What Are WordPress Salt Keys (And How Can You Change Them)?

Last Updated on September 12, 2022 | 7 Comments

When it comes to protecting your WordPress website, the login screen is an important line of defense. A significant part of this is making sure your password is secure, which makes it far less likely that attackers will be able to crack it and gain access.

WordPress uses something called ‘salt’ keys to protect your passwords. With these keys, your password is kept safe, so attackers can’t use them even if they gain access to your data. In this article, we’re going to talk about what salt keys are and how WordPress uses them. We’ll then teach you two ways to change yours, including using the Salt Shaker plugin.

Let’s get to work!

What Salt Keys Are (And How They Work in WordPress)

A set of WordPress salt keys.

WordPress salt keys help protect your password from attackers.

Salt keys are cryptographic elements used to ‘hash’ data in order to secure it. In fact, most serious platforms and systems use similar mechanisms to protect sensitive data. The process works by using the salt keys to encrypt your password when you save it in WordPress. This way, attackers can’t see your passwords in plaintext even if they somehow gain access to your database.

Salt keys are also used to sign your website’s cookies. This stops malicious actors from being able to gain access even if they can take over your cookies. All of this happens in the background, and there are zero reasons why you’d ever need to share your WordPress salt keys with a third party. If someone were to get their hands on them, they might be able to use them to access your passwords and crack your website.

For this reason, we recommend you change your WordPress salt keys from time to time to mitigate risk. However, WordPress doesn’t include any features that enable you to do this out of the box, which means you need to know how to do it on your own. Let’s take a look at how you can do this now.

How to Change Your WordPress Salt Keys (And Why You Should)

How often you change your WordPress salt keys depends on you. Once or twice every year should be more than enough to keep things safe. However, if you want to be extra careful, you might want to change your keys every couple of months. It’s important to note that every time your salt keys are changed, all user accounts will be logged out, including your own. This can be a minor hassle, but it helps protect you in case an account has been compromised due to cookies.
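Why changing the keys logs everyone out, as an added example (not code from WordPress or from this article): a simplified model of a login cookie signed with an HMAC keyed by a key and salt pair. The cookie layout and the function names are assumptions made for illustration; WordPress's real cookie format is more involved.

```python
import hashlib
import hmac
import secrets
import time


def new_secret() -> str:
    """Constructed stand-in for one key or salt value from wp-config.php."""
    return secrets.token_urlsafe(48)


def _mac(payload: str, key: str, salt: str) -> str:
    # The signing secret is the key and salt together; neither leaves the server.
    return hmac.new((key + salt).encode(), payload.encode(), hashlib.sha256).hexdigest()


def sign_cookie(username: str, expires: int, key: str, salt: str) -> str:
    """Return 'username|expires|mac' (usernames containing '|' are not supported)."""
    payload = f"{username}|{expires}"
    return f"{payload}|{_mac(payload, key, salt)}"


def verify_cookie(cookie: str, key: str, salt: str, now=None):
    """Return the username if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expires, mac = parts
    expected = _mac(f"{username}|{expires}", key, salt)
    # Constant-time comparison; check the MAC before trusting any field.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if int(expires) < (int(time.time()) if now is None else now):
        return None
    return username


def demo():
    key, salt = new_secret(), new_secret()
    cookie = sign_cookie("alice", int(time.time()) + 3600, key, salt)
    before = verify_cookie(cookie, key, salt)                        # valid session
    forged = verify_cookie(cookie.replace("alice", "admin", 1), key, salt)
    after = verify_cookie(cookie, new_secret(), new_secret())        # keys rotated
    return before, forged, after


if __name__ == "__main__":
    print(demo())
```

The same cookie that verified before the rotation is rejected afterwards, which is why every session ends when the keys change.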

We’re now going to show you two methods you could use to update your salt keys. You can either do it manually by editing a WordPress core file, or use a plugin to automate the process. Either way, we recommend that you create a backup of your site beforehand, just in case.

Change Your Salt Keys Manually

WordPress stores your salt keys as strings of numbers, letters, and symbols within the wp-config.php file. To change them manually, you’ll need to update them in this file. To do this, you’ll need to log into your website via FTP, using a client such as FileZilla. Once you’re in, navigate to your WordPress root folder, which is usually named public_html, www, or the same as your website:

Your public_html folder.

Inside this folder, you’ll find the wp-config.php file. Right-click on it and choose the option that says View/Edit. This will download a copy of the file to your computer and open it using your default text editor. Use your text editor’s search feature to locate the line that reads ‘Authentication Unique Keys and Salts’, as seen below:

A wp-config.php file displaying a set of salt keys.

There are some instructions in the form of comments on how to update your keys at the top. Right below, you’ll find eight lines including all your security keys and salts. To replace them, you’ll need to generate a new set of keys, which you can do through the WordPress API. Just visit this link and the platform will generate a new set of unique keys you can use, like this:

The WordPress API salt generator.

All you have to do now is take your new keys and replace your existing ones within the wp-config.php file. You can either copy and paste the keys one by one, or replace the entire section. If you do this correctly, your website’s functionality won’t be affected by this change. The only change you’ll notice is you’ll need to log into your account again once you update your salts, as will all your users.

Once you’ve replaced your keys, save the changes to the wp-config.php file and close it. FileZilla will now ask you if you want to replace your existing wp-config.php file with the version you just edited. Choose the Yes option, after which you can go right ahead and log back into your website.
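The manual steps above can also be scripted. The following is an added example, not code from WordPress or from the Salt Shaker plugin: it regenerates the eight define() lines in place and refuses to write anything unless each key is found exactly once. It generates the values locally with Python's `secrets` module instead of fetching them from the WordPress API generator; the function names and the sample file contents are assumptions.

```python
import re
import secrets
import shutil

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus quote and backslash, so a value can never terminate
# or escape the single-quoted PHP string it is written into.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")
DEFINE_RE = re.compile(r"^[ \t]*define\(\s*['\"](\w+)['\"]\s*,[^\r\n]*", re.MULTILINE)


def rotate_salts(config_text: str) -> str:
    """Return config_text with all eight key/salt define() lines regenerated."""
    seen = []

    def swap(match):
        name = match.group(1)
        if name not in KEY_NAMES:
            return match.group(0)          # DB_NAME, WP_DEBUG, ... stay as-is
        seen.append(name)
        value = "".join(secrets.choice(ALPHABET) for _ in range(64))
        return f"define( '{name}', '{value}' );"

    updated = DEFINE_RE.sub(swap, config_text)
    if sorted(seen) != sorted(KEY_NAMES):
        raise ValueError(f"expected each key exactly once, found: {seen}")
    return updated


def rotate_file(config_path: str, backup_path: str) -> None:
    """Back up wp-config.php, then rewrite it with fresh keys and salts."""
    with open(config_path, encoding="utf-8", newline="") as fh:
        original = fh.read()
    updated = rotate_salts(original)       # raises before anything is written
    shutil.copy2(config_path, backup_path)
    with open(config_path, "w", encoding="utf-8", newline="") as fh:
        fh.write(updated)


# Constructed sample input, not a real site's configuration.
SAMPLE = ("<?php\ndefine( 'DB_NAME', 'example_db' );\n"
          + "".join(f"define( '{n}', 'put your unique phrase here' );\n" for n in KEY_NAMES)
          + "$table_prefix = 'wp_';\n")

if __name__ == "__main__":
    print(rotate_salts(SAMPLE))
```

Point `backup_path` at a location outside the web root: the backup still contains the old keys and the database credentials, and a stray copy of wp-config.php under public_html may be served as plain text.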

Use the Salt Shaker Plugin

The Salt Shaker plugin can help you simplify the process even further. With this plugin, you can automate the entire process of changing your salt keys. Furthermore, the plugin even enables you to schedule automatic changes to your salt keys on a regular basis.

The Salt Shaker plugin.

To use the plugin, you’ll need to install and activate it first. Once that’s done, a new Salt Shaker option will show up in your dashboard under the Settings tab. Inside, you’ll find two options. The first of these enables you to schedule changes to your WordPress salt keys. You can choose to switch them daily, weekly, or monthly:

Configuring automatic salt key changes.

In most cases, daily changes are overkill since you’d be forcing all your users to log out. As such, we only recommend daily changes if your website isn’t open for registration and you want it to be as secure as possible. For regular scenarios, we think monthly changes are the best option.

Once you set your schedule, the plugin will automatically update your salt keys at the set interval. If you don’t want to automate the process, or if you want to change them right away, you can instead click on the Change Now button.

Changing your WordPress salt keys.

This will immediately change your salt keys, after which WordPress will prompt you to log back in. As with the manual method, you won’t notice any difference after doing this and you’ll be able to use your dashboard as normal.

Conclusion

Storing passwords in plaintext is always a bad idea, and that’s where salt keys come in. WordPress uses unique salt keys to secure your passwords, which stop attackers from accessing your passwords even if they were to gain access to your database. You can ensure that these are even more secure by changing them regularly.

There are two ways you can go about changing your WordPress salt keys:

  1. Change your keys manually by modifying your wp-config.php file.
  2. Use the Salt Shaker plugin.

Do you have any questions about how to update your WordPress salt keys? Let’s talk about them in the comments section below!

Article image thumbnail by Sin314 / shutterstock.com


7 Comments

  1. Please explain why I need to change my salts?

    If I have very secured passwords, then changing them does what exactly? If I don’t, then that is the issue.

    If you are telling me someone is hammering my system for years trying to crack the pass, then the need to monitoring.

    G%7_2fVh#*5{ brute force medium sized botnet 2 thousand years

    I don’t change the locks on my house or car yearly, so why my website?

  2. It’s too bad that you can’t set it to run at a certain time of day. It would be nice to know that it doesn’t stand the risk of knocking a client offline while they’re in the middle of making edits/updates.

  3. I’d seen mentions of it in the iThemes Security plugin as well, with the option of changing them in there. Now that I know what they’re used for I’m more confident to change them from within their plugin rather than install another one like Salt Shaker. Thanks for the article.

  4. Did anybody make sure there is no backdoor for NSA and the like?

    • The NSA backdoor nowadays is inside your CPU and is called “Spectre” and “Meltdown”, or at least “UEFI-BIOS”.

  5. Excellent article. I haven’t heard about Salt keys in security articles for a very long time, and it was good to be reminded of this WordPress feature and the need to periodically change them. I didn’t know about the plug-in, so thanks.

  6. Great article! Very informative. I’m going to give the plugin a shot for all my clients 🙂 Thanks, John!
