One of the easiest things you can do, yet something that will go a long way in securing your website is to change your WordPress Security Keys and Salts. In this article, we focus on what they are and how they ensure that your website remains safe from hackers.
What WordPress Security Keys and Salts Are
WordPress security keys and salts are cryptographic tools that help secure your WordPress site’s login. Essentially, a salt is random data – usually extra characters – added to a password. WordPress uses salts to help protect passwords when they’re being stored in the backend. A security key is a password containing a random, long, and complicated set of variables that improve encryption, making it almost impossible to crack your password. Currently, WordPress uses four security keys, each with salt, to boost your website’s security.
You will find the WordPress security keys and salts in the wp-config.php file, located in the root folder. Here are those four WordPress Security Keys and salts:
- AUTH_KEY: signs the authorization cookie for non-SSL connections, which is used to make changes to the site. The corresponding salt is AUTH_SALT.
- SECURE_AUTH_KEY: signs the authorization cookie for the SSL admin, which is used to make changes to the website. The corresponding salt is SECURE_AUTH_SALT.
- LOGGED_IN_KEY: used to create the cookie for a logged-in user; this cookie can’t be used to make changes to the website. The corresponding salt is LOGGED_IN_SALT.
- NONCE_KEY: used to sign nonces. This key protects the nonces from being generated by an attacker, which protects you from being hacked. The corresponding salt is NONCE_SALT.
How to Change WordPress Security Keys and Salts
There are a few ways one can change their site’s security keys and salts based on their experience and comfort level in web development.
1. Using a plugin
If you are a WordPress beginner, you might want to use a plugin to change your WordPress security keys and salts easily and without hassle. The most popular free plugin you can use is Salt Shaker. It is extremely user-friendly. You can set up the plugin to automatically change your salts on a schedule that you can pick. Here are the steps:
- Install and activate the Salt Shaker plugin, then go to Tools → Salt Shaker.
- If you want to manually change your salts, click Change Now.
- You can also use the Scheduled Change feature to automatically change your salts on a daily, weekly, monthly, quarterly, or biannual basis.
2. Manually editing wp-config.php
To manually change your WordPress Security Keys and Salts without having to install any plugins or software, you would need to edit your site’s wp-config.php file. Make sure to be extremely careful and take a backup beforehand, as things can go wrong pretty quickly if you don’t know what you are doing.
Once you open your wp-config.php file, scroll down to the “Authentication Unique Keys and Salts” section where you’ll find your WordPress security keys and salts. You can then use the official WordPress secret key generator to generate your salts and keys and replace the old keys and salts in your website. Save the file after you’re done with that. Make sure to keep doing this regularly, as that will ensure that your site stays secure.
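The manual steps above (back up, find the eight define() lines, replace their values, save) can be scripted. This is an added example, not code from WordPress or from the plugin mentioned earlier; it assumes the values are generated locally with Python's secrets module instead of the online generator, and the function names are hypothetical.

```python
import re
import secrets
import shutil
from pathlib import Path

# The eight constants in the "Authentication Unique Keys and Salts" section.
NAMES = [f"{prefix}_{kind}" for kind in ("KEY", "SALT")
         for prefix in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]

# Printable ASCII that is literal inside a single-quoted PHP string
# (everything except the single quote and the backslash).
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")


def new_secret(length=64):
    """Return a random value drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return config_text with all eight define() values replaced."""
    for name in NAMES:
        pattern = re.compile(
            r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        line = f"define( '{name}', '{new_secret()}' );"
        # A callable replacement keeps re from interpreting the new value.
        config_text, count = pattern.subn(lambda _m: line, config_text)
        if count != 1:
            # Refuse to write a half-rotated file.
            raise ValueError(f"{name}: expected 1 define(), found {count}")
    return config_text


def rotate_file(path):
    """Back up wp-config.php next to itself, then write the rotated copy."""
    path = Path(path)
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)  # the backup still holds the old keys
    path.write_text(rotate_salts(path.read_text(encoding="utf-8")),
                    encoding="utf-8")
    return backup


if __name__ == "__main__":
    # Constructed sample input, not a real configuration file.
    sample = "".join(f"define( '{n}', 'put your unique phrase here' );\n"
                     for n in NAMES)
    print(rotate_salts(sample))
```

The .bak copy contains the database credentials and the old keys, so move it out of the web root or delete it once the site is confirmed working.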
How WordPress Security Keys and Salts Work
By regularly changing your WordPress security keys and salts, you make it harder for a hacker to get unauthenticated access to your site. Changing your salts will also automatically log out all logged-in users and force them to log in again. For example, if someone logged in to your site on a public computer and forgot to log out, they’ll automatically be logged out when you change your salts. (This prevents unauthorized users from gaining access to your site.)
Conclusion: WordPress Security Keys and Salts
Cyber attacks are horrible, and so are their after-effects on your traffic, revenue, and even your reputation. So, to prevent getting attacked, it is advisable to invest in security and follow good security practices like frequently and regularly changing your WordPress Security Keys and Salts – a little bit on your part can go a long way!