WordPress Salts and Keys: Everything You Need to Know

More than 30% of all the websites in the world are powered by WordPress, making it the most popular CMS by far. Even so, people still rightly wonder about how secure WordPress is. Protecting a website is a top priority in today’s world because hackers know how to find their way around the most complex security measures. Luckily, hackers don’t set clear targets, unless they really have a reason to. In most situations, they look for the weakest link and take over websites or software products which are vulnerable.

First and foremost, WordPress websites should be protected with strong credentials, but there are other factors that matter just as much as a secure password. To make sure that attackers are very unlikely to break into your website, you should learn about and apply these extra measures.

This article, created by our team at wpDataTables, presents the facts about WordPress salt keys. ‘Salt’ keys are meant to keep your website’s passwords protected at all times. With strong salt keys, attackers won’t be able to see or use your credentials, even if they get hold of your website database. Here you will find details about what WordPress salts are and how you can change yours using the Salt Shaker plugin or manually, so keep reading.

Understanding WordPress Salt Keys

WordPress salts are cryptographic elements that are meant to secure data by a process called hashing. Most platforms that rely on credentials alone for the security of their users and the content they host through the platform use salt keys to protect sensitive data from hackers. The hashing process encrypts the passwords whenever they are typed into the login form and saved to the database. In addition, your browser cookies are also hashed with salt keys to prevent attackers from impersonating you after stealing your cookies.

When using WordPress salt keys, you can rest assured that your login area is much more difficult to break into. The same goes for the information stored in the cookies of a browser, which can be rather dangerous if you don’t provide salts to hash them with. Fortunately, WordPress comes with built-in support for adding your own salts. These can be found in the wp-config.php file, located in the public_html folder. They normally look something like this:

Types of WordPress Salts

If you have the current version of WordPress, security keys come in four types and they are used each time you log in to your site. For each security key, you need to have a corresponding WordPress salt key. By default, they are generated by WordPress automatically, so you don’t need to add them by hand. The types of WordPress salts are:

LOGGED_IN_KEY – This is used to generate cookies for a user that logs in. These cookies cannot be used to make changes on the site.

SECURE_AUTH_KEY – This is used for the SSL admin to generate an authorizing cookie. These cookies can be used to make changes to the site.

AUTH_KEY – This is used for the non-SSL admin to generate an authorizing cookie. These cookies can be used to make changes on the site.

NONCE_KEY – This is used to sign the nonce key which protects the nonces being generated. This is the type of WordPress salt that keeps your website secure from multiple forms of cyber attacks.

How do WordPress Salts work?

There are website platforms that rely on PHP sessions in order to track the users and their login sessions. Not WordPress. On WordPress, the verification of all users, varying from admins to commenters, is done by analyzing cookies or the information that gets stored in a browser’s history. Whenever a person logs into the WordPress Dashboard, some cookies are created instantly and then saved, with the acceptance of the user. The cookies that are created look like this:

wordpress_[hash]

wordpress_logged_in_[hash]

The function of WordPress salts is very easy to understand. Let’s say that your password is “demo-password”. This is a very simple password that can be guessed or hacked rather rapidly. Keys represent randomized variables that are added to your existing password to make it encrypted. Each time you log in, the password is stored in your browser’s cookie files so that you don’t need to type in your credentials every time you visit the website. This is where salt keys step in. The stored password becomes very difficult to crack once you get it encrypted, and that can only happen with the help of WordPress salts.

How Can You Change WordPress Salts?

In some cases, you might be required to generate WordPress salts yourself. In other cases, the security keys are pre-defined. See what your case is, and – if the salt keys are missing – follow these very simple steps to configure them:

Manually

To do it manually, you will need to generate a secret key. You can do that right within WordPress, using the random key generator that the platform offers. Instead of creating a secret key yourself, use this method, as the characters are more difficult to crack. It will only take you a couple of seconds to do it, so it’s definitely not a waste of time.

Then, access https://api.wordpress.org/secret-key/1.1/salt/ and check out the list that pops up. It is a list of replacement keys and salt keys. It should look like this:

The next step is copying these WordPress salts and opening your FTP client. Navigate to the root folder of your site and right-click the wp-config.php file to edit it. Search for the “Authentication Unique Keys and Salts” line and replace everything that you find under this section with the WordPress salts you’ve just copied. Don’t forget to save the changes and upload the file back to the server. Doing this every three to six months is the best way to keep your site secured. Always use the WordPress.org secret-key service to have your keys generated.
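The manual edit above can be scripted and checked. This Python sketch is an added example, not code from WordPress or wpDataTables: it audits the key and salt lines of a wp-config.php and swaps in the lines copied from the secret-key service. The function names, the sample config and the stand-in response are constructed for illustration; the four `*_SALT` names are the standard counterparts of the keys listed earlier.

```python
import re
import secrets
import string

# The eight constants: the four keys named above plus their matching salts.
NAMES = [f"{p}_{s}" for s in ("KEY", "SALT")
         for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFINE = re.compile(r"^[ \t]*define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\);[ \t]*\n?", re.M)
# Constructed sample file: one key still at its placeholder, the rest missing.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_NAME', 'wp' );\ndefine( 'AUTH_KEY', 'put your unique phrase here' );\n"

def parse(text):
    """Map constant name -> value for the key/salt define() lines in text."""
    return {m[1]: m[2] for m in DEFINE.finditer(text) if m[1] in NAMES}

def audit(config_text):
    """Return a list of problems with the key/salt section of wp-config.php."""
    found = parse(config_text)
    problems = [f"{n}: missing" for n in NAMES if n not in found]
    problems += [f"{n}: placeholder or short value" for n, v in found.items()
                 if v == PLACEHOLDER or len(v) < 64]
    if len(set(found.values())) < len(found):
        problems.append("same value used for more than one constant")
    return problems

def rotate(config_text, service_text):
    """Swap the key/salt lines for the ones in service_text; add them if absent."""
    new = parse(service_text)
    if set(new) != set(NAMES):
        raise ValueError("replacement text must define all eight constants")
    block = "".join(f"define('{n}', '{new[n]}');\n" for n in NAMES)
    placed = False
    def swap(m):  # a function, so symbols in the values are never read as escapes
        nonlocal placed
        if m[1] not in NAMES:
            return m[0]          # leave DB_NAME and other settings untouched
        first, placed = not placed, True
        return block if first else ""
    out = DEFINE.sub(swap, config_text)
    if not placed:               # no keys in the file yet: add after the <?php line
        head, _, rest = out.partition("\n")
        out = f"{head}\n{block}{rest}"
    return out

def constructed_response():
    """Constructed stand-in for the text copied from the secret-key service."""
    chars = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"
    rand = lambda: "".join(secrets.choice(chars) for _ in range(64))
    return "".join(f"define('{n}', '{rand()}');\n" for n in NAMES)
```

Run `audit()` on the file before and after the edit; an empty list means all eight constants are present, long and distinct.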

Using a plugin

If you find the steps above too complicated, you can resort to the easier method which is using a plugin. Salt Shaker is a free plugin that automates all the steps that you read about above. You just have to download and activate it. Using a plugin gives you an extra feature that you can’t set when you are making the changes manually. With Salt Shaker, you can schedule when you want your WordPress salts to be changed, thus getting rid of some responsibilities. Keep in mind that you and any other person who uses your website will have to log in again using the WordPress login page after each change of the WordPress salts.

The Benefits of WordPress Security Keys

When a site is hacked, most of the data on it – if not all – will be compromised. Instead of panicking, you need to figure out what step you should follow next. Changing the WordPress salts and the unique keys you’ve been using will invalidate all logged in users, including hackers. This should buy you some time to save your website from complete corruption. Besides using WordPress salt keys, don’t forget to get an SSL certificate, to enforce the use of secure FTP clients, hide any files that are vital and reduce access to them, and so on. WordPress security keys are just one layer of protection. Don’t forget that you need to cover them all.
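Why changing the keys and salts logs everyone out, as a simplified model added here (not WordPress's own cookie code): the login cookie carries a MAC keyed with key + salt, so a cookie issued under the old values stops verifying once they change. The cookie layout, function names and sample values are assumptions for illustration.

```python
import hashlib
import hmac
import time

def _mac(payload, key, salt):
    """HMAC over the cookie payload, keyed with the secret key plus its salt."""
    return hmac.new((key + salt).encode(), payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, key, salt, ttl=3600, now=None):
    """Return 'user|expiry|mac' for a freshly logged-in user."""
    expiry = int(now if now is not None else time.time()) + ttl
    payload = f"{user}|{expiry}"
    return f"{payload}|{_mac(payload, key, salt)}"

def verify_cookie(cookie, key, salt, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        user, expiry, mac = cookie.rsplit("|", 2)
        expiry = int(expiry)
    except ValueError:
        return None                      # malformed cookie
    expected = _mac(f"{user}|{expiry}", key, salt)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                      # forged, altered, or signed with old secrets
    if expiry < (now if now is not None else time.time()):
        return None                      # expired
    return user

if __name__ == "__main__":
    # Constructed values: a session issued before the keys were rotated.
    stolen = issue_cookie("admin", "old-key", "old-salt")
    print(verify_cookie(stolen, "old-key", "old-salt"))   # accepted before rotation
    print(verify_cookie(stolen, "new-key", "new-salt"))   # rejected after rotation
```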

Wrap-up

Ensuring the security of your WordPress site is not an easy process, but it is worth all the effort. Using WordPress salts to keep the authentication process secure and save your data in the eventuality of a cyber attack is one of the actions you can’t skip. Make sure to apply everything you’ve learned in this article for extra protection.
