How to Generate WordPress Salts & Security Keys: Step by Step Instructions

What are WordPress salts and security keys?

In the realm of WordPress security, there’s a powerful tag team working tirelessly behind the scenes to safeguard your website’s login process. Meet salts and security keys, the cryptographic wonders responsible for protecting the sensitive information housed within the cookies that WordPress depends on for authentication.

Think about it: when you log into your WordPress site and opt to stay logged in, you’re spared the inconvenience of re-entering your credentials during every visit. While this streamlined process undoubtedly enhances the user experience, it also exposes your site to potential risks, such as cookie hijacking.

That’s where our allies, salts and keys, leap into action. These two elements collaborate to reinforce your website’s defenses, creating a barrier that keeps hackers at bay.

In this blog post, we’ll delve into the critical role of WordPress salts and keys, shedding light on how they work and how to generate new ones to harden your website’s security.


What are WordPress salts?

In the world of WordPress, salts (and their trusty sidekicks, security keys) play a vital role in ensuring the safety of your website’s login process. These cryptographic tools work to safeguard the information contained within the cookies that WordPress relies on for authentication.

You know how it is — you log into your WordPress site and opt to stay logged in, saving you the hassle of re-entering your credentials every time. This convenience is made possible by WordPress storing your login data in cookies, as opposed to using PHP sessions.

While this undoubtedly makes life easier for users, it also presents a potential security risk: cookie hijackers. This is where our heroes, salts and keys, step in to save the day. Picture these guys as extra layers of protection for your site, creating a barrier that makes it harder for bad actors to compromise your website.

Given their crucial role in the security of your WordPress site, it’s absolutely paramount that you never share your WordPress salts and security keys: always keep them a closely guarded secret. Sharing them would be akin to handing over the keys to your digital kingdom, and that’s something you simply can’t afford.

How do WordPress salts work?

Picture this: you’ve set up your WordPress site and decided to use the password SuperSecurePassword!@#$ (I know, dreadful choice, but bear with me for the sake of illustration).

Upon logging in, you provide your username and password which WordPress then saves in a pair of browser cookies to keep you logged in (it’s also tucked away in your site’s database).

Now, if WordPress were to store your password exactly as it is — SuperSecurePassword!@#$ — that would be akin to inviting malicious actors to waltz in and create chaos. Saving passwords in plaintext is a major security faux pas.

Enter the dynamic duo of security keys and salts. These elements join forces to cryptographically convert your plaintext password into a hash — a long, random assortment of characters that cannot be decrypted even if you know the keys and salts.

So, even though you submitted SuperSecurePassword!@#$ to log in, WordPress will transmogrify it into something resembling something like $P$BoEW/AhdCyQQv/J1kTwSQmRazzv7290 for storage purposes. Furthermore, using the same password on a different site will produce an entirely different hash string.

In a nutshell, it would be virtually impossible for someone to decode these seemingly random strings of characters and uncover your actual password.

Where are WordPress salts located?

Let’s start by understanding where WordPress stores these security keys and salts.

By default, WordPress has its own set of keys and salts, located in your website’s wp-config.php file. When you open this file, you should be able to spot eight entries in total:

  1. The first four entries represent your security keys.
  2. The following four entries correspond to your WordPress salts.

These entries should look something like this in wp-config:

define('AUTH_KEY',         'your_auth_key_here');
define('SECURE_AUTH_KEY',  'your_secure_auth_key_here');
define('LOGGED_IN_KEY',    'your_logged_in_key_here');
define('NONCE_KEY',        'your_nonce_key_here');
define('AUTH_SALT',        'your_auth_salt_here');
define('SECURE_AUTH_SALT', 'your_secure_auth_salt_here');
define('LOGGED_IN_SALT',   'your_logged_in_salt_here');
define('NONCE_SALT',       'your_nonce_salt_here');

Remember, these are just examples; your actual keys and salts will be unique strings of random characters like $P$BoEW/AhdCyQQv/J1kTwSQmRazzv7290.

Generating new salts and security keys for WordPress

New WordPress installations automatically generate new keys and salts during the setup process, providing a secure foundation without any extra effort on your part.

Nevertheless, it’s prudent to periodically change your salts and keys to further increase your security. It will make it even more challenging for hackers to access your site.

You can change your WordPress salts and keys by leveraging the official WordPress salt generator and the instructions below.

How to generate new WordPress salts and keys:

  1. Connect to your site’s server using your favorite sFTP client.
  2. Locate and edit the wp-config.php file located in the root directory of your WordPress installation.
  3. Visit the official salt generator to create new keys and salts. It will generate eight strings in total: four security keys and four salts.
  4. Replace the existing keys and salts in your wp-config.php file with the newly generated strings.
  5. Save your changes and re-upload your wp-config.php file if necessary.

Updating your salts also automatically logs out all users, requiring them to sign in again. This can be used as an added layer of protection, especially in instances where you unintentionally leave your account logged in on a public computer.

How often should I change my salts and keys?

Regularly updating your keys and salts is a good security practice — we recommend at least once every three months. When you change these values, all users will be logged out of your site. That’s because their cookies, now encrypted with a different key and salt, will be invalid. This can be particularly useful if you suspect a security breach.


Understanding and managing your salts and security keys is a crucial aspect of maintaining a secure WordPress website. By implementing these best practices, you’ll be well on your way to protecting your site against potential threats like cookie hijacking and unauthorized access.

Remember to periodically change your salts and keys to enhance your site’s security further. And always keep them private to prevent unauthorized access!

By staying proactive and vigilant, you’ll be better prepared to defend your website against bad actors. And if you’re looking for additional ways to harden your WordPress website, consider employing a web application firewall to protect your site against bad bots, DDoS attacks, and brute force!

You May Also Like