Easily Change WordPress Security Keys & Salts with iThemes Security

Written by Kristen Wright on January 21, 2015

Last Updated on September 6, 2022

The latest version of iThemes Security includes a new time-saving security feature: the ability to easily change WordPress security keys and salts. To take advantage of this new feature, you’ll need to be running iThemes Security v4.6+ or iThemes Security Pro v1.14+.

You’ll find the latest versions available as an automatic update from the WordPress dashboard (for free and licensed Pro sites) or as a manual download from the iThemes Member Panel (for Pro users).

A Brief Overview of WordPress Keys & Salts

To understand WordPress keys and salts, we first need to go over cookies. WordPress uses cookies (or information stored in your browser) to verify the identity of logged-in users and commenters.

To better protect and ensure encryption of the login information stored in your WordPress cookies, WordPress includes secret authentication keys and salts in your wp-config.php file. Essentially, these are additional passwords for your site that are long, random and complicated—so they’re nearly impossible to break.

If you want to dig a bit deeper into the technical explanations of cookies, secret keys and salts, you can check out these resources:

  • The WordPress Codex – Security Keys
  • The WordPress Codex – Cookies
  • SSL and Cookies in WordPress 2.6

Changing Your Keys Every Now & Then Adds An Extra Layer of Ongoing Protection

Updating your keys and salts on a regular basis is another way to harden WordPress. Again, while the existing keys are extremely difficult to break, changing them every so often adds another layer of complexity.

Updating your keys and salts forces all logged-in users to log in again, because changing them automatically invalidates the login of every user currently logged in to the site. For example, if you have any suspicions of trouble, updating your keys and salts will force the logout and reauthentication of all users. And if someone with higher-level access to your site accidentally clicks “remember me” in their browser (say, on a public computer), changing the keys means no unauthorized user can gain access to the site using the information stored in that browser.
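Why changing the secrets logs everyone out, shown as an added example that is not from the original post: this is a simplified model of a keyed cookie check (an HMAC over the cookie contents), not WordPress's actual code, and the function names, cookie layout, username and timestamps are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def sign_cookie(username, expires, key, salt):
    """Return 'username|expires|mac', with the MAC keyed on key + salt."""
    payload = f"{username}|{expires}"
    mac = hmac.new((key + salt).encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_cookie(cookie, now, key, salt):
    """Return the username if the MAC matches the current secrets and the
    cookie has not expired, otherwise None."""
    try:
        username, expires, mac = cookie.rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return None  # malformed cookie
    expected = sign_cookie(username, expires, key, salt).rsplit("|", 1)[1]
    if not hmac.compare_digest(mac.encode(), expected.encode()) or now > expires:
        return None
    return username

def demo():
    """A long-lived cookie is accepted until the key and salt are replaced."""
    now = 1_700_000_000  # constructed timestamp
    old_key, old_salt = secrets.token_hex(32), secrets.token_hex(32)
    cookie = sign_cookie("editor", now + 14 * 86400, old_key, old_salt)
    before = verify_cookie(cookie, now, old_key, old_salt)
    # Rotation: the server now verifies with fresh secrets.
    new_key, new_salt = secrets.token_hex(32), secrets.token_hex(32)
    after = verify_cookie(cookie, now, new_key, new_salt)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The cookie left behind in a browser is unchanged and unexpired, but the server can no longer reproduce its signature, so it is rejected.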

How to Change Your WordPress Keys & Salts – The Manual Method

Before this update to iThemes Security, updating your keys and salts required you to manually edit your wp-config.php file. Here’s an explanation of what’s involved in making this change on your own:

1. As always, before you make any changes to important core files on your site, make a backup of your site with BackupBuddy. With BackupBuddy, you can even easily restore a single file, so you don’t have to worry if something goes wrong while making this edit.

2. Using an FTP client, open your wp-config.php file and locate the Authentication Unique Keys and Salts section.

3. Generate new keys using this secret key and salts generator from the WordPress API. Copy the new keys information from the generator.

4. Paste the new information into your wp-config.php file to overwrite the existing set. Save the file.
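Steps 3 and 4 as a script, added here as an example and not taken from the original post or from iThemes Security: it generates the eight values locally instead of copying them from the online generator and swaps them into the text of a wp-config.php. The function names and the sample file contents are constructed for illustration.

```python
import re
import secrets
import string

# The eight constants in the "Authentication Unique Keys and Salts" section.
SALT_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Printable ASCII minus ' and \ so a value drops into a PHP single-quoted
# string without escaping.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

# Matches define( 'NAME', 'value' ); for the eight names, either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(%s)\1\s*,\s*(['"]).*?\3\s*\)\s*;""" % "|".join(SALT_NAMES))

def generate_salt(length=64):
    """One random value drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Return (new_config_text, new_values). Refuses to change anything unless
    each of the eight constants is defined exactly once."""
    found = sorted(m.group(2) for m in DEFINE_RE.finditer(config_text))
    if found != sorted(SALT_NAMES):
        raise ValueError(f"expected each key/salt exactly once, found: {found}")
    new_values = {name: generate_salt() for name in SALT_NAMES}
    new_text = DEFINE_RE.sub(
        lambda m: f"define( '{m.group(2)}', '{new_values[m.group(2)]}' );", config_text)
    return new_text, new_values

# Constructed stand-in for a wp-config.php that still holds placeholder values.
SAMPLE_CONFIG = (
    "<?php\ndefine( 'DB_NAME', 'wordpress' );\n"
    + "".join(f"define( '{n}', 'put your unique phrase here' );\n" for n in SALT_NAMES)
    + "$table_prefix = 'wp_';\n")

if __name__ == "__main__":
    rotated, _ = rotate_salts(SAMPLE_CONFIG)
    print(rotated)
```

Write the result back only after taking the backup from step 1, and expect every user to be logged out once the new file is saved.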

How iThemes Security Makes it Easy to Update Your WordPress Keys & Salts

iThemes Security makes updating your WordPress keys and salts easier by allowing you to do so from your WordPress dashboard. There’s no more having to manually generate a new set of keys and edit your wp-config.php file.

Update Your Keys & Salts with Two Clicks

Within the iThemes Security dashboard, click on the Tools icon in the lower left corner of the menu. Locate the Change WordPress Salts section, then click the Run button.

That’s it! iThemes Security will go to work updating your keys and salts for you. Again, note that updating your keys and salts will force all logged-in users to log in again.

Get iThemes Security Pro

With iThemes Security Pro, you get great additional features to secure your WordPress site, including:

  • Two-Factor Authentication – Easily add two-factor authentication to your WordPress site with Google Authenticator and iThemes Security Pro.
  • reCAPTCHA – Integrate Google’s new reCAPTCHA with your WordPress site to add an extra layer of protection to your WordPress login pages.
  • And lots more! Check out all the iThemes Security Pro features.

Comments

  1. michael hamilton says:
    January 22, 2015 at 12:13 pm

    I’m not entirely sure I understand all the complexities of the keys and salts, but I get that changing them occasionally is a good strategy. So, why not just have the plugin refresh them every 24 hours? Why does it need to be done manually? My sites aren’t membership sites likely to have logged-in users… I use WordPress on about 60 sites as a simple CRM and web publishing engine. So, logging out users is no concern to me. Having a hardened site *is*. So, that said, I guess I’m left wondering why there isn’t an automated interval refresh on these fundamental security items.

    • Kristen Wright says:
      January 22, 2015 at 2:03 pm

      Hi Michael, we consider this feature as an “advanced” setting, because it does immediately log all users (including admins) out of the site. While we did consider adding a scheduling functionality, it’s important that this update is manually done so you can be prepared to be logged out. Our best solution to scheduling was the 30-day reminder in the dashboard. Keep in mind the salts and keys provided by default in your wp-config.php file are extremely difficult to break, given their length and complexity. This feature, like we mentioned above, is meant to be a time-saving feature so you don’t have to manually generate new keys and update your wp-config.php file on your own.
