Ultimate Guide to WordPress Salts and Security Keys

By WP Saviour •  Updated: 09/22/20 •  7 min read

WordPress is among the most high-profile and in style content material administration programs on this planet. Consequently, WordPress is a frequent goal of safety exploits, reminiscent of brute drive assaults, SQL injection, malware, cross-site scripting, and DDoS assaults. In actual fact, just lately, a brand new malware pressure referred to as Clipsa is launching brute drive assaults in WordPress websites, stealing cryptocurrency through clipboard hijacking.

WordPress is just as safe as the quantity of effort you set in to enhance your web site’s safety. As a web site proprietor, it’s your accountability to remain vigilant and implement a proactive safety technique to stop malicious assaults. Use of weak passwords and usernames, failure to replace WordPress core and plugins, and poor high quality internet hosting are among the many frequent safety errors web site homeowners make, giving quick access to malicious hackers.

WordPress is a extremely safe CMS in its personal manner. Nevertheless, holding your WordPress-powered web site secure from cybercriminals requires you to enhance your safety posture and enhance your on-line credibility. Easy steps like updating the WordPress core, selecting a safe WordPress internet hosting supplier, listening to area title safety, and utilizing a safe password might help block malicious bots and attackers.

On this put up, we are going to give attention to WordPress salts and safety keys and their function in guaranteeing that you simply don’t should take care of the fallout of malware assaults.

What Are WordPress Safety Keys and Salts?

When a consumer logs in to WordPress web site, quite a few cookies are created on the pc. These are used to confirm the id of the logged-in customers. If a hacker will get into your database or finds your cookies, they are able to learn your password, thereby making your web site susceptible to assaults.

WordPress makes use of safety keys and salts to provide you a cryptic output that’s saved within the database or cookie, including a layer of safety to your web site.

Two of those cookies are:

The authentication particulars saved in these cookies by WordPress are hashed (assigned cryptic values) utilizing the random patterns that are specified within the WordPress safety keys.


WordPress Safety Key is a password containing a random, lengthy, and complex set of variables that enhance encryption, making it virtually inconceivable to crack your password. The newest model of WordPress makes use of 4 safety keys, every having a corresponding salt that may enhance the safety of your WordPress-powered web site.

These are:

  1. AUTH_KEY can be utilized to make modifications to the location. It helps you signal the authorizing cookie for the non-SSL.
  2. SECURE_AUTH_KEY is used to signal the authorizing cookie for SSL admin and is used to make modifications to the web site.
  3. LOGGED_IN_KEY is used to create a cookie for a logged-in consumer. It can’t be used to make modifications to the location.
  4. NONCE_KEY is used to signal the nonce key. This key protects the nonces from being generated, thereby defending your web site from being attacked.

One can find these Authentication Keys and Salts within the wp-config.php file, positioned within the WordPress root folder.

WordPress salts are random strings of information that hash the safety keys and add an additional layer of safety to the location and your credentials.


As you’ll be able to see on this picture, every safety key has a corresponding salt, specifically AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT.

Why Use WordPress Safety Keys and Salts?

WordPress makes use of cookies to trace the id of the customers logged in to your web site. These cookies are saved in your web site’s dashboard account, that’s the client-side. For higher encryption, the authentication particulars (each the username and password) are hashed utilizing a set of random values specified within the WordPress safety keys.

So, a randomly-generated encrypted password like “65a3ds2873ba27us36sd89s0fc” is extraordinarily tough to crack as in comparison with a non-encrypted one. Therefore, web site homeowners ought to use WordPress safety keys to safe their web site’s cookies and cease malicious hackers from accessing the location.

The right way to Change WordPRess Keys and Salts Manually

You’ll be able to configure the key keys and salts both manually or through the use of a WordPress Safety Plugin. When you have a self-hosted WordPress web site, you’ll have to add the safety keys your self.

Please be aware: we solely advocate manually enhancing WordPress recordsdata if you’re a developer or are snug working with code at an intermediate or increased degree. If you happen to’re a newbie, please leap forward to the advisable plugins under.

First, use the random generator on WordPress to acquire a novel Secret Key.

Subsequent, log in to your management panel file supervisor or through FTP. From right here find the wp-config.php file to switch it.


Open the file and scroll all the way down to the  “Authentication Distinctive Keys and Salts” part. That is the place you’ll be able to add your secret keys that you simply generated earlier.


When you save the file, you can be required to log in once more.

Use a Plugin To Replace Keys & Salts

Like most issues in WordPress you do not need to do that manually. A number of WordPress plugins can be utilized to automate the method in your behalf. They’re a fast and simple technique to change your WordPress Keys & Salts. Listed below are two we’d advocate.

iThemes Safety


The current model of iThemes Safety (Free v4.6+ or iThemes Safety Professional v1.14+) comes with a time-saving safety function that simply updates WordPress safety keys and salts. It presents an replace reminder each month and averts the necessity to manually generate a brand new set of keys or edit your wp-config.php file.

To replace the keys and salts, go to the ‘WordPress Salts’ part within the ‘Superior Tab’, click on the checkbox towards ‘Change WordPress Salts’ and eventually click on the ‘Change WordPress Salts’ button.


The iThemes Safety Professional presents further options like two-factor authentication, scheduled malware scanning, and reCAPTCHA to detect malicious software program and add an additional layer of safety to your WordPress login pages.

Salt Shaker


Equally, Salt Shaker presents spectacular options and settings like handbook and quick WP safety keys and salts altering to enhance your WordPress safety.


Furthermore, after putting in the Salt Shaker plugin, you’ll be able to set the scheduled job for automated salt altering. All you have to do is test the field and select the day by day, weekly or month-to-month setting.

In each instances, the plugin is programmed to ship automated reminders for updating the WordPress keys. In consequence it additionally forces all logged-in customers to undergo the log in course of once more. All these options assist shield a web site from brute drive assaults and different hacking makes an attempt.

On the subject of securing your WordPress web site, prevention is the best way to go. The hard-hitting mixture of WordPress safety keys and salts makes it powerful for hackers to crack web site passwords. That is how WordPress presents improved safety for consumer classes and secures knowledge.

To sum up, right here are some things to remember when updating WordPress safety keys and salts.

gp-4601057 as-9455679

WP Saviour

I am a WordPress specialist. My mission is to help you create beautiful websites with ease!