In articles about WordPress security, you may have come across WordPress salts or security keys, and wondered what those were. In a nutshell, they are random strings used by WordPress to encrypt your password.
Passwords are one of the most important aspects of website security, so it is worth understanding how WordPress salt keys work and more importantly, how to change them when required.
TL;DR: Change your site’s WordPress salts and security keys in seconds with MalCare. MalCare stops hackers from breaking into your website by limiting login attempts, with built-in brute force protection and an advanced firewall. It is hands-off security for everyone, so you can concentrate on other aspects of building your website.
What are WordPress salts?
WordPress salts or security keys are strings of random characters that WordPress uses to secure your username and password. The strings are mixed into your login credentials before they are hashed, a one-way cryptographic process. The result cannot be distinguished from random characters, so the credentials cannot be read out of it or used to log into your website.
The terms WordPress salts and WordPress security keys are often used interchangeably, and they always refer to the same 8 strings. There are 4 security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY), and each security key has a corresponding salt (AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT).
It is very important to keep WP salts secret, because of their role in protecting your login credentials. They are stored in the core WordPress file wp-config.php, alongside your database credentials, and should not be stored anywhere else.
What WordPress salts are used for
WordPress keeps you logged in between page loads by storing a login cookie in your browser, and the salts are used to secure the information in that cookie. Cookies are vulnerable to attack, as we have seen with cookie stealing and session hijacking, so it is important to secure any sensitive information in them so it cannot be used by hackers.
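As an added illustration, not code from this article or from WordPress itself, the Python model below shows the principle behind a keyed login cookie: the cookie carries the username and an expiry plus a message authentication code computed with a secret built from the site's key and salt. Without the key and salt nobody can produce a valid code, a cookie whose fields were altered fails validation, and once the key and salt are replaced every previously issued cookie stops validating, which is exactly why rotating the salts logs every user out. The key and salt values are constructed for the example, and the cookie layout and the use of HMAC-SHA256 are simplifications; the real WordPress cookie format carries more fields.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample values standing in for two of the eight wp-config.php constants.
# A real site takes these from the WordPress secret key generator; never reuse these.
AUTH_KEY = "constructed-sample-auth-key-do-not-use"
AUTH_SALT = "constructed-sample-auth-salt-do-not-use"
# A second constructed pair, representing the values after the salts are rotated.
ROTATED_AUTH_KEY = "constructed-rotated-auth-key-do-not-use"
ROTATED_AUTH_SALT = "constructed-rotated-auth-salt-do-not-use"


def cookie_secret(key: str, salt: str) -> bytes:
    """Combine a key with its salt to form the secret that signs cookies."""
    return (key + salt).encode("utf-8")


def issue_cookie(username: str, expires_at: int, key: str, salt: str) -> str:
    """Return 'username|expiry|mac' where mac is an HMAC-SHA256 over the first two fields.

    The MAC ties the fields to the site's secret; without the key and salt nobody
    can compute a MAC that validate_cookie will accept.
    """
    message = f"{username}|{expires_at}".encode("utf-8")
    mac = hmac.new(cookie_secret(key, salt), message, hashlib.sha256).hexdigest()
    return f"{username}|{expires_at}|{mac}"


def validate_cookie(cookie: str, key: str, salt: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is well formed, unexpired and its MAC matches; else None."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:          # malformed cookie: wrong number of fields
        return None
    username, expiry, mac = parts
    if not expiry.isdigit() or int(expiry) < now:   # expired or garbled expiry
        return None
    message = f"{username}|{expiry}".encode("utf-8")
    expected = hmac.new(cookie_secret(key, salt), message, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the comparison does not leak the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    return username


def demo(now: int) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Issue one cookie and validate it three ways: unchanged, altered, and after salt rotation."""
    cookie = issue_cookie("admin", now + 3600, AUTH_KEY, AUTH_SALT)
    genuine = validate_cookie(cookie, AUTH_KEY, AUTH_SALT, now)   # "admin"
    altered = "someone|" + cookie.split("|", 1)[1]                # username swapped, MAC no longer matches
    rejected = validate_cookie(altered, AUTH_KEY, AUTH_SALT, now)  # None
    after_rotation = validate_cookie(cookie, ROTATED_AUTH_KEY, ROTATED_AUTH_SALT, now)  # None: user is logged out
    return genuine, rejected, after_rotation


if __name__ == "__main__":
    print(demo(int(time.time())))
```

Running the file prints `('admin', None, None)`: the genuine cookie validates, the altered one does not, and the same genuine cookie is rejected as soon as the key and salt change, without anything happening to the user's password.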
Why you need to change WordPress security keys and Salts
Since the WordPress security keys and salts are random strings, they can be considered to be strong and unique. However, there are still occasions when they may need to be changed. As we explained before, it is critical to keep these strings private. So if there is a chance they have been compromised, you need to change them immediately.
If your WordPress site is hacked at any point, treat the salt keys as compromised. Malware gives hackers unauthorized access to the website’s files, including the wp-config.php file where the WP salts are stored. So after cleaning out the malware, it is important to change the salt keys, along with the other post-hack recommendations. With MalCare, you can clean the malware and change the security keys in minutes from the same dashboard.
It is also considered good practice to change the WordPress salt keys every so often, just like you would your passwords. Changing credentials makes it harder for hackers to break through your website’s security.
How to change WordPress salts (3 Ways)
There are three ways to change WordPress salt keys on your website: use a security plugin, use a dedicated plugin, or do so manually. We recommend a security plugin, because it is much easier and it does much more than change the salts.
1. Use a security plugin
The simplest way to update salts in WordPress is to use a security plugin with the feature, like MalCare.
To change the security keys with MalCare, all you need to do is:
- Log into MalCare
- Go into the Security and Firewall section
- Under Security overview, click on Apply Hardening
- Scroll down to the Paranoid section, and select Change Security Keys
- Click on Apply
- You will need to enter your FTP credentials on the next screen
- Select the folder where WordPress is installed, which is generally the public_html folder
- Click on Apply Fix
Any logged in users will be logged out of the website, but their passwords and usernames remain the same.
Why we recommend MalCare
MalCare is a sophisticated WordPress security plugin for protecting your website. In addition to being able to easily change salts and security keys, it also has a deep website scanner, a malware cleaner and an advanced firewall. With MalCare, you can apply various WordPress hardening options, and changing the WordPress security keys is one of them.
Other security plugins that can be used to change WordPress salt keys
As alternatives to MalCare, you can also use either Sucuri or iThemes Security to change the WordPress security keys.
To change security keys using Sucuri, do the following:
- Go into Sucuri Security on the left navigation menu
- Navigate to Settings
- Select the Post-Hack tab
- Check the ‘I understand that this operation cannot be reverted.’ box
- Click on Generate New Security Keys
With Sucuri, you can also schedule the keys to be updated automatically.
To change security keys using iThemes, follow these steps:
- Go to Security on the left navigation menu
- Click on Settings
- From the left pane of Settings, click on the Tools menu icon at the bottom
- Select Change WordPress Salts to expand the pane
- Click on Run
Note: We don’t recommend either one as a security plugin, though: Sucuri’s malware scanner doesn’t detect malware effectively, and iThemes is one of the worst security plugins we have ever seen. However, both can change WordPress security keys, so they made it into this list.
2. Use a dedicated plugin
If you choose not to install a security plugin, or you already have one without this feature, you can install the Salt Shaker plugin.
After installation and activation, Salt Shaker appears under the Tools menu in the left navigation bar. It has a single screen with an option to change the WordPress salts immediately or automatically on a schedule. That’s all there is to it.
We do not usually advocate for a one-trick pony for a plugin, especially if you can get the functionality as part of another plugin. However, the Salt Shaker plugin does perform its one trick well.
3. Change WordPress salts manually
It is entirely possible to change the WordPress security keys manually, but we typically advise against rummaging around in your website’s code. In this case, you would be editing the wp-config.php file, arguably one of the most important WordPress core files. So the risks are high, even though the task is relatively simple.
In any case, to change the WordPress salts manually, you need to do the following:
1. Get new values from the WordPress secret key generator. Please note: you will never need these keys for personal use, so do not save them anywhere. Also, do not try to make up these strings yourself.
2. Back up your website. This is a necessary precaution, because you will be editing a core WordPress file manually, and there is a chance the site can break.
3. Edit the wp-config.php file. Here you have two options: one, you can download the file via FTP, edit and reupload the modified file; or two, use SSH to edit the file directly on the web server.
4. Look for the section headed Authentication Unique Keys and Salts
5. Replace the existing key and salt lines there with the new values, and save your changes
Once you change the salt keys, all logged in users will be logged out of the website, and have to log back in again. Nothing happens to their credentials, and their passwords remain the same.
Important: Don’t save the keys anywhere. You will not need them.
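To make the manual procedure concrete, here is an added Python helper; it is not part of the article, of WordPress, or of any plugin. It takes the block of define() lines returned by the WordPress secret key generator (https://api.wordpress.org/secret-key/1.1/salt/), checks that all eight constants are present both there and in wp-config.php, writes a backup, and then swaps only those eight lines, leaving the database settings untouched. The wp-config.php fragment and the replacement values below are constructed for the example; real generator output is long random strings.

```python
import re
import shutil
from pathlib import Path
from typing import Dict

# The eight constants in the "Authentication Unique Keys and Salts" section of wp-config.php.
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Matches one define( 'NAME', 'value' ); line for any of the eight names.
# Generator values never contain a single quote, so [^']* captures the whole value.
DEFINE_RE = re.compile(
    r"define\(\s*'(" + "|".join(SALT_NAMES) + r")'\s*,\s*'([^']*)'\s*\);"
)

# Constructed wp-config.php fragment, as shipped before the salts are filled in.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
/**#@+
 * Authentication Unique Keys and Salts.
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
/**#@-*/
define( 'WP_DEBUG', false );
"""

# Constructed stand-in for the block returned by the WordPress secret key generator.
SAMPLE_NEW_DEFINES = "\n".join(
    f"define('{name}', 'CONSTRUCTED-{name}-VALUE-{i:02d}');"
    for i, name in enumerate(SALT_NAMES)
)


def parse_salts(text: str) -> Dict[str, str]:
    """Return NAME -> value for every salt define() in text (generator output or wp-config.php)."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}


def rotate_salts(config_text: str, new_defines: str) -> str:
    """Return config_text with each of the eight salt lines replaced by the value from new_defines.

    Refuses to do a partial job: both the config and the new block must define all eight.
    """
    fresh = parse_salts(new_defines)
    missing = [name for name in SALT_NAMES if name not in fresh]
    if missing:
        raise ValueError(f"new salt block is missing {missing}")
    current = parse_salts(config_text)
    missing = [name for name in SALT_NAMES if name not in current]
    if missing:
        raise ValueError(f"wp-config.php does not define {missing}")

    def swap(match):
        name = match.group(1)
        return f"define( '{name}', '{fresh[name]}' );"

    return DEFINE_RE.sub(swap, config_text)


def rotate_config_file(config_path: Path, new_defines: str, backup_dir: Path) -> Path:
    """Back up wp-config.php into backup_dir, overwrite it with rotated salts, and return the backup path.

    backup_dir must be outside the web root: a wp-config.php.bak left next to the
    original can be served as plain text and would expose the database credentials.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup_path = backup_dir / (config_path.name + ".bak")
    shutil.copy2(config_path, backup_path)
    rotated = rotate_salts(config_path.read_text(encoding="utf-8"), new_defines)
    config_path.write_text(rotated, encoding="utf-8")
    return backup_path


if __name__ == "__main__":
    print(rotate_salts(SAMPLE_CONFIG, SAMPLE_NEW_DEFINES))
```

For a real site you would save the generator output to a file, pass its contents as new_defines to rotate_config_file together with the path to wp-config.php and a backup directory outside public_html, and delete both the saved generator output and the backup once the site has been checked. As the article says, the new values are never needed again, so there is no reason to keep them.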
How often to change WordPress salt keys
WordPress websites come with salts and security keys by default, so you do not need to add them yourself. The only time changing the salts becomes critical is right after a hack. You should assume that if your website had malware, the keys were compromised. A hacker who knows the salts used on your website has an easier time attacking the hashed credentials.
Other times you might consider changing the salts are when you first set up the website, or every six months or so. This makes it harder for attackers to figure out your credentials, but it is not mandatory.
Other things you can do to protect your user logins
We say this time and again, but password security is critical to the protection of your website. Apart from making sure the WordPress salts and security keys are updated and kept private, here are some other things you can do:
- Get brute force protection
- Enforce strong passwords
- Require unique passwords
- Require passwords not discovered in a data breach
- Use two-factor authentication
- Limit login attempts
- Disable XML-RPC
WordPress salts help in protecting your login credentials from being readable by hackers, whilst still allowing cookies to keep you logged into your account. There are security benefits to keeping the WP salts updated regularly, but unless there is a hack, it isn’t critical.
If you need any help, please reach out to us. We love to hear from you!
What are WordPress salts?
WordPress salts are long strings of random characters that are used by WordPress to secure the credentials of logged in users. Also known as security keys, salts are used to create cryptographic hashes of usernames and passwords for security purposes.
Why are they called salts by WordPress?
In cryptography, a salt is random data that is added to sensitive information before it is hashed. WordPress security keys and salts do exactly that with usernames and passwords, and are therefore called salts.
Why should I change salt keys on WordPress?
You need to change the WordPress salts and security keys if your website had malware. Hackers would have had access to WordPress files, including the wp-config.php file where the salts are stored. If the hacker gained this information, they could crack any password used on your website. Therefore it is critical to change WP security keys and salts after a hack.
How do I change the salt in WordPress?
There are 3 ways to change WordPress salt keys:
- Use a security plugin with hardening features like MalCare
- Use Salt Shaker, a dedicated plugin to change WordPress salts
- Change the salts and security keys manually in the wp-config.php file