WordPress Salts & Security Keys

WordPress uses cookies (or information stored in your browser) to verify the identity of logged in users and commenters, so WordPress also includes secret authentication security keys and salts in the wp-config.php file. Essentially, these WordPress security keys are additional passwords for your site that are long, random and complicated—so they’re nearly impossible to break.

What is a WordPress Salt?

A WordPress salt is a random string of data that hashes the WordPress security keys in the wp-config.php file.

If you open your wp-config.php file, you’ll see the Authentication Unique Keys and Salts section with seven security keys.

WordPress salt

More Information on WordPress Security Keys & Cookies

If you want to dig in a bit more to the technical explanations of WordPress secret keys and salts, here are a few helpful resources:

How to Change Your WordPress Salts

Updating your WordPress security keys on a regular basis is a great way to harden your WordPress site. While the keys are extremely difficult to break, changing them every so often adds another layer of complexity.

Note: Updating your keys & salts will force all logged in users to log in again, because changing them automatically invalidates the login of any user logged in to the site. For example, if you have any suspicions of a hack, updating your security keys and salts will force the logout and reauthentication of all logged in users.

There are two ways to change your WordPress salts and keys:

  1. Manually change the security keys in the wp-config.php file
  2. Use a plugin to change your WordPress salts, like iThemes Security

How iThemes Security Makes it Easy to Update Your WordPress Salts & Keys

The iThemes Security plugin makes updating your WordPress keys and salts easy in two ways:

  1. You get a reminder every 30 days to update your keys and salts – iThemes Security will send you a dashboard reminder to update your keys and salts so you never forget.
  2. You can update your keys and salts straight from your WordPress dashboard – iThemes Security allows you to update your keys and salts from within the plugin, so there’s no more having to manually generate a new set of keys and edit your wp-config.php file.

update-wordpress-keys-salts

Within the iThemes Security dashboard, click on the Advanced tab. On this screen, you’ll see the WordPress Salts section. Click the option to Change WordPress Salts and then click the Change WordPress Salts button. That’s it! iThemes Security will go to work updating your keys and salts for you. Just note that updating your keys & salts will force all logged in users to log in again.

Learn more about iThemes Security Pro