WordPress Salts - What They Are and How to Use Them

WordPress Salts – What They Are and How to Use Them

WordPress Salts - What They Are and How to Use Them

WordPress currently powers more than 34% of all websites on the internet. This makes it a major target for malicious hackers. Every year, hundreds of thousands of login credentials are stolen by brute force attackers. The vulnerability of a WordPress blog or website is dependent on a number of factors. A few of them include: having outdated versions of WordPress, not changing your passwords regularly, installing themes and plugins from questionable sources, and not changing your WordPress salts and keys.

There are several other factors to consider but let’s focus on WordPress salt keys. We will consider their benefits and how they can be utilized for your website’s security.

Everything you need to know about WordPress salts will be discussed under the following headings

What are WordPress Salt Keys?

WordPress Salt keys are a random string of data that ‘hides’ the login credentials stored in your browser’s cookie. They are cryptographic elements used to encrypt your data for security reasons.

Each time a user logs in to a website, the login details are stored in a small file called a ‘cookie’. And as long as the cookie is valid, login details will not be required from the user when they access the site. However, this vital information (stored in the cookie) can be stolen effortlessly.

This is the reason why Security keys and Salts are used to encrypt those details.

WordPress salts and security keys

The inclusion of WordPress security keys and salt keys prevent your password from appearing as a comprehensive text. Instead of a simple password like ‘wordpass’, an attacker may see a long string of text like ‘198hdms4v5g9e0j2qlu3j6kf6f94j9n4w90ks’. It would be almost impossible for him to crack the code.

However, you should change your WordPress security keys regularly and never share them with a third party.

Why you should change them regularly

Already, we know that WordPress security keys and salts are measures against brute force attacks. Thus, changing them on a regular basis helps beef up security even more. The process of changing these keys automatically removes all logged in users of your website. They will have to log in again. It’s like a site wide reset.

This measure is particularly beneficial in a situation where you already have a logged-on hacker. When the keys are changed, he would no longer have access to your site. You can wear out any potential attacker with this technique.

There are two ways of changing WordPress security keys and salts: Manually and Automatically.

How to generate and change WordPress salts manually?

Generating WordPress salts using the manual method is as easy as one-two-three. It involves three major steps. The first step is to generate WordPress salts. The next is to locate wp-config.php file (this config file contains your website’s configuration details).

Finally, paste the generated keys in the wp-config.php file. The three steps are described below in greater detail.

Step 1: Generate the keys by visiting this web link. A set of randomized variables will appear on your screen.

Generate WordPress salts

You don’t need to understand what you see, just copy the values on your screen. They are meant to be pasted in your wp-config.php file.

Step 2: This step will teach you how to access the wp-config.php file. You can find it in the root of your WordPress directory. Information found in the wp-config.php file includes database names, database host, usernames and passwords.

To locate this file, login to your cPanel (contact your webhost for access details). When in, click File Manager.


There is a folder with name public_html at the left hand side of your screen. This is most often the folder containing your WordPress files. Click on it.

Edit wp-config.php file

The wp-config.php file is located right inside the public_html folder.

Right click on the wp-config.php file and select Edit

Step 3: last of all, substitute the security keys and salts with the new values you generated in step 1

Changing WP salts

And it’s that simple. You have successfully generated new secret keys and salts for your WordPress website.

But note that updating your keys & salts will invalidate any user logged in to the site, forcing them to log in again.

How to change WordPress salts automatically

There are times you may forget to update your sites security keys. To cover for this, you may automate the process. You can change WP security keys on a regular schedule using WordPress plugins for that purpose.

One of such is the Salt Shaker plugin designed by the WordPress foundation. You can Install and activate the plugin using the following steps.

Step 1: Log into your WordPress dashboard and scroll down to plugins. Click Add new

WP dashboard

Search for the salt shaker plugin using the search option at the top right corner of your screen. Then install and activate the plugin.

Salt Shaker

After activating it, visit the Tools » Salt Shaker page to set a plan and make other necessary settings.

Salt Shaker Plugin settings

Set a schedule by ticking the box and picking an option from the drop down. You may decide to change your salts keys daily, weekly, monthly, four times a year, or twice a year. There is no specific rule to this. But we recommend changing the WordPress salts and security keys monthly. You can also click on the ‘change now’ button to make an immediate change.

Henceforth, you do not need to bother about manually changing your salt keys. You have automated the process.

Other security measures to follow

The process of changing your WordPress security keys and salts already gives you an edge against hackers. However, other security measures you should incorporate are as follows:


In this article, we have explained how important salt keys are. They are particularly useful for adding an extra layer of protection to your login information.

We also showed how you can change them manually, as well as on an automatic schedule.

To improve your security, do well to reset WordPress salts from time to time. To further beef up your security, follow the additional suggestions in the section above as well as read our WordPress security guide.

More Resources: