At a high-level, WordPress salts are a way to keep your WordPress site secure by helping to securely store and authenticate the passwords of users at your site.
In this article, you will learn what WordPress salts are, where to find them, and how to change them.
What Are WordPress Salts? In More Detail
WordPress salts, along with their companion security keys, are a cryptographic tool that helps secure your WordPress site’s login.
Specifically, salts and security keys secure information in the cookies that WordPress uses to log you in.
See, once you log in to WordPress, you have the option to stay logged in so that you don’t need to enter your username and password every single time. To accomplish this, WordPress saves your login information in cookies, rather than using PHP sessions.
That’s super convenient for users, but it also opens the potential for a security issue if someone were able to hijack your browser’s cookies.
To avoid this, WordPress uses salts and security keys to secure your login information so that malicious subjects can’t do anything with it. Think of them kind of like “extra” passwords for your site that are almost impossible for a malicious actor to guess.
Because of their importance, you should never share your WordPress salts and security keys with anyone.
Where Are WordPress Salts Located?
WordPress comes with its own salts and security keys by default. They’re located in your site’s wp-config.php file. You should see eight keys total:
- The first four entries are your security keys.
- The last four entries are your WordPress salts.
How Do WordPress Salts Work?
Let’s say your password for your WordPress site is “mypassword” (this is a horrible password but it fits our purposes).
To log in, you enter your username and password. Then, WordPress stores that information in two browser cookies so that you stay logged in (this information is also stored in your site’s database).
However, if WordPress stores your password just like that — “mypassword” — then it’s right there in the open for a malicious actor to see. This is called storing the password in plaintext, and it’s a big no-no when it comes to security.
Security keys and salts avoid this issue by working together to cryptographically turn that plaintext password into a random jumble of characters that are impossible for someone to reverse engineer without access to your keys and salts.
So even though you entered “mypassword” to log in, WordPress will turn your password into something like “hsd78q34%7832$4jkhkjsfd78782^^429nsdf” for storage.
Unless a person has access to your salts and security keys, it would be impossible for them to translate that random jumble of characters into your actual password.
Do You Need to Change Your WordPress Salts and Security Keys?
By default, new WordPress installations come with their own set of keys and salts, so your WordPress site is already secure without requiring any action on your part.
However, there are some reasons to consider changing your salts and keys on a periodic basis.
The basic concept is that by periodically changing your keys and salts, you make it even harder for a malicious actor to get their hands on your salts.
Additionally, changing your salts will automatically log out all logged-in users at your site and force them to log in again, which is another potential benefit. For example, if you accidentally logged in on a public computer and forgot to log out, this would let you force log out that account to make sure no one can get access.
How to Change Your WordPress Salts (Two Methods)
If you want to change salts in WordPress, you have two main options:
Here’s how to use both approaches:
How to Change WordPress Salts Manually
To manually change your site’s salts, you’ll need to connect to your site’s server via FTP and edit your wp-config.php file. If you’re not sure how to do that, check out this article on how to use SFTP at Kinsta.
Once you’re connected, head to the official WordPress.org salt generator. This page will randomly generate salts and security keys for you, just like you saw above. It should generate the four security keys plus four salts (eight total):
Then, delete the existing keys in your wp-config.php file and replace them by pasting in the keys from the WordPress.org salt generator:
Once you’re finished, it should look exactly the same as before — it’s just that the random character strings will be different.
Make sure to save your changes and re-upload your wp-config.php file if needed.
How to Change WordPress Salts with a Plugin
As an alternative to the manual method above, you can also use a plugin to change your site’s salts.
The Salt Shaker plugin is a popular free option with one advantage over the manual method:
You can set it up to automatically change your salts on a schedule that you define. Or, you can also just use it to manually change salts.
Once you install and activate the plugin, go to Tools → Salt Shaker.
If you want to manually change your salts right away, just click the Change Now button.
Or, you can also use the Scheduled Change feature to automatically change your salts on one of the following schedules:
- Daily
- Weekly
- Monthly
- Quarterly (every three months)
- Biannually (every six months)
Some WordPress security plugins, notably iThemes Security, also include features that make it easy to change your WordPress salts.
Summary
WordPress salts and security keys help secure your site’s login process and the cookies that WordPress uses to authenticate users.
Your site comes with its own set of salts and keys by default, so you don’t need to set anything up to benefit from salts.
However, there are security benefits to periodically changing your salts to make it even harder for malicious actors to access them.
To change your salts, you can use the WordPress.org salt generator and manually edit your wp-config.php file or you can use a free plugin like Salt Shaker.
