What are WordPress salts? Here’s the short answer: they can help protect your WordPress website by storing user passwords and authenticating them safely. But what about the long answer?
In this guide to WordPress Salts, you will find:
- A detailed look at WordPress salts
- Where WordPress salts can be found
- Information on how often you need to update WordPress salts and security keys
- Two techniques for changing WordPress salts
By the time you reach the end of this guide, you will have the details you need to start using WordPress salts and get the most out of them.
A Closer Look at WordPress Salts
WordPress salts, and their associated security keys, are a cryptographic tool designed to keep your WordPress website’s login safe and secure. More explicitly, they store information in the cookies used by WordPress to log you into your account.
When you log in to WordPress, you can choose to stay logged in if you would prefer not to put in your username and password each time. WordPress stores your login details in its cookies instead of utilizing PHP sessions. This method is incredibly convenient for the user, but it creates an opportunity for security problems — a hacker could use their skills to take control of the cookies in your browser.
So, to help safeguard your login information from unauthorized users, WordPress secures it with salts and security keys. In essence, WordPress salts function like additional passwords to your website that any potential hackers would find virtually unguessable.
As WordPress salts and security keys are so crucial, never, ever share them with anyone.
Where Can WordPress Salts Be Found?
By default, WordPress is equipped with its own salts and security keys stored within your website’s wp-config.php file. There are eight keys: the top four are your security keys, and the lower four are your WordPress salts. Each entry ends with ‘KEY’ or ‘SALT’, which makes them easy to identify.
How WordPress Salts Function
In this section, we’ll use a basic example password — PasswordX — to walk you through how WordPress salts work.
To get started, log in with your unique username and password (make sure yours is more secure than PasswordX). WordPress stores this data in two separate browser cookies to keep you logged in. Your website’s database stores this information too.
If your password is stored by WordPress as just “PasswordX”, in the open, an unauthorized user could spot it easily. This method is known as storing in plaintext — a major security faux pas.
How do salts and security keys avoid this issue? They collaborate to cryptographically transform plaintext passwords into random combinations of characters. It is impossible for a malicious actor to reverse engineer your password without having access to your salts or security keys.
For example, even if you chose PasswordX for your password, WordPress would still make it into something much more complex for safe storage. Without having access to your security keys and salts, an unauthorized user would have no way to turn a random string of characters back into your real password.
Is It Necessary to Update Your WordPress Salts and Security Keys?
Salts and security keys are included with all new WordPress installations by default. That means you don’t need to do anything to secure your WordPress website from the start. But it is worth updating your WordPress salts and security keys regularly.
Why? Because using new salts and keys makes it more difficult for any hackers to access them. Also, when you change your salts, any users logged into your site are automatically logged out. That’s ideal if you log in on a public computer but forget to log out accidentally — that account would be logged out and nobody else could get into it again.
Two Ways to Update Your WordPress Salts
You have two options to change your WordPress salts:
- Editing your wp-config.php file to change the salts manually
- Using a free plugin to do it for you
Let’s explore both options in detail.
Manually Changing Your WordPress Salts
With this method, you will be updating your wp-config.php file yourself. Start by connecting to your website’s server through FTP, then go to WordPress’s official salt generator. Random salts and security keys are generated for you on this page, with four of each.
The next step is to delete the keys currently in your wp-config.php file then replace them with the keys found in the salt generator. Just copy and paste them in.
By the time you have finished this process, the file will look like it did before only with different random strings of characters — giving you the robust security you need to stay safe online. Just save the changes and, if necessary, re-upload your wp-config.php file.
Using a Plugin to Change WordPress Salts
You can change your website’s salts with a plugin instead of doing it manually. One of the most popular free options is the Salt Shaker plugin, and it has one key advantage over the manual alternative: you can configure the plugin to change your salts automatically based on your own scheduling, and you can manually change salts with it too.
Install the plugin, activate it, then go to Tools and click on Salt Shaker. Click on Change Now if you want to manually change your salts immediately. But if you want to, you can take advantage of the convenient Scheduled Change feature instead.
When using WordPress, salts and security keys keep your login process secure and protects those cookies used by WordPress to verify users. Your WordPress website is equipped with unique salts and security keys by default, so you don’t have to set anything up to put them in place.
Still, it is beneficial to your site’s security to regularly update your salts to prevent unauthorized users from getting access to them. You can either use the WordPress.org salt generator to edit your wp-config.php file manually or use one of the free plugins instead.