Complete Guide to WordPress Salts and Security Keys

Several factors work together to secure your WordPress site, from strong passwords to a robust malware scanner. Among these elements are WordPress salts or security keys.
WordPress salts or security keys work to keep your site’s login secure. They are used to encrypt your password, adding an important layer to your site’s defenses.
TL;DR: WordPress salts are random strings that encrypt your login details and help secure your site. You must change these salts once you clean your site after a hack. Or you can change them regularly to maintain strong website protection. Using a plugin like MalCare is the easiest way to update WordPress salts, but you can also change them manually if needed.
What are WordPress salts?
WordPress salts and security keys are unique strings of random characters. These strings are used to hash your username and password, making them unintelligible to hackers. Even if your hashed credentials are stolen, they cannot be used to log into your site. The wp-config.php file, a critical part of the WordPress file structure, is where these salts are usually stored.
The terms “WordPress salts” and “WordPress security keys” are often used interchangeably, and both refer to the same eight strings. The four security keys are AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY. Each security key has a corresponding salt.

It is important to keep the WordPress salts secret because they protect your login information. While they are usually stored in the wp-config.php file, some hosts like Cloudways prefer keeping them in a separate wp-salt.php file. Regardless of which file they are stored in, they should not be kept anywhere else. This is also why some web hosts like Pantheon.io do not let you access or modify them.
What are WordPress salts used for?
WordPress salts help secure usernames and passwords stored in browser cookies. WordPress uses cookies to remember if you’re logged into your site. For example, if you log into your wp-admin and accidentally close the browser, WordPress won’t ask you to log in again. This is a convenient feature, and many websites use cookies to remember your preferences and actions.
However, WordPress cookies are vulnerable because of cookie stealing attacks and session hijacking. That’s why it is important to encrypt sensitive information in cookies so hackers can’t misuse it.
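The mechanism can be sketched in a few lines. This is an added example, not WordPress's own code and not part of the original article: a simplified model in which a login cookie carries an HMAC-SHA256 tag keyed with a key and its salt. The cookie layout, the function names and the `new_secret` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

def new_secret():
    """Random 64-character string standing in for one key or salt."""
    return secrets.token_urlsafe(48)  # 48 random bytes -> 64 characters

def _tag(payload, key, salt):
    # The signing secret is the key joined with its salt (model assumption).
    return hmac.new((key + salt).encode(), payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(username, key, salt, ttl=3600, now=None):
    """Return 'username|expiry|tag'. No password is stored in the cookie."""
    issued = int(time.time()) if now is None else now
    payload = f"{username}|{issued + ttl}"
    return f"{payload}|{_tag(payload, key, salt)}"

def verify_cookie(cookie, key, salt, now=None):
    """Accept the cookie only if it is unexpired and its tag matches."""
    current = int(time.time()) if now is None else now
    try:
        username, expiry, tag = cookie.rsplit("|", 2)
        if int(expiry) < current:
            return False
    except ValueError:  # wrong field count or non-numeric expiry
        return False
    expected = _tag(f"{username}|{expiry}", key, salt)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(tag.encode(), expected.encode())
```

Because the cookie holds no password, replacing the key and salt invalidates every outstanding cookie, stolen ones included, while the stored credentials are untouched.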
When do you need to change WordPress salts?
WordPress security keys and salts are random strings, making them strong and unique. Still, there are times when you need to change them. It’s crucial to keep these strings private. Change WordPress salts immediately if you think they have been compromised.
For example, if your WordPress site gets hacked, the salts and security keys may be compromised. Hackers with malware can access your site’s files. This includes the wp-config.php or the wp-salt.php file where salts are stored. After removing malware, it’s important to change the salt keys, alongside other security measures. A security plugin like MalCare can clean malware and automatically change the security keys as part of its cleanup process.
It’s also a good habit to change WordPress salt keys regularly, just as you would with passwords. Doing so makes it harder for hackers to access your site.
How to change WordPress salts
There are a couple of ways to change WordPress salt keys on your site: use a plugin or do it manually. We recommend using a security plugin because it’s easier and offers more features than just changing the salts.
1. Use a security plugin
The simplest way to update salts in WordPress is to use a security plugin with the feature, like MalCare.
To change the security keys with MalCare, all you need to do is:
1. Go into the Security and Firewall section

2. Scroll down to the Login Protection section and click on Apply Hardening

3. Select Change Security Keys in the Paranoid section

4. Click on Continue
5. Enter your FTP credentials on the next screen

6. Select the folder where WordPress is installed
7. Click on Apply Fix
Note: Any logged-in users will be logged out of the website. But their passwords and usernames will remain the same.
Why we recommend MalCare
MalCare is an advanced WordPress security plugin that helps protect your website. The ability to easily change salts and security keys is just one of its features. It also offers a deep website scanner, a malware cleaner, and an advanced firewall. MalCare also lets you apply various other WordPress hardening measures.

As alternatives to MalCare, you can also use either Sucuri or iThemes Security to change the WordPress security keys.
2. Use a dedicated plugin
If you decide not to use a security plugin, or if your current one lacks this feature, you can install the Salt Shaker plugin.

After you install and activate it, the Salt Shaker plugin will appear in the Tools menu on the left. It offers a simple screen to change WordPress salts either immediately or automatically on a schedule.

We typically don’t recommend plugins with just one function, especially if you can find the feature in a more comprehensive plugin. But the Salt Shaker plugin does its job well, which is why it has made it to our list.
3. Change WordPress salts manually
You can manually change WordPress security keys. But we generally do not recommend digging into your site’s code. This process involves editing the wp-config.php or the wp-salt.php file, depending on your web host.
The wp-config.php file is one of the most important WordPress core files. So it is a high-risk task even if it may seem relatively straightforward.
Keep in mind that some web hosts restrict access to these files to prevent modifications. Before attempting to edit, check with your hosting provider.
To change WordPress salts manually, follow these steps:
1. Get new values from the WordPress secret key generator. Remember, you won’t need these keys for personal use, so don’t save them. Also, do not create these strings on your own.

2. Back up your website. Manually editing an important WordPress file runs the risk of breaking the site. So this step is important.

3. Edit the wp-config.php file (or the wp-salt.php file). You have two options to do this. The first option is to download the file via FTP, edit it, and upload it again. The second is to use SSH to edit the file directly on the server.

4. Locate the Authentication Unique Keys and Salts section.

5. Replace the code there with the new values and save your changes.
After changing the salt keys, all logged-in users will be logged out and they will need to log in again. Their credentials and passwords will stay the same though. Remember not to save the keys anywhere, as they aren’t needed for future use.
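Steps 4 and 5 as an added Python example (not from the original article or from any plugin): it parses the eight define() lines from the generator's output and splices them into the config text, refusing to proceed if either side is incomplete. The function names and the sample config are constructed for illustration, and the sample "generator" values come from Python's secrets module so the block runs offline.

```python
import re
import secrets

NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
         "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# One define() line with a single-quoted value.
# Assumption: the values themselves contain no single quote.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*'(?P<value>[^'\n]*)'\s*\);[ \t]*$""",
    re.MULTILINE)

def parse_salts(text):
    """Return {name: value} for the key and salt define() lines in text."""
    return {m["name"]: m["value"] for m in DEFINE_RE.finditer(text)
            if m["name"] in NAMES}

def apply_new_salts(config_text, generator_output):
    """Swap the eight values in config_text for those in generator_output."""
    new, old = parse_salts(generator_output), parse_salts(config_text)
    for label, found in (("generator output", new), ("config file", old)):
        missing = [n for n in NAMES if n not in found]
        if missing:
            raise ValueError(f"{label} has no define() for {missing}")
    # The generator's values are 64 characters long and all different.
    if len(set(new.values())) < len(NAMES) or min(map(len, new.values())) < 64:
        raise ValueError("expected eight distinct values of 64+ characters")

    def swap(match):
        # A function replacement keeps re.sub from interpreting backslashes
        # or group references that a value might contain.
        name = match["name"]
        return f"define( '{name}', '{new[name]}' );" if name in NAMES else match[0]

    return DEFINE_RE.sub(swap, config_text)

# Constructed sample input: a trimmed wp-config.php and generator-style output.
SAMPLE_CONFIG = "\n".join(
    ["<?php", "define( 'DB_NAME', 'example_db' );"]
    + [f"define( '{n}', 'old-value-{i}' );" for i, n in enumerate(NAMES)]
    + ["$table_prefix = 'wp_';", ""])
SAMPLE_NEW = "\n".join(f"define('{n}', '{secrets.token_hex(32)}');" for n in NAMES)

if __name__ == "__main__":
    print(apply_new_salts(SAMPLE_CONFIG, SAMPLE_NEW))
```

Write the result to a temporary file and move it over the original only once the backup from step 2 exists, so a failed edit never leaves a half-written config in place.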
How often to change WordPress salt keys
WordPress sites come with salts and security keys by default, so there’s no need to install them. But you must change salts after removing malware from your site, as malware likely means the keys were compromised. If hackers know your site’s cryptographic hash, it’s easier for them to break in.
You might also change the salts when you first set up the site or every six months. Doing so makes it tougher for attackers to guess your credentials. However, this is not mandatory.
Other methods to protect your user logins
We often face this question: Is WordPress secure? And we say time and again that password security is one of the vital ways to protect your website. Sometimes, all it takes to bring down your site is one unsuspecting user who gives out their credentials.
Ensuring the WordPress salts and security keys are updated and kept private is one thing in this regard. But here are some more things you can do to secure your site and its logins:
Final thoughts
WordPress salts are crucial in securing your login credentials, making them unreadable to hackers while still allowing cookies to maintain your login status. Regularly updating these salts enhances your site’s security, making it tougher for attackers to access your information. Although frequent updates are beneficial, they become especially essential after a security breach.
FAQs
What are WordPress salts?
WordPress salts are long strings of random characters that are used by WordPress to secure the credentials of logged in users. Also known as security keys, salts are used to create cryptographic hashes of usernames and passwords for security purposes.
Why are they called salts by WordPress?
A salt is a cryptographic term that refers to random data that is added to essential information before it gets encrypted. WordPress security keys and salts do exactly that with usernames and passwords, and therefore are called salts.
Why should I change salt keys on WordPress?
You need to change the WordPress salts and security keys if your website had malware. Hackers would have had access to WordPress files, including the wp-config.php or the wp-salt.php file where the salts are stored. If the hacker gained this information, they could crack any password used on your website. Therefore it is critical to change WP security keys and salts after a hack.
How do I change the salt in WordPress?
There are 3 ways to change WordPress salt keys: