WordPress salts help keep your WordPress website secure by enabling the secure storage and authentication of your users' passwords.
WordPress Salts: Explained In Detail
WordPress salts, together with their companion security keys, are a cryptographic tool that helps secure the login of your WordPress site.
In particular, salts and security keys help secure the information in the cookies WordPress uses to log you in.
After you log in to WordPress, there is an option to stay logged in so that you don't need to enter your username and password every time. To make this work, WordPress saves your login credentials in cookies instead of using PHP sessions.
This is very convenient for users, but it also creates a security risk if anyone manages to hijack your browser's cookies.
This is where WordPress salts and security keys come in: they protect your login information so that a malicious actor can't make use of it. Think of them as “additional passwords” for your site that an attacker can't guess.
Due to their importance, you shouldn’t share your WordPress salts and security keys with anyone.
The Location of WordPress Salts
By default, WordPress comes with its own salts and security keys. You will find them in your site's wp-config.php file. There are eight entries in total:
- The first four entries are the security keys.
- The last four entries are the WordPress salts.
Working of WordPress Salts
Suppose your password for your WordPress site is “mypassword” (I know it isn't a good one, but it's just for the example).
When you log in, you enter your username and password. WordPress then stores that information in two browser cookies so that you stay logged in (you will also find this information stored in your site's database).
But if WordPress stored your password simply as “mypassword”, it would be easy for a malicious actor to read. This is called storing your password in plaintext, and you should avoid it if you want to secure your website.
Security keys and salts resolve this issue: working together, they cryptographically turn that plaintext password into a random jumble of characters that can't be recognised by anyone who does not have access to your keys and salts.
With this protection in place, even though you type “mypassword” to log in, WordPress converts it into something like “mgb78a34%7832$4hgfhggfd78782^^429nsdf” for storage.
Unless someone gains access to your salts and security keys, they will not be able to translate that random jumble of characters back into your actual password.
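To make the mechanism concrete, here is an added example that is not part of this article and not WordPress's own code: a stand-alone PHP model of how WordPress builds and checks its login cookie. It follows the scheme of WordPress's wp_generate_auth_cookie() and wp_validate_auth_cookie() functions (a per-user key derived with HMAC-MD5 keyed by AUTH_KEY concatenated with AUTH_SALT, and a cookie carrying an HMAC-SHA256 under that key), but it leaves out the session-token lookup and the secure/logged_in cookie variants, and every key, salt, password hash and username in it is a constructed demo value. It also shows what the section on periodic changes describes: once the key and salt are rotated, every existing cookie stops validating.

```php
<?php
// Added example (not WordPress code): a stand-alone model of how WordPress builds
// and checks its login cookie. It mirrors the scheme of wp_generate_auth_cookie()
// and wp_validate_auth_cookie(): a per-user key is derived with HMAC-MD5 over the
// user data keyed by AUTH_KEY . AUTH_SALT, and the cookie carries an HMAC-SHA256
// under that key. The session-token lookup and the secure/logged_in cookie
// schemes are omitted. All values below are constructed for the demo.

declare(strict_types=1);

// Constructed key and salt; on a real site these come from wp-config.php.
$salts = [
    'AUTH_KEY'  => 'constructed-auth-key-J7h!x2Qm9@pL4v',
    'AUTH_SALT' => 'constructed-auth-salt-R3t$Wb8#nZ6k',
];

// WordPress concatenates the key and the salt of a scheme to form the HMAC key.
function wp_salt_model(array $salts): string
{
    return $salts['AUTH_KEY'] . $salts['AUTH_SALT'];
}

// Equivalent of wp_hash(): HMAC-MD5 keyed with the scheme's key + salt.
function wp_hash_model(string $data, array $salts): string
{
    return hash_hmac('md5', $data, wp_salt_model($salts));
}

// Build the cookie "login|expiration|token|hmac".
function generate_auth_cookie(string $login, string $passHash, int $expiration, string $token, array $salts): string
{
    // Only four characters of the stored password hash feed into the key: the
    // cookie never carries the password, yet a password change still
    // invalidates existing cookies.
    $passFrag = substr($passHash, 8, 4);
    $key  = wp_hash_model("$login|$passFrag|$expiration|$token", $salts);
    $hmac = hash_hmac('sha256', "$login|$expiration|$token", $key);
    return "$login|$expiration|$token|$hmac";
}

// Recompute the HMAC from the cookie fields and compare in constant time.
function validate_auth_cookie(string $cookie, string $passHash, int $now, array $salts): bool
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return false;
    }
    [$login, $expiration, $token, $hmac] = $parts;
    if (!ctype_digit($expiration) || (int) $expiration < $now) {
        return false; // malformed or expired
    }
    $passFrag = substr($passHash, 8, 4);
    $key      = wp_hash_model("$login|$passFrag|$expiration|$token", $salts);
    $expected = hash_hmac('sha256', "$login|$expiration|$token", $key);
    return hash_equals($expected, $hmac);
}

// --- Demo with constructed values ---
$passHash = '$P$BconstructedPhpassHashForDemoOnly000000'; // constructed, not a real hash
$now      = time();
$exp      = $now + 14 * 24 * 3600;                       // "remember me" lifetime
$token    = bin2hex(random_bytes(21));
$cookie   = generate_auth_cookie('admin', $passHash, $exp, $token, $salts);

echo 'genuine cookie:  ', var_export(validate_auth_cookie($cookie, $passHash, $now, $salts), true), "\n";

// A cookie altered without the keys: the HMAC no longer matches.
$tampered = preg_replace('/^admin\|/', 'editor|', $cookie);
echo 'tampered cookie: ', var_export(validate_auth_cookie($tampered, $passHash, $now, $salts), true), "\n";

// After rotating the key and salt every existing cookie fails, so all users are logged out.
$rotated = ['AUTH_KEY' => bin2hex(random_bytes(32)), 'AUTH_SALT' => bin2hex(random_bytes(32))];
echo 'after rotation:  ', var_export(validate_auth_cookie($cookie, $passHash, $now, $rotated), true), "\n";
```

Run it with the php command-line binary. The point to take away is that the cookie is a keyed MAC over the user's data, not an encrypted password: without the key and salt nobody can produce a valid cookie for another user, and replacing the key and salt invalidates every cookie at once.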
Is It Required to Change Your WordPress Salts and Security Keys?
New WordPress installations come with their own set of keys and salts by default, so your WordPress site is already protected and no action is required on your part.
But you should consider changing your salts and keys periodically, for a few reasons.
When you change your keys and salts periodically, you make it even tougher for a malicious actor to gain access to them.
Moreover, when you change your salts, all logged-in users are automatically logged out and the site forces them to log in again, which is another key benefit. Suppose you log in on a public computer and forget to log out: changing the salts forces that session out so that no one else can use it.
Changing Your WordPress Salts
There are two methods to change your WordPress salts:
- Editing Your wp-config.php File Manually
- Using a Free Plugin
Steps to Change Your Salts by Editing Your wp-config.php File Manually
For this method, you’ll need to connect to your site’s server using FTP and edit your wp-config.php file.
Once connected, go to the official WordPress.org salt generator. This page randomly generates salts and security keys for you, as mentioned above. Check that it has generated the four security keys plus the four salts (eight in total).
Now delete the existing keys in your wp-config.php file and replace them by pasting in the keys from the WordPress.org salt generator.
Afterwards, the file should look much as it did before; only the random character strings will be different.
Make sure you save your changes and re-upload your wp-config.php file if needed.
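The manual procedure above can also be scripted, which is handy when you rotate salts regularly or manage several sites. The PHP command-line helper below is an added example, not part of this article and not WordPress's own code. It reads wp-config.php, reports entries that are missing, still hold the placeholder phrase shipped in wp-config-sample.php, are short, or are duplicated, and with --rotate fetches fresh values from the WordPress.org generator's API at https://api.wordpress.org/secret-key/1.1/salt/ (the same generator the steps above use) and swaps them in after writing a backup. The eight constant names are WordPress's real ones; the script name rotate-salts.php, the 32-character minimum and the backup naming are my own choices. It assumes PHP's allow_url_fopen with HTTPS support is enabled.

```php
<?php
// Added example, not from the article or WordPress: audit and rotate the eight
// authentication keys and salts in wp-config.php.
// Usage: php rotate-salts.php /path/to/wp-config.php [--rotate]

declare(strict_types=1);

// The real constant names WordPress reads from wp-config.php.
const SALT_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
const SALT_API           = 'https://api.wordpress.org/secret-key/1.1/salt/';
const SAMPLE_PLACEHOLDER = 'put your unique phrase here'; // value shipped in wp-config-sample.php
const MIN_LENGTH         = 32;                            // assumed sanity threshold; generated values are 64 chars

// Collect name => value for each define('NAME', 'value') line found in $config.
function read_salts(string $config): array
{
    $found = [];
    foreach (SALT_CONSTANTS as $name) {
        if (preg_match("/define\(\s*'$name'\s*,\s*'([^']*)'\s*\);/", $config, $m)) {
            $found[$name] = $m[1];
        }
    }
    return $found;
}

// Return a list of human-readable problems; an empty list means all eight look sane.
function audit_salts(array $salts): array
{
    $problems = [];
    foreach (SALT_CONSTANTS as $name) {
        if (!isset($salts[$name])) {
            $problems[] = "$name is missing";
        } elseif ($salts[$name] === '' || $salts[$name] === SAMPLE_PLACEHOLDER) {
            $problems[] = "$name still holds the sample placeholder";
        } elseif (strlen($salts[$name]) < MIN_LENGTH) {
            $problems[] = "$name is shorter than " . MIN_LENGTH . ' characters';
        }
    }
    if (count(array_unique($salts)) !== count($salts)) {
        $problems[] = 'two or more entries share the same value';
    }
    return $problems;
}

// Fetch a fresh block of eight define() lines and check that all eight arrived.
function fetch_new_salts(): string
{
    $body = @file_get_contents(SALT_API);
    if ($body === false || count(read_salts($body)) !== count(SALT_CONSTANTS)) {
        throw new RuntimeException('Generator did not return all eight keys and salts');
    }
    return $body;
}

// Replace each existing define() line in $config with the matching new one.
function rotate_salts(string $config, string $newBlock): string
{
    $new = read_salts($newBlock);
    foreach (SALT_CONSTANTS as $name) {
        $line   = "define( '$name', '{$new[$name]}' );";
        $config = preg_replace_callback(
            "/define\(\s*'$name'\s*,\s*'[^']*'\s*\);/",
            static fn () => $line,   // a callback keeps "$1"-like sequences in values literal
            $config,
            1
        );
    }
    return $config;
}

$path = $argv[1] ?? '';
if ($path === '' || !is_readable($path)) {
    fwrite(STDERR, "Usage: php rotate-salts.php /path/to/wp-config.php [--rotate]\n");
    exit(1);
}
$config = file_get_contents($path);
foreach (audit_salts(read_salts($config)) as $problem) {
    echo "WARN: $problem\n";
}

if (in_array('--rotate', $argv, true)) {
    if (count(read_salts($config)) !== count(SALT_CONSTANTS)) {
        fwrite(STDERR, "Refusing to rotate: add the missing entries first.\n");
        exit(1);
    }
    copy($path, $path . '.bak-' . date('Ymd-His'));   // keep the old keys in case a rollback is needed
    file_put_contents($path, rotate_salts($config, fetch_new_salts()));
    echo "Rotated all eight entries; every existing login session is now invalid.\n";
}
```

Run the audit alone first (php rotate-salts.php wp-config.php) to see whether any entry is still the sample placeholder, which is the state to fix immediately. The backup file contains the old keys and salts, so move it out of the web root or delete it once you have confirmed the site still loads and logins work.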
Steps to Change Your Salts Using a Free Plugin
You can also change your site’s salts using a plugin.
The Salt Shaker plugin is a popular free option for this.
You can set it up to change your salts automatically on a schedule you define, or you can use it manually to change the salts whenever you like.
After installing and activating the plugin, go to Tools → Salt Shaker.
To change your salts manually right away, just click the Change Now button.
Alternatively, the Scheduled Change feature can automatically change your salts on one of the following schedules:
- Quarterly (every three months)
- Biannually (every six months)
WordPress salts and security keys help in securing your site’s login process and the cookies that WordPress uses to authenticate users.
By default, your WordPress site includes its own set of salts and keys, so you don't need to set anything up to get the benefits of salts.
But you gain additional security by periodically changing your salts, which makes it even tougher for malicious actors to access them.
To change your salts, you can use the WordPress.org salt generator and manually edit your wp-config.php file, or you can use a free plugin like Salt Shaker.