WordPress Security Keys and Salts – All You Need To Know [2021]

Updated on: August 9, 2021

One of the easiest things you can do, and one that goes a long way toward securing your website, is to change your WordPress security keys and salts. In this article, we focus on what they are and how they ensure that your website remains safe from hackers.

What WordPress Security Keys and Salts Are

WordPress security keys and salts are cryptographic tools that help secure your WordPress site’s login. Essentially, a salt is random data – usually extra characters – added to a password. WordPress uses salts to help protect passwords when they’re being stored in the backend. A security key is a password containing a random, long, and complicated set of variables that improve encryption, making it almost impossible to crack your password. Currently, WordPress uses four security keys, each with a corresponding salt, to boost your website’s security.

You will find the WordPress security keys and salts in the wp-config.php file, located in the root folder. Here are those four WordPress Security Keys and salts:

  1. AUTH_KEY: used to make changes to the site; it signs the authorization cookie for non-SSL connections. The corresponding salt is AUTH_SALT.
  2. SECURE_AUTH_KEY: used to sign the authorization cookie for SSL admin access and to make changes to the website. The corresponding salt is SECURE_AUTH_SALT.
  3. LOGGED_IN_KEY: used to create a cookie for a logged-in user, but it can’t be used to make changes to the website. The corresponding salt is LOGGED_IN_SALT.
  4. NONCE_KEY: used to sign nonces. This key keeps attackers from generating valid nonces, which protects you from being hacked. The corresponding salt is NONCE_SALT.

How to Change WordPress Security Keys and Salts

There are a few ways one can change their site’s security keys and salts based on their experience and comfort level in web development. 

1. Using a plugin

If you are a WordPress beginner, you might want to use a plugin to change your WordPress security keys and salts easily and without hassle. The most popular free plugin you can use is Salt Shaker. It is extremely user-friendly. You can set up the plugin to automatically change your salts on a schedule that you can pick. Here are the steps:

[Image: The Salt Shaker plugin facilitates hassle-free changing of WordPress salts and keys]

  • Install and activate the Salt Shaker plugin, then go to Tools → Salt Shaker.
  • If you want to manually change your salts, click Change Now.
  • You can also use the Scheduled Change feature to automatically change your salts on a daily, weekly, monthly, quarterly, or biannual basis. 

2. Manually

To manually change your WordPress Security Keys and Salts without having to install any plugins or software, you would need to edit your site’s wp-config.php file. Make sure to be extremely careful and take a backup beforehand, as things can go wrong pretty quickly if you don’t know what you are doing.

Once you open your wp-config.php file, scroll down to the “Authentication Unique Keys and Salts” section, where you’ll find your WordPress security keys and salts. You can then use the official WordPress secret key generator to generate new salts and keys and replace the old ones in the file. Save the file when you’re done. Make sure to keep doing this regularly, as that will ensure that your site stays secure.
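The manual procedure above can also be scripted. The following is an added example, not code from WordPress or from any plugin: it generates the values locally with Python's `secrets` module instead of fetching them from the online generator, and the function names, the 64-character length, and the `backup_dir` parameter are assumptions of this sketch.

```python
import re
import secrets
import shutil
from pathlib import Path

# The four keys and four salts named in this article.
NAMES = [f"{p}_{s}" for s in ("KEY", "SALT")
         for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]

# Printable ASCII minus quote and backslash, so a value can sit inside a
# PHP single-quoted string with no escaping.
ALPHABET = [chr(c) for c in range(33, 127) if chr(c) not in "'\\"]


def new_secret(length=64):
    """Return a random value drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_secrets(config_text):
    """Return config_text with all eight define() values replaced.

    Raises ValueError if a constant is missing or duplicated, so a
    half-rotated file is never produced.
    """
    for name in NAMES:
        pattern = re.compile(
            r"""define\(\s*(['"])%s\1\s*,\s*(['"]).*?\2\s*\)\s*;""" % name)
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A callable replacement stops re from interpreting the secret.
        config_text, hits = pattern.subn(lambda m: line, config_text)
        if hits != 1:
            raise ValueError(f"expected one define() for {name}, found {hits}")
    return config_text


def rotate_file(config_path, backup_dir):
    """Back up wp-config.php outside the web root, then rewrite it."""
    config_path = Path(config_path)
    updated = rotate_secrets(config_path.read_text(encoding="utf-8"))
    # The backup holds the old keys and the database credentials.
    backup = Path(backup_dir) / (config_path.name + ".bak")
    shutil.copy2(config_path, backup)
    tmp = config_path.with_name(config_path.name + ".tmp")
    tmp.touch(mode=0o600)               # never world-readable, even briefly
    tmp.write_text(updated, encoding="utf-8")
    shutil.copymode(config_path, tmp)   # keep the original permissions
    tmp.replace(config_path)            # atomic swap on one filesystem
    return backup
```

Point `backup_dir` at a directory the web server does not serve: a `wp-config.php.bak` left in the site root can be downloaded as plain text.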

How WordPress Security Keys and Salts Work

WordPress uses cookies to track the identity of the users logged in to your website. These cookies belong to your site’s dashboard account and are stored on the client side. For better encryption, the authentication details are hashed using a set of random values specified in the WordPress security keys – as an encrypted password is more difficult to hack than one that’s not.

By regularly changing your WordPress security keys and salts, you make it harder for a hacker to get unauthenticated access to your site. Changing your salts will also automatically log out all logged-in users and force them to log in again. For example, if someone logged in to your site on a public computer and forgot to log out, they’ll automatically be logged out when you change your salts. (This prevents unauthorized users from gaining access to your site.)
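A simplified model of why rotation logs everyone out, added here as an illustration; it is not WordPress's own cookie code. The cookie layout, the use of HMAC-SHA256, and the names `sign_cookie` and `verify_cookie` are assumptions of this sketch, and all keys and salts in it are constructed values.

```python
import hashlib
import hmac
import time


def sign_cookie(username, expires, key, salt):
    """Return 'username|expires|mac', with the MAC keyed by key + salt."""
    payload = f"{username}|{expires}"
    mac = hmac.new((key + salt).encode(), payload.encode(), hashlib.sha256)
    return f"{payload}|{mac.hexdigest()}"


def verify_cookie(cookie, key, salt, now=None):
    """Return the username if the cookie is authentic and unexpired."""
    try:
        username, expires, mac = cookie.rsplit("|", 2)
        expected = sign_cookie(username, int(expires), key, salt)
    except ValueError:
        return None          # malformed cookie
    good = expected.rsplit("|", 1)[1]
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None          # forged, or signed under a rotated-out secret
    if int(expires) < (time.time() if now is None else now):
        return None          # expired
    return username


def demo():
    """Walk through login, tampering, and rotation with constructed values."""
    old = ("constructed-old-key", "constructed-old-salt")
    new = ("constructed-new-key", "constructed-new-salt")
    cookie = sign_cookie("alice", 2_000_000_000, *old)
    forged = cookie.replace("alice", "admin", 1)
    return {
        "valid_before_rotation": verify_cookie(cookie, *old, now=0),
        "forged_username": verify_cookie(forged, *old, now=0),
        "valid_after_rotation": verify_cookie(cookie, *new, now=0),
    }
```

The cookie left behind on the public computer is the `valid_after_rotation` case: the browser still holds it, but the server can no longer reproduce its MAC.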

Conclusion: WordPress Security Keys and Salts

Cyber attacks are horrible, and so are their after-effects on your traffic, revenue, and even your reputation. So, to prevent getting attacked, it is advisable to invest in security and follow good security practices like frequently and regularly changing your WordPress Security Keys and Salts – a little bit on your part can go a long way!

Sreenidhi is a tech enthusiast who enjoys writing about cybersecurity and data science. Her areas of interest include WordPress security, new malware, and recent cybersecurity news.