WordPress Salts and Keys: Everything You Need to Know

More than 30% of all the websites in the world are powered by WordPress, making it the most popular CMS by far. Even so, people still rightly wonder about how secure WordPress is. Protecting a website is a top priority in today’s world because hackers know how to find their way around the most complex security measures. Luckily, hackers don’t set clear targets, unless they really have a reason to. In most situations, they look for the weakest link and take over websites or software products which are vulnerable.

First and foremost, WordPress websites should be protected with strong credentials, but there are other factors that matter just as much as a secure password. To make sure that attackers are very unlikely to break into your website, you should learn about and apply these extra measures.

This article, created by our team at wpDataTables, presents the facts about WordPress salt keys. ‘Salt’ keys are meant to keep your website’s passwords protected at all times. With strong salt keys, attackers won’t be able to see or use your credentials, even if they get hold of your website database. Here you will find details about what WordPress salts are and how you can change yours using the Salt Shaker plugin or manually, so keep reading.

Understanding WordPress Salt Keys

WordPress salts are cryptographic elements that are meant to secure data by a process called hashing. Most platforms that rely on credentials alone for the security of their users and the content they host through the platform use salt keys to protect sensitive data from hackers. The hashing process encrypts the passwords whenever they are typed into the login form and saved to the database. In addition, your browser’s third-party cookies are also hashed with salt keys to prevent attackers from impersonating you after stealing your cookies.

When using WordPress salt keys, you can rest assured that your login area is much more difficult to break into. The same goes for the information stored in the cookies of a browser, which can be rather dangerous if you don’t provide salts to hash them with. Fortunately, WordPress comes with built-in support for adding your own salts. These can be found in the wp-config.php file, located in the public_html folder. They normally look something like this:

Types of WordPress Salts

If you have the current version of WordPress, security keys come in four types and they are used each time you log in to your site. For each security key, you need to have a corresponding WordPress salt key. By default, they are generated by WordPress automatically, so you don’t need to add them by hand. The types of WordPress salts are:

LOGGED_IN_KEY – This is used to generate cookies for a user that logs in. These cookies cannot be used to make changes on the site.

SECURE_AUTH_KEY – This is used for the SSL admin to generate an authorizing cookie. These cookies can be used to make changes to the site.

AUTH_KEY – This is used for the non-SSL admin to generate an authorizing cookie. These cookies can be used to make changes on the site.

NONCE_KEY – This is used to sign the nonce key which protects the nonces being generated. This is the type of WordPress salt that keeps your website secure from multiple forms of cyber attacks.

How do WordPress Salts work?

There are website platforms that rely on PHP sessions in order to track the users and their login sessions. Not WordPress. On WordPress, the verification of all users, varying from admins to commenters, is done by analyzing cookies or the information that gets stored in a browser’s history. Whenever a person logs into the WordPress Dashboard, some cookies are created instantly and then saved, with the acceptance of the user. The cookies that are created look like this:



The function of WordPress salts is very easy to understand. Let’s say that your password is “demo-password”. This is a very simple password that can be guessed or hacked rather rapidly. Keys represent randomized variables that are added to your existing password to make it encrypted. Each time you log in, the password is stored in your browser’s cookie files so that you don’t need to type in your credentials every time you visit the website. This is where salt keys step in. The stored password becomes very difficult to crack once you get it encrypted, and that can only happen with the help of WordPress salts.

How Can You Change WordPress Salts?

In some cases, you might be required to generate WordPress salts yourself. In other cases, the security keys are pre-defined. See what your case is, and – if the salt keys are missing – follow these very simple steps to configure them:


To do it manually, you will need to generate a secret key. You can do that right within WordPress, using the random key generator that the platform offers. Instead of creating a secret key yourself, use this method, as the characters are more difficult to crack. It will only take you a couple of seconds to do it, so it’s definitely not a waste of time.

Then, access https://api.wordpress.org/secret-key/1.1/salt/ and check out the list that pops up. It is a list of replacement keys and salt keys. It should look like this:

The next step is copying these WordPress salts and opening your FTP client. Navigate to the root folder of your site and right-click the wp-config.php file to edit it. Search for the “Authentication Unique Keys and Salts” line and replace everything that you find under this section with the WordPress salts you’ve just copied. Don’t forget to save the changes and upload the file back to the server. Doing this every three to six months is the best way to keep your site secured. Always use the WordPress.org secret-key service to have your keys generated.
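The manual replacement described above can also be scripted. The Python sketch below is an added example, not code from the original article or from WordPress: it takes the text of wp-config.php and the block copied from the secret-key service as strings, and it goes one step beyond the text by also reporting constants that are missing, still at the sample file's default, or reused. The function names and all sample values are constructed for the illustration, and it assumes single-quoted define() lines.

```python
import re

# The eight constants WordPress reads from wp-config.php.
NAMES = [p + s for s in ("_KEY", "_SALT")
         for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
# Value shipped in wp-config-sample.php; a constant left at it was never set.
PLACEHOLDER = "put your unique phrase here"
# One whole line of the form: define( 'AUTH_KEY', 'value' );
DEFINE = re.compile(
    r"^[ \t]*define\(\s*'(\w+)'\s*,\s*'((?:[^'\\\n]|\\.)*)'\s*\);[ \t]*$", re.M)

def parse(text):
    """Map constant name -> (value, whole define line) for the eight constants."""
    return {m[1]: (m[2], m[0].strip()) for m in DEFINE.finditer(text) if m[1] in NAMES}

def audit(config):
    """Return findings to fix: missing, placeholder or reused values."""
    found = parse(config)
    issues = [f"{n}: missing" for n in NAMES if n not in found]
    values = [v for v, _ in found.values()]
    for name, (value, _) in found.items():
        if value == PLACEHOLDER:
            issues.append(f"{name}: default placeholder")
        elif values.count(value) > 1:
            issues.append(f"{name}: value reused by another constant")
    return issues

def rotate(config, new_block):
    """Swap in the lines from new_block; add any constant the config lacks."""
    new = {n: line for n, (_, line) in parse(new_block).items()}
    if set(new) != set(NAMES):
        raise ValueError("replacement block must define all eight constants")
    seen = set()
    def swap(match):  # a function, so a backslash in a value is not an escape
        if match[1] not in new:
            return match[0]
        seen.add(match[1])
        return new[match[1]]
    out = DEFINE.sub(swap, config)
    absent = [new[n] for n in NAMES if n not in seen]
    if absent:  # defines must run before wp-settings.php is loaded
        out = out.replace("<?php", "<?php\n" + "\n".join(absent), 1)
    return out

# Constructed sample data (not real keys): one placeholder, one constant missing.
OLD_CONFIG = "<?php\n" + "".join(
    f"define( '{n}', '{PLACEHOLDER if n == 'NONCE_KEY' else 'old-' + n}' );\n"
    for n in NAMES if n != "NONCE_SALT") + "require_once ABSPATH . 'wp-settings.php';\n"
NEW_BLOCK = "".join(f"define('{n}', '{n.lower()}\\1$&' );\n" for n in NAMES)
```

Running `audit(rotate(OLD_CONFIG, NEW_BLOCK))` returns an empty list, which is the check to repeat on the real file before uploading it back to the server.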

Using a plugin

If you find the steps above too complicated, you can resort to the easier method which is using a plugin. Salt Shaker is a free plugin that automates all the steps that you read about above. You just have to download and activate it. Using a plugin gives you an extra feature that you can’t set when you are making the changes manually. With Salt Shaker, you can schedule when you want your WordPress salts to be changed, thus getting rid of some responsibilities. Keep in mind that you and any other person who uses your website will have to log in again using the WordPress login page after each change of the WordPress salts.

The Benefits of WordPress Security Keys

When a site is hacked, most of the data on it – if not all – will be compromised. Instead of panicking, you need to figure out what step you should follow next. Changing the WordPress salts and the unique keys you’ve been using will invalidate all logged in users, including hackers. This should buy you some time to save your website from complete corruption. Besides using WordPress salt keys, don’t forget to get an SSL certificate, to enforce the use of secure FTP clients, hide any files that are vital and reduce access to them, and so on. WordPress security keys are just one layer of protection. Don’t forget that you need to cover them all.
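Why changing the keys logs everyone out, as an added example that is not part of the original article and is not WordPress's own code: a simplified login cookie signed with an HMAC whose secret is a key constant joined to its salt. The cookie layout, function names and key values are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

def signing_secret(key, salt):
    """Assumed model: the secret is a key constant joined with its salt."""
    return (key + salt).encode()

def issue_cookie(user, secret, ttl=3600, now=None):
    """Return 'user|expiry|mac'; the MAC covers the user name and expiry."""
    expiry = int(time.time() if now is None else now) + ttl
    payload = f"{user}|{expiry}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_cookie(cookie, secret, now=None):
    """Return the user name if the MAC checks out and the cookie is unexpired."""
    try:
        payload, mac = cookie.rsplit("|", 1)
        user, expiry = payload.rsplit("|", 1)
        expiry = int(expiry)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, so timing does not reveal how much matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # altered, or signed under a different secret
    if expiry < (time.time() if now is None else now):
        return None
    return user

# Constructed values for illustration; real keys are long random strings.
T0 = 1_700_000_000
OLD_SECRET = signing_secret("old-logged-in-key", "old-logged-in-salt")
NEW_SECRET = signing_secret("new-logged-in-key", "new-logged-in-salt")
OLD_COOKIE = issue_cookie("alice", OLD_SECRET, now=T0)  # issued before rotation

if __name__ == "__main__":
    print("before rotation:", verify_cookie(OLD_COOKIE, OLD_SECRET, now=T0 + 60))
    print("after rotation: ", verify_cookie(OLD_COOKIE, NEW_SECRET, now=T0 + 60))
```

The cookie itself is unchanged between the two checks; only the server-side secret differs, which is why every existing session, legitimate or not, stops verifying at once.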

FAQs about WordPress salts and keys

1. What are WordPress salts and keys, and what is their purpose?

WordPress salts and keys are distinctive, arbitrary strings of characters that are applied to WordPress websites to increase security.

The keys are used to encrypt and decrypt sensitive data, including user cookies and authentication tokens, while the salts are used to create safe, encrypted versions of user passwords.

WordPress websites can more effectively withstand brute-force attacks and other malicious attempts by employing special salts and keys.

2. How can I generate new WordPress salts and keys?

Use the WordPress Salts Generator or a tool of a similar nature to create fresh WordPress salts and keys. The produced code should be copied and pasted into the wp-config.php file in the root directory of your WordPress installation.

3. Where are WordPress salts and keys stored?

The wp-config.php file, which is a configuration file for your WordPress installation, is where WordPress salts and keys are kept. WordPress uses a number of settings from this file to connect to your database and other components of your website.

4. How often should I change my WordPress salts and keys?

Change your WordPress salts and keys at least once every six months, or anytime there is a significant shift in the security or user base of your website. Regularly changing the salts and keys can help to stop attacks that depend on utilizing known, out-of-date salts and keys.

5. Can I use the same WordPress salts and keys across multiple websites?

Using the same WordPress keys and salts across many websites is not advised since it could make it simpler for attackers to compromise multiple sites if one key or salt is compromised. There should be a separate set of salts and keys for each website.

6. Are WordPress salts and keys necessary for website security?

Indeed, WordPress salts and keys are crucial to the safety of websites. They aid in stopping attacks that depend on guessing or cracking passwords as well as assaults that depend on taking advantage of widely-known, out-of-date keys and salts.

7. What happens if I lose my WordPress salts and keys?

You must produce new salts and keys for WordPress and replace the outdated ones in your wp-config.php file if you misplace them. Keep your salts and keys secure and backed up because misplacing them could jeopardize the security of your website.

8. How do WordPress salts and keys differ from passwords?

In contrast to passwords, which are used to authenticate users, WordPress salts and keys are used to encrypt and decrypt sensitive data. Yet when making safe, encrypted copies of user passwords, salts and keys are employed.

9. Can WordPress salts and keys prevent brute-force attacks?

WordPress salts and keys make it far more difficult for attackers to crack or guess user passwords, hence assisting in the prevention of brute-force attacks. WordPress can create safe, encrypted versions of user passwords that are significantly more difficult to crack than passwords hashed using basic algorithms by employing one-of-a-kind salts and keys.

10. How do WordPress salts and keys relate to cookies and sessions in WordPress?

WordPress uses cookies and sessions along with salts and keys to authenticate users and encrypt private information. While salts and keys are used to encrypt and decrypt this information to secure it from hackers, cookies and sessions are used to store user information and keep users logged in between page loads.


Ensuring the security of your WordPress site is not an easy process, but it is worth all the effort. Using WordPress salts to keep the authentication process secure and save your data in the eventuality of a cyber attack is one of the actions you can’t skip. Make sure to apply everything you’ve learned in this article for extra protection.

Bogdan Radusinovic

Senior SEO and Marketing Specialist
