Complete Guide to WordPress Salts and Security Keys


WordPress Salts

In articles about WordPress security, you may have come across WordPress salts or security keys, and wondered what those were. In a nutshell, they are random strings used by WordPress to encrypt your password. 

Passwords are one of the most important aspects of website security, so it is worth understanding how WordPress salt keys work and, more importantly, how to change them when required.

TL;DR: It is critical to change your site’s WordPress salts and security keys after cleaning a hacked site. With MalCare, you can change security keys automatically along with the one-click hack cleanup. All users will be forcibly logged out, and you have effectively taken care of an important post-cleanup step. That’s not all; MalCare is a fully fledged security plugin, which prevents hackers from breaking into your website by limiting login attempts, offering built-in brute force protection, and an advanced firewall.

What are WordPress salts?

WordPress salts or security keys are strings of random characters, used by WordPress to encrypt your username and password. The strings are used to hash your login credentials, which is a cryptographic term referring to the encryption process. The credentials become impossible to distinguish from the random characters, and therefore they cannot be stolen or used to log into your website. 

The terms WordPress salts and WordPress security keys are often used interchangeably; however, they always refer to the same 8 strings. There are 4 security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY) and each security key has a corresponding salt.

WordPress salts and security keys in the wp-config.php file

It is very important to keep WP salts secret, because of their role in protecting your login credentials. They are stored in the core WordPress file wp-config.php, in addition to database credentials, and shouldn’t be stored anywhere else at all.  

What WordPress salts are used for

WordPress salts are used to secure usernames and passwords that are stored in browser cookies. WordPress uses cookies to remember if you are logged into your website. For instance, if you are logged into your wp-admin, but close the browser tab by accident, WordPress doesn’t ask you to log in again. This is a convenient feature, and cookies are used by many websites to remember your preferences and actions.

However, cookies are vulnerable to attack, as we have seen with cookie stealing and hijacking sessions. Therefore, it is important to encrypt any sensitive information in them, so it cannot be used by hackers.

Why you need to change WordPress security keys and Salts

Since the WordPress security keys and salts are random strings, they can be considered to be strong and unique. However, there are still occasions when they may need to be changed. As we explained before, it is critical to keep these strings private. So if there is a chance they have been compromised, you need to change them immediately. 

A hacked WordPress site is a good example of a situation in which the salt keys should be treated as compromised. With malware, hackers have unauthorized access to the files of the website, including the wp-config.php file where the WP salts are stored. Thus, after cleaning out malware, it is important to change the salt keys, along with other post-hack recommendations. With MalCare, you can clean the malware, and auto-change the security keys in minutes from the same dashboard.

It is also considered good practice to change the WordPress salt keys every so often, just like you would your passwords. Changing credentials makes it harder for hackers to break through your website’s security.

How to change WordPress salts (3 Ways)

There are a few ways to change WordPress salt keys on your website: use a plugin or do so manually. We recommend a security plugin, because it is just much easier and it does much more than change the salts. 

1. Use a security plugin 

The simplest way to update salts in WordPress is to use a security plugin with the feature, like MalCare. 

Change WordPress security keys using MalCare

To change the security keys with MalCare, all you need to do is: 

  1. Log into MalCare
  2. Go into the Security and Firewall section
  3. Under Security overview, click on Apply Hardening
  4. Scroll down to the Paranoid section, and select Change Security Keys
  5. Click on Apply
  6. You will need to enter your FTP credentials in the next screen
  7. Select the folder where WordPress is installed, which is generally the public_html folder
  8. Click on Apply Fix

Any logged in users will be logged out of the website, but their passwords and usernames remain the same. 

Why we recommend MalCare

MalCare is a sophisticated WordPress security plugin for protecting your website. In addition to being able to easily change salts and security keys, it also has a deep website scanner, a malware cleaner and an advanced firewall. With MalCare, you can apply various WordPress hardening options, and changing the WordPress security keys is one of them.


Other security plugins that can be used to change WordPress salt keys

As alternatives to MalCare, you can also use either Sucuri or iThemes Security to change the WordPress security keys. 

To change security keys using Sucuri, do the following: 

  1. Go into Sucuri Security on the left navigation menu
  2. Navigate to Settings
  3. Select the Post-Hack tab
  4. Check the ‘I understand that this operation cannot be reverted.’ box
  5. Click on Generate New Security Keys

With Sucuri, you can also schedule the keys to be updated automatically. 


To change security keys using iThemes, follow these steps: 

  1. Go to Security on the left navigation menu
  2. Click on Settings
  3. From the left pane of Settings, click on the Tools menu icon at the bottom
  4. Select Change WordPress Salts to expand the pane
  5. Click on Run

Note: We don’t recommend either one as good WordPress security plugins though, since Sucuri’s malware scanner doesn’t detect malware effectively; and iThemes is one of the worst security plugins we have ever seen. However, both can change WordPress security keys, so they made it into this list.

2. Use a dedicated plugin

If you choose not to install a security plugin, or you already have one without this feature, you can install the Salt Shaker plugin.


After installation and activation, the Salt Shaker plugin will appear in the Tools menu of the left navigation bar. It has one screen with an option to change the WordPress salts immediately, or automatically on a schedule. That’s all there is to it.


We do not usually advocate for a one-trick pony for a plugin, especially if you can get the functionality as part of another plugin. However, the Salt Shaker plugin does perform its one trick well.

3. Change WordPress salts manually

It is entirely possible to change the WordPress security keys manually, but we typically advise against rummaging around in your website’s code. In this case, you would be editing the wp-config.php file, arguably one of the most important WordPress core files. So the risks are high, even though the task is relatively simple. 

In any case, to change the WordPress salts manually, you need to do the following: 

1. Get new values from the WordPress secret key generator. Please note: you will never need these keys for personal use, so do not save them anywhere. Also, it is inadvisable to try creating these strings on your own. 


2. Backup your website. This is a necessary precaution because you will be editing a core WordPress file manually, and therefore there is a chance that the site can break.


3. Edit the wp-config.php file. Here you have two options: one, you can download the file via FTP, edit and reupload the modified file; or two, use SSH to edit the file directly on the web server.


4. Look for Authentication Unique Keys and Salts


5. Replace the code there, and save your changes

Once you change the salt keys, all logged in users will be logged out of the website, and have to log back in again. Nothing happens to their credentials, and their passwords remain the same. 

Important: Don’t save the keys anywhere. You will not need them. 
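
Steps 1 to 5 above can be scripted. This is an added example, not code from the original article or from any plugin it mentions: it takes the text copied from the secret key generator, checks that all eight statements are present and actually differ from the current ones, backs up wp-config.php, and replaces only those eight lines. The function names, the `backup_dir` parameter (a directory assumed to be outside the web root, since the file also holds database credentials) and the sample values are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# One single-line define('NAME', 'value'); statement, in either quote style.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*)\2\s*\);[ \t]*$""", re.M)

def parse_defines(text):
    """Map each of the eight names to (value, full statement) as found in text."""
    return {m.group(1): (m.group(3), m.group(0).strip())
            for m in DEFINE_RE.finditer(text) if m.group(1) in KEY_NAMES}

def replace_salts(config, generator_output):
    """Return config with all eight statements replaced by the generator's."""
    old, new = parse_defines(config), parse_defines(generator_output)
    missing = [n for n in KEY_NAMES if n not in old or n not in new]
    if missing:
        raise ValueError(f"not found in both inputs: {missing}")
    reused = [n for n in KEY_NAMES if old[n][0] == new[n][0]]
    if reused:
        raise ValueError(f"value unchanged: {reused}")
    def swap(m):
        name = m.group(1)
        return new[name][1] if name in new else m.group(0)  # other defines untouched
    return DEFINE_RE.sub(swap, config)

def rotate_file(config_path, generator_output, backup_dir):
    """Validate first, then back up wp-config.php and rewrite it in place."""
    path = Path(config_path)
    updated = replace_salts(path.read_text(), generator_output)
    shutil.copy2(path, Path(backup_dir) / (path.name + ".bak"))
    path.write_text(updated)
    return updated

def sample(prefix):
    # Constructed placeholder values, not real keys.
    return "\n".join(f"define('{n}', '{prefix}-{n.lower()}');" for n in KEY_NAMES)

SAMPLE_CONFIG = ("<?php\ndefine('DB_NAME', 'wp');\n" + sample("old")
                 + "\n$table_prefix = 'wp_';\n")

if __name__ == "__main__":
    print(replace_salts(SAMPLE_CONFIG, sample("new")))
```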

How often to change WordPress salt keys

WordPress websites by default come with salts and security keys, so they don’t need to be installed. The only time changing the salts becomes critical is right after a hack. You should assume that if your website had malware, the keys were compromised. Knowing the cryptographic hash used on your website enables hackers to get it more easily. 

Other times you might consider changing the salts are when you first set up the website, or every six months or so. This just makes it harder for attackers to figure out your credentials, but it is not mandatory.

Other things you can do to protect your user logins

We say this time and again, but password security is critical to the protection of your website. Apart from making sure the WordPress salts and security keys are updated and kept private, here are some other things you can do: 


WordPress salts help in protecting your login credentials from being readable by hackers, whilst still allowing cookies to keep you logged into your account. There are security benefits to keeping the WP salts updated regularly, but unless there is a hack, it isn’t critical. 

If you need any help, please reach out to us. We love to hear from you!


What are WordPress salts?

WordPress salts are long strings of random characters that are used by WordPress to secure the credentials of logged in users. Also known as security keys, salts are used to create cryptographic hashes of usernames and passwords for security purposes. 

Why are they called salts by WordPress?

A salt is a cryptographic term that refers to random data that is added to essential information before it gets encrypted. WordPress security keys and salts do exactly that with usernames and passwords, and therefore are called salts. 

Why should I change salt keys on WordPress?

You need to change the WordPress salts and security keys if your website had malware. Hackers would have had access to WordPress files, including the wp-config.php file where the salts are stored. If the hacker gained this information, they could crack any password used on your website. Therefore it is critical to change WP security keys and salts after a hack. 

How do I change the salt in WordPress?

There are 3 ways to change WordPress salt keys: 

  1. Use a security plugin with hardening features like MalCare
  2. Use Salt Shaker, a dedicated plugin to change WordPress salts
  3. Change the salts and security keys manually in the wp-config.php file


