Complete Guide to WordPress Salts and Security Keys

You must have noticed that WordPress stores your password so that you don’t have to type it out every time you want to log in?

It makes logging into your website a fast and easy experience.

But you might be wondering if the stored password can be stolen?

Unfortunately, the answer is yes. Stored passwords can be stolen.

When hackers get their hands on your password, they will use it to break into your site and wreak havoc. They can run all sorts of malicious activities like redirecting your visitors and stealing information from your website, sending spam email, storing files and folders on your website, even launching attacks on other WordPress sites.

But don’t worry, to ensure this doesn’t happen, WordPress protects your stored password with something known as WordPress salts & security keys. They encrypt your password so that if the password is stolen, hackers cannot read it.

In this guide, we’ll take a deep dive into how salts & keys work and how you can change them.

What Are WordPress Security Keys & Salts?

WordPress salts and security keys are a string of characters that look something like this-

‘,KE39}#KS5B{–!U2v]<_|]aRnAO7Jb1[8ktJvFWe L1!}]_7GA{t_!u[]$|Hm&*’);

Security keys and salts are automatically generated for your site when you install WordPress.

But why does a WordPress site need security keys and salts?

In the beginning, we had mentioned how you don’t need to enter your username and password every time you are trying to log in. This is because WordPress stores your credentials.

It sounds like a really great process but there are security concerns. Stored credentials can be stolen.

WordPress, however, offers a solution. It encrypts your password with security keys and salts and then stores it. So even if your password is stolen, hackers can’t decipher it.

However, there’s a catch here.

Through session hijacking and cookie stealing attacks, hackers can steal your salts and keys and decipher your password.

Therefore, it’s important to change your WordPress salt keys from time to time.

When to Change Your WordPress Salts & Security Keys?

Generally, changing salts and keys are post-hack security measures. If your website was recently hacked, you absolutely need to change your security keys and salts.


When your WordPress is hacked, one of the measures you take immediately after you find out is you change all your password immediately to ensure hackers don’t have access to your site.

However, unknown to you, hackers may have made a copy of your keys and salts. Even if you change your password, they can decipher it if the keys and salts remain the same.

Hence, if your website was hacked, one of the steps that you need to take to ensure that it’s not re-hacked is to change WordPress salts and keys.
You can check here is your website hacked.

How to Safely Change Your WordPress Salt and Security Keys?

There are two ways of changing your salts and keys.

  1. You can use a plugin (recommended)
  2. You can do it manually

1. Changing WordPress Salts & Keys Using a Plugin

We’ll demonstrate how to change salts and keys using two different plugins – MalCare and Salt Shaker.

Using MalCare

i. Sign up with MalCare.

ii. Open your MalCare account and go to the Security section. Click on Details then select Apply Hardening.


iii. Next, select the option Change Security Keys and click on Continue.


iv. Then you’ll need to enter your FTP credentials. If you don’t have it, then try finding it with the help of these videos or ask your hosting provider to provide it.

After you enter your FTP credentials, Security keys and salts will be changed.

Note that once your salt and keys are changed, all browser cookies saving your password will be invalidated. This means users will need to log in to access the dashboard.

Using Salt Shaker

i. Download and activate Salt Shaker on your WordPress website.

ii. On your website’s dashboard, go to Tools > Salt Shaker.

iii. In the Salt Shaker Setting page, you will find two options: Scheduled Change & Immediate Change.

You can use the ‘Scheduled Change’ option to automatically change the keys and salts on a daily, weekly, monthly, quarterly, and bi-annually basis. Many website owners prefer this option and schedule the changes as part of their security protocol.

If you wish to change WordPress salts and keys immediately, you need to click on the Change Now button that appears under the section Immediate Change.


2. Changing WordPress Salts & Keys Manually

CAUTION: The manual method is very risky as it involves making changes to a WordPress file called the wp-config file. It’s an extremely crucial file and helps your website function properly. Small mistakes when handling the file can lead to a broken website.

We strongly recommend using a WordPress plugin to change your keys and salts. It’s easier and much safer.

However, if you still want to go ahead with the manual method, then it’s important to take a complete website backup. In case your website breaks during this process, you can use the backup to quickly restore your site back to normal.

Once you have a backup, you can proceed with the manual method.

i. The first step is to generate new salts and keys by visiting this link –

ii. Next, you need to edit the wp-config file. Open your hosting account and go to cPanel. Next, select File Manager.


iii. In the new window, look for a folder named ‘public_html.’ The wp-config file is located inside this folder.


iv. Right-click on the folder and select Edit to open your wp-config file. Inside the file, there are many lines of codes. You need to find the lines that we show in the picture below –


These are your security keys and salts.

And you need to replace ONLY these lines of codes with the new salts and keys that we generated in step 1.

Copy the keys you generated in step 1. Return to the wp-config file, select these lines and paste the new ones to replace them.

Please be careful and ensure that you are not changing anything else on the wp-config file.

Remember to save the file before exiting.

With that, you have now changed your WordPress salts and security keys.

Final Thoughts

Changing your WordPress keys and salts on a regular basis is a precautionary measure to block hackers from accessing your site. But this is only one small step towards securing your WordPress website completely.

Besides stealing passwords, hackers have any techniques using which they can hack your website.

To protect your website from all types of dangers, you need a reliable WordPress security plugin like MalCare.

The plugin sets up a robust WordPress firewall that identifies hackers and prevents them from accessing your site. It also scans your site every day to ensure there’s no suspicious activity on your site. With MalCare monitoring your site, you can rest assured it is protected against hackers.

Try MalCare Security Plugin Right Now!

Sophia Lawrence,

Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap