The latest version of iThemes Security includes a new time-saving security feature: the ability to easily change WordPress security keys and salts. To take advantage of this new feature, you’ll need to be running iThemes Security v4.6+ or iThemes Security Pro v1.14+.
You’ll find the latest versions available as an automatic update from the WordPress dashboard (for free and licensed Pro sites) or as a manual download from the iThemes Member Panel (for Pro users).
A Brief Overview of WordPress Keys & Salts
To understand WordPress keys and salts, we first need to go over cookies. WordPress uses cookies (information stored in your browser) to verify the identity of logged-in users and commenters.
To better protect and ensure encryption of the login information stored in your WordPress cookies, WordPress includes secret authentication keys and salts in your wp-config.php file. Essentially, these are additional passwords for your site that are long, random and complicated—so they’re nearly impossible to break.
If you want to dig in a bit more to the technical explanations of cookies, secret keys and salts, you can check out these resources:
Changing Your Keys Every Now & Then Adds An Extra Layer of Ongoing Protection
Updating your keys and salts on a regular basis is another way to harden WordPress. Again, while the existing keys are extremely difficult to break, changing them every so often adds another layer of complexity.
Updating your keys and salts forces all logged-in users to log in again, because changing them automatically invalidates the login of every user logged in to the site. For example, if you have any suspicions of trouble, updating your keys and salts will force the logout and reauthentication of all user logins. Likewise, if someone with higher-level access to your site accidentally clicks “remember me” in their browser (say, on a public computer), updating your keys and salts invalidates the login information stored in that browser, so no unauthorized user will be able to use it to gain access to the site.
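Why new keys log everyone out, as an added example (not iThemes or WordPress code): a simplified Python model of how WordPress signs its login cookie with an HMAC keyed by the key and salt from wp-config.php. The user name, password fragment, token and secret values are constructed, and the session-token lookup WordPress also performs is left out.

```python
import hashlib
import hmac

def site_secret(key, salt):
    # WordPress joins a scheme's KEY and SALT constants into one secret.
    return (key + salt).encode()

def sign_cookie(user, pass_frag, expiration, token, secret):
    """Build user|expiration|token|mac the way the login cookie is laid out."""
    # Per-cookie key: HMAC-MD5 keyed with the site secret.
    data = f"{user}|{pass_frag}|{expiration}|{token}".encode()
    cookie_key = hmac.new(secret, data, hashlib.md5).hexdigest().encode()
    body = f"{user}|{expiration}|{token}"
    mac = hmac.new(cookie_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def validate_cookie(cookie, pass_frag, secret, now):
    """Recompute the MAC with the current secret; any mismatch means log in again."""
    try:
        user, expiration, token, mac = cookie.split("|")
        if int(expiration) < now:
            return False
    except ValueError:
        return False
    expected = sign_cookie(user, pass_frag, expiration, token, secret).rsplit("|", 1)[1]
    return hmac.compare_digest(expected.encode(), mac.encode())

def demo():
    # Constructed values, not taken from a real site.
    old = site_secret("old-auth-key", "old-auth-salt")
    new = site_secret("new-auth-key", "new-auth-salt")
    cookie = sign_cookie("editor", "x9Qz", 2000000000, "constructed-token", old)
    before = validate_cookie(cookie, "x9Qz", old, now=1700000000)
    after = validate_cookie(cookie, "x9Qz", new, now=1700000000)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The same cookie that validates under the old secret is rejected once the secret changes, which is what forces every browser, including one left logged in on a shared machine, back to the login form.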
How to Change Your WordPress Keys & Salts – The Manual Method
Before this update to iThemes Security, updating your keys and salts required you to manually edit your wp-config.php file. Here’s an explanation of what’s involved in making this change on your own:
1. As always, before you make any changes to important core files on your site, make a backup of your site with BackupBuddy. With BackupBuddy, you can even easily restore a single file, so you don’t have to worry if something goes wrong while making this edit.
2. Using an FTP client, open your wp-config.php file and locate the Authentication Unique Keys and Salts section.
3. Generate new keys using this secret key and salts generator from the WordPress API. Copy the new keys information from the generator.
4. Paste the new information into your wp-config.php file to overwrite the existing set. Save the file.
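The manual steps above as a script, added here as an example (not iThemes Security's code). It assumes a standard wp-config.php with the eight define() lines, generates the new values locally with Python's secrets module instead of fetching them from the WordPress API generator, and takes a hypothetical backup_dir argument for step 1.

```python
import re
import secrets
import shutil
import string
from pathlib import Path

SALT_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
# Printable ASCII without quote and backslash, so values need no PHP escaping.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

def new_secret(length=64):
    """Return a random value from the OS CSPRNG (generated locally, not via the API)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Replace all eight define() lines; raise if one is missing so nothing is half-rotated."""
    for name in SALT_NAMES:
        pattern = re.compile(r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        line = f"define( '{name}', '{new_secret()}' );"
        config_text, count = pattern.subn(lambda m: line, config_text, count=1)
        if count != 1:
            raise ValueError(f"{name} not found in config")
    return config_text

def rotate_file(path, backup_dir):
    """Back up wp-config.php, then swap in the rotated copy with the same permissions."""
    path = Path(path)
    updated = rotate_salts(path.read_text())        # fails before anything is written
    backup = Path(backup_dir) / (path.name + ".bak")
    shutil.copy2(path, backup)                      # step 1: keep a restorable copy
    tmp = path.with_name(path.name + ".tmp")
    tmp.touch(mode=0o600)                           # never world-readable while writing
    tmp.write_text(updated)
    shutil.copymode(path, tmp)
    tmp.replace(path)                               # atomic rename on the same filesystem
    return backup

# Constructed sample config (placeholder values, not from a real site).
SAMPLE = "<?php\ndefine( 'DB_NAME', 'wp' );\n" + "".join(
    f"define( '{n}', 'put your unique phrase here' );\n" for n in SALT_NAMES)
```

Point backup_dir at a location outside the web root: a wp-config.php.bak next to the original is typically served as plain text and would expose the database credentials along with the old keys.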
How iThemes Security Makes it Easy to Update Your WordPress Keys & Salts
iThemes Security makes updating your WordPress keys and salts easier by allowing you to do so from your WordPress dashboard. There’s no more having to manually generate a new set of keys and edit your wp-config.php file.
Update Your Keys & Salts with Two Clicks
Within the iThemes Security dashboard, click on the Tools icon in the lower left corner of the menu. Locate the Change WordPress Salts section, then click the Run button.
That’s it! iThemes Security will go to work updating your keys and salts for you. Again, note that updating your keys & salts will force all logged in users to log in again.
Get iThemes Security Pro
With iThemes Security Pro, you get great additional features to secure your WordPress site, including:
- Two-Factor Authentication – Easily add two-factor authentication to your WordPress site with Google Authenticator and iThemes Security Pro.
- reCAPTCHA – Integrate Google’s new reCAPTCHA with your WordPress site to add an extra layer of protection to your WordPress login pages.
- And lots more! Check out all the iThemes Security Pro features.

Kristen has been writing WordPress tutorials since 2011. Kristen also enjoys journaling, hiking and camping, step aerobics, cooking, and daily adventures with her family, hoping to live a more present life.
I’m not entirely sure I understand all the complexities of the keys and salts, but I get that changing them occasionally is a good strategy. So, why not just have the plugin refresh them every 24 hours? Why does it need to be done manually? My sites aren’t membership sites likely to have logged-in users… I use WordPress on about 60 sites as a simple CRM and web publishing engine. So, logging out users is no concern to me. Having a hardened site *is*. So, that said, I guess I’m left wondering why there isn’t an automated interval refresh on these fundamental security items.
Hi Michael, we consider this feature as an “advanced” setting, because it does immediately log all users (including admins) out of the site. While we did consider adding a scheduling functionality, it’s important that this update is manually done so you can be prepared to be logged out. Our best solution to scheduling was the 30-day reminder in the dashboard. Keep in mind the salts and keys provided by default in your wp-config.php file are extremely difficult to break, given their length and complexity. This feature, like we mentioned above, is meant to be a time-saving feature so you don’t have to manually generate new keys and update your wp-config.php file on your own.