WordPress Salts – What They Are and How to Use Them

WordPress Salts - What They Are and How to Use Them

The vulnerability of a WordPress blog or website can be as a result of outdated WP versions, using nulled themes and plugins, not changing your WordPress salts and keys, among other reasons.

Whatever you need to do to patch up all loose ends on your website, please do. Here’s why: WordPress currently powers more than 35% of all websites on the internet and has become a major target for malicious hackers.

Hundreds of thousands of login credentials are stolen by brute force attackers, every year😥. This is the main reason why you should take WordPress security very seriously. Changing your WordPress salts is one step in the right direction.

In this article, we’ll focus on WP salts: what they are, their benefits, and how to utilize them for your site’s security.

All you need to know about WordPress salts will be discussed under the following headings:

  1. What are WordPress Salt Keys?
  2. Why you should change them regularly
  3. How to generate and change WordPress salts manually
  4. How to change WordPress salts automatically
  5. Other security measures to follow
  6. Conclusion

What are WordPress Salt Keys?

WordPress Salt keys are a random string of data that ‘hides’ the login credentials stored in your browser’s cookie. They are cryptographic elements used to encrypt your data for security reasons.

Each time a user logs in to a website, the login details are stored in a small file called a ‘cookie’. And as long as the cookie is valid, a user can access the site without inputting the login details.

However, a malicious hacker can steal this vital information (stored in the cookie). For this reason, you need WP Security keys and Salts to encrypt your details.

WordPress salts and security keys

The inclusion of WordPress security keys and salt keys prevents your WP password from appearing as a comprehensive text.

Instead of a simple password like ‘wordpass’, an attacker may see a long string of text like ‘198hdms4v5g9e0j2qlu3j6kf6f94j9n4w90ks’. It would be almost impossible for him to crack.

That said, it is crucial to change your WordPress security keys regularly and never share them with a third party.

Why you should change them regularly

Already, we know that WordPress security keys and salts are measures against brute force attacks. Thus, changing them on a regular basis helps beef up security even more.

The process of changing these keys automatically removes all logged-in users of your website. They will have to log in again. It’s like a site-wide reset.

This measure is particularly beneficial in a situation where you already have a logged-on hacker. When the keys are changed, he would no longer have access to your site. You can wear out any potential attacker with this technique.

There are two ways of changing WordPress security keys and salts: Manually and Automatically.

How to generate and change WordPress salts manually?

Generating WordPress salts using the manual method is as easy as one-two-three. It involves three major steps. The first step is to generate WordPress salts.

The next is to locate wp-config.php file (this config file contains your website’s configuration details).

Finally, paste the generated keys in the wp-config.php file. The three steps are described below in greater detail.

Step 1: Generate the keys by visiting this weblink. You will see a set of randomized variables on your screen.

Generate WordPress salts

You don’t need to understand what you see, just copy the values on your screen. Then, paste them into your wp-config.php file.

Step 2: This step will teach you how to access the wp-config.php file. The file is located in the root of your WordPress directory.

Information within the wp-config.php file includes database names, database host, usernames, and passwords.

To locate this file, login to your cPanel (contact your WebHost for access details). When in, click File Manager.


There is a folder with the name; public_html on the left-hand side of your screen. This is most often the folder containing your WordPress files. Click to open it.

Edit wpconfig.php file

Scroll to find the wp-config.php file inside the public_html folder. If you prefer nor to use cPanel to get this file, You can use FTP.

Right-click on the wp-config.php file and select Edit

Step 3: Last of all, substitute the security keys and salts with the new values you generated in step 1

Changing WP salts

It’s that simple. You have successfully generated new secret keys and salts for your WordPress website.

But note that updating your keys & salts will invalidate any user logged in to the site, forcing them to log in again.

How to change WordPress salts automatically

There are times you may forget to update your site’s security keys. To cover for this,  automate the process.

You can change WP security keys on a regular schedule using WordPress plugins designed for that purpose.

One of such is the Salt Shaker plugin created by the WordPress foundation. Install and activate the plugin using the following steps.

Step 1: Log into your WordPress dashboard and scroll down to plugins. Click Add New.

WP dashboard

Search for the Salt Shaker plugin using the search option at the top right corner of your screen. Then click Install and Activate.

Install and activate plugin

After activating it, open Tools » Salt Shaker page to set a plan and make other necessary settings.

Salt Shaker Plugin settings

Set a schedule by ticking the box and selecting an option from the drop-down. You may decide to change your WP salts keys daily, weekly, monthly, four times a year, or twice a year.

There is no specific rule to this. But, we recommend changing the WordPress salts and security keys monthly. You can also click on the ‘Change Now’ button to change them immediately.

Henceforth, you do not need to bother about manually changing your WP salt keys. You have automated the process.

Other security measures to follow

The process of changing your WordPress security keys and salts already gives you an edge against hackers. However, other security measures you should incorporate are as follows:


In this article, we have explained how important WP salt keys are. They are particularly useful for adding an extra layer of protection to your login information.

We also showed how you can change them manually, as well as on an automatic schedule.

To improve your security, do well to reset WordPress salts from time to time. To further beef up your security, follow the additional suggestions in the section above as well as read our WordPress security guide.

More Resources: