry WordPress will pick up the configuration from here.

wordpress salt

Secure the wp-config.php File

Another security measure that you can take is to restrict file permission. Set the file permissions to 600 so that only true owners can edit the wp-config file. To change the file permission of wp-config, select the file and then choose the option ‘Permission’.

You’ll find a checkbox in which check Read and Write under the column User. This will generate the 600 permission.

secure your WordPress site

With this permission, only users can read and write in the wp-config file.

After you save the permissions you changed, you need to include the following lines in the .htaccess file. This will prevent hackers from loading the wp-config file directly from the browser.

# protect wpconfig.php 

<files wp-config.php> 

  order allow,deny 

  deny from all 


What Happens if I Change the WordPress Security Keys & Salts Later?

It is safe to change the security keys and WordPress salts whenever you want. Generate a new set of keys and simply replace the existing values in the WordPress config file. When you save the new keys, all browser cookies are invalidated which mean all existing login sessions are discarded immediately. Anyone logged in will be immediately logged out. They’ll need to log in again to access the site. Changing your salt and keys will not affect the user passwords.

Do I Have to Remember WordPress Security Keys & Salts I Just Generated?

No, after placing the security keys and WordPress SALTS in the wp-config file, you don’t have to remember them. You can change these security keys whenever you want without having any major impact on your website.

How Changing WordPress Security Keys & Salts Help in Post-Hack Situations?

When a site is hacked, all your data is compromised. One of the first things you need to do is to change the security keys and WordPress salts. Changing your salt and unique keys will invalidate all logged in users. Meaning if a hacker is logged in, changing the password will immediately log him out and prevent him from gaining access to the site. This is because the hacker had managed to access your site by cracking the previous keys which is a time consuming and difficult procedure. When you change the salt and keys, the hacker might just be discouraged from infiltrating your site again.

It’s likely that anyone who went through the whole procedure of extracting your password and cracked will strike again. Hence you should implement a number of security measures such as using an SSL certificate, implementing two-factor authentication and HTTP authentication, changing database prefix, disabling editing of themes and plugins, preventing users from installing and updating themes and plugins, enforcing the use of FTP, changing security keys, hiding the ‘wp-config.php’ file, banning IP addresses, disabling XML-RPC, disabling PHP execution and directory browsing, setting up right file permissions, using firewall, etc.

Over to You

The WordPress salts and unique keys are significant in ensuring better security of your password and by extension your website. With this post, we hope we have managed to answer all your queries on WordPress security keys and salts.

If you are looking for a wholesome WordPress security measures then take a look at this massive blog post on “guide to WordPress security”.

Share via
Copy link