WordPress uses salts and security keys to protect your website against hacking attempts. These salts or security keys are strings of random characters, used by WordPress to encrypt your login credentials to make it harder for hackers to generate enough options to break through your site’s security barriers. In this way security keys and salts add an additional layer of authentication and improves the security of your website.
There’s more to it. What actually are WordPress Salts, where are they located, how WordPress works with these security keys, why and how to update WordPress Salts and Security keys…?
In this article, we will discuss everything about WordPress Salts & Security keys. Let’s get started!
What are WordPress Security Keys and SALTs?
WordPress salts along with their companion security keys are cryptographic essentials that help secure your WordPress site’s login.
Essentially, a salt is random data – usually extra characters – added to plain text password. WordPress uses salts and security keys together referred to as secret keys to encrypt username and password when they are stored in the database.
The security keys and salts cryptographically convert the plaintext password into a random jumble of characters which would be impossible for a person to reverse engineer without access to your keys and salts.
These keys are located in your site’s
wp-config.php file. Currently, WordPress uses the following four security keys, each with salt:
- AUTH_KEY: used to sign the authorizing cookie for the non-SSL and is used to make changes to the website. The corresponding salt is AUTH_SALT.
- SECURE_AUTH_KEY: used to sign the authorizing cookie for SSL admin and is used to make changes to the website. The corresponding salt is SECURE_AUTH_SALT.
- LOGGED_IN_KEY: used to create a cookie for a logged-in user but can’t be used to make changes to the website. The corresponding salt is LOGGED_IN_SALT.
- NONCE_KEY: used to sign the nonce key. This key protects the nonces from being generated, therefore protecting you from being hacked. The corresponding salt is NONCE_SALT.
Let’s dig deeper to see what happens behind the scenes…
How WordPress Security Keys and Salts Work
When a new WordPress user logs in (this applies to backend users as well as commenters), the information about their session is stored in a cookie so that they don’t need to enter the username and password every single time a page is loaded. Most applications use PHP sessions to store and track user session information.
Cookie: A cookie is a small file that gets stored on your computer (or any other device) when you go to a website. It contains bits of information like whether you have logged in to the site and at time even your password.
WordPress uses these cookies to track the identity of the logged in users when they revisit the website later. These cookies are stored in database as well as on client’s browser. While this adds to user’s convenience, it also opens the potential for a security issue if someone were able to hijack your browser’s cookies.
To avoid this, users’ information is encrypted by using salts and security keys (secret keys) while also being stored for future use to streamline the login process.
As per WordPress Codex,
A secret key makes your site harder to successfully attack by adding random elements to the password.
In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, long password which uses no dictionary words, such as “88a7da62429ba6ad3cb3c76a09641fc” would take a brute force attacker millions of hours to crack. A salt is used to further enhance the security of the generated result.
This is WordPress’s way of providing enhanced security for user sessions and data.
Why Do We Need To Update WordPress Salts & Security Keys?
Back in December of 2017, Wordfence reported that 1.4 billion sets of login credentials were stolen, and an aggressive WordPress brute force attack campaign occurred shortly after that incident. With usernames and matching passwords readily available to the hackers, they launched attack after attack with 14.1 million attacks an hour at its peak.
The only rescue in this scenario for WordPress admins was to require all users to reset and change their passwords. But was that enough? This is the exact scenario where you should immediately turn your attention to WordPress security keys — up the game by updating the salts & security keys. As soon as you update these secret keys, the existing cookies are invalidated and all the logged-in users are logged out of the site.
Updating WordPress Salts & Security Keys effectively helps in hardening the WordPress login to fend off brute force attacks. The security keys introduce an additional layer of authentication and enhances security of your website.
Here are some of the use cases for effectively using WordPress security keys and salts for hardening the security:
- Change the WordPress security keys and salts immediately after launching a new WordPress site.
- If you notice any malicious activity or unauthenticated users on your site, update your security keys in addition to deleting suspicious user accounts and forcing all users to change their passwords. Here are some indicating signs that your site has been hacked or compromised.
- If your WordPress site was hacked then after restoring the hacked site it is important to change the salt keys, along with other post-hack recommendations. Here’s a step by step guide to clean malware from your WordPress website.
How To Change Your WordPress Salt Keys (3 Methods)
Change Your Salt Keys Manually
Salts are created using secret keys and secret keys are located in the
wp-config.php file. Here are the two simple steps to manually change the WordPress security keys by editing
WordPress provides an online Salt keys generator which randomly generates new security keys for your website. All the required keys are automatically generated. Click on the link above and copy the entire generated code.
Step Two: Edit your
Connect to your site via FTP using Filezilla or a code editor of your choice. Navigate to the root directory of your site and locate
wp-config.php. Take a quick backup of this file. Now open
wp-config.php (select View / Edit option in Filezilla) and look for “Authentication Unique Keys and Salts” section. Replace the existing security and SALT keys with newly generated keys.
Once you change the salt keys it invalidate all existing cookies. This means all the logged in users will be logged out of the website, and will have to log back in again.
Regenerate WordPress Security Keys via Plugin(s)
If you are not comfortable editing remote server files, you can use a dedicated plugin for shuffling the salt keys — Salt Shaker. It enables you to update your security keys/salts at the click of a button.
- Install and activate the Salt Shaker plugin.
- Go to Tools → Salt Shaker to configure the settings.
- Click on “Change Now” button to immediately change the WordPress keys and salts.
This plugin also allows you to automatically change your Salt keys on a periodic basis: Daily, Weekly, Monthly, Quarterly and Biannually. You can choose a frequency that works best for your site, however in most of the cases quarterly or biannually should suffice.
Other Security Plugins: Some security plugins like iThemes Security, Sucuri and MI Security Suite also include features which make it easy for you to change WordPress salts via WordPress backend itself.
- iThemes Security: Go to Security → Settings, click on Tools menu from the left pane on settings page and open Change WordPress Salts and click Run.
- Sucuri Security: Go to Sucuri Security → Settings, Post-Hack tab and click on Generate New Security Keys. Sucuri also provides the feature of setting automatic updater for security keys.
- MI Security Suite: Go to MI Security Suite, open Salt Shuffler meta box and click on Shuffle Salts.
Using WP CLI Command
If you are an advanced user, you can simply shuffle the salts by using the following WP-CLI command:
wp config shuffle-salts
This command will generate new salts for your
wp-config.php file. Here is a quick reference guide: wp config shuffle-salts.
WordPress security keys and salts don’t do anything to your users login information except that these keys are used for encrypting the credentials. So, when you change your site’s security keys your users are not affected at all. The only thing that changes for them is that they are logged out and are forced to re-enter their login credentials to login to the site.
How Often Do We Need To Change WordPress SALT keys?
Updating your WordPress security keys on a regular basis is a great way for hardening your WordPress site. While the keys are extremely difficult to break, changing them every so often adds another layer of complexity. It also helps in halting any progress made by the hackers.
You can consider changing the salts and security keys at the time when you are initially setting up your site and thereafter every six months (biannually) or so is good enough. However, it becomes critical to change WordPress salts right after your site is hacked. If your site had malware, it is very likely that the keys were compromised. After restoration it is of utmost importance to shuffle the salts keys.
If you want to dig deeper into the technicalities of WordPress Salts, Security Keys and Cryptography techniques, here are a few helpful resources: