Start FREE

WordPress Salts: What Are They, How They Work, and How to Use Them

Published 30 October 2024
Updated 7 November 2024
Daniel Dzhenev
Table of Contents

If you have been developing WordPress websites, your eyes might have wandered to the ‘WordPress salts’ section of the wp.config.php file.

Have you ever wondered what these salts are and why we need them?

If you answered ‘Yes’, then you are in the right place. In this post, you will learn everything you need to know about WordPress salts.

Let’s get started!

What Are WordPress Salts?

WordPress salts are random bits of text that are appended to user passwords and cookies before they are encrypted or hashed by WordPress security keys.

Using a modern encryption or hashing algorithm is good enough in normal scenarios. However, if a hacker steals your database, then they can ‘guess’ if the user is using a weak or common password. This is called a rainbow table attack; we have explained more about this in our post on brute force attacks

How Do WordPress Salts Work?

With the number of cyber attacks on the rise, using encryption alone is not enough to protect your data. Adding random data (salts) to your secret information will make a strong cryptographic combination that makes it harder for an attacker to guess the passwords.

This act of adding random data to information is often compared to sprinkling salt over a meal to enhance it. Therefore, in computer terminology, the act of adding random data before encrypting or hashing it is called ‘salting’. 

Let’s try to understand this with the help of an example. If your password is password123, WordPress will add a salt to it, such as !@#$%^&*, and then hash the resulting string, password123!@#$%^&*, with a security key provided by you. This hashed password will be stored in the WordPress database, and used to verify your login credentials.

When the user logs in to your WordPress site, WordPress will use the same salt and hashing algorithm to verify their password. You can find your WordPress salts in your wp-config.php file, which look something like this:

define( 'AUTH_SALT', 'random_string');
define( 'SECURE_AUTH_SALT', 'random_string');
define( 'LOGGED_IN_SALT', 'random_string');
define( 'NONCE_SALT', 'random_string');
define( 'WP_CACHE_KEY_SALT', 'random_string');

You can generate new WordPress salts and keys using the WordPress.org secret key service or using the WP-CLI, which will provide you with random and unique strings that you can copy and paste into your wp-config.php file. You should replace the default phrases, insert your unique phrase with the generated strings, and save the changes to your wp-config.php file.

How to Use WordPress Salts

WordPress automatically uses the salts and keys that are defined in your wp-config.php file to encrypt and decrypt the user passwords and cookies. You do not need to do anything for it, as WordPress handles the encryption and decryption process for you behind the scenes.

However, if you want to change your WordPress salts and keys periodically for extra security, you can use a plugin like Salt Shaker, or manually edit your wp-config.php file with new salts and keys. This is called ‘shaking the salt’, as it refreshes the encryption of your user data.

Shaking the Salt

It is possible to change these WordPress salts, however you should keep in mind that you don’t need to change these salts unless you suspect that your website has been compromised or hacked. Changing salts and keys can have some negative consequences, such as breaking some plugins or features, or logging out all users from your website. Therefore, you should only do this if you have a valid reason and you know what you are doing. 

To generate new WordPress salts and keys, and change them periodically, you can use one of the following methods:

  1. Manually generating salts: You can change your WordPress salts and keys manually by editing your wp-config.php file, which is located in the root directory of your WordPress installation. Locate the existing salt values and replace them with new text – just type anything that comes to mind. Humans are notoriously bad at coming up with random numbers. If you are in a hurry, let your cat (or small dog) walk across your keyboard and use the resulting text as your salt – it will work just as well!
  2. Use the WordPress utility: You can generate new salts and keys using the WordPress service, which will provide you with random and unique strings, and automatically update your wp-config.php file, replacing the existing ones. Just log in to your server via ssh and run the following command:
wp config shuffle-salts

Best Practices and Misconceptions 

Although it is relatively easy to access and shake salts in WordPress, there are a few things that you should keep in mind.

  1. WordPress salts are not the same as WordPress security keys. WordPress security keys are used to encrypt and decrypt the data, while WordPress salts are used to modify the data before encryption. 
  2. Keep them secret: You should never share your WordPress salts and keys with anyone, as they are used to encrypt and decrypt sensitive data on your site. If someone gets access to your salts and keys, they can compromise your site and your users’ accounts.
  3. WordPress salts do not need to be changed frequently. Some people think that regularly rotating WordPress salts will improve security, but this is false. Changing WordPress salts will only log out all users from your site – it won’t affect the existing passwords or cookies. In fact, changing WordPress salts too often can cause more harm than good, as it can create confusion and frustration for your users.
  4. WordPress salts are not a substitute for strong passwords. WordPress salts can help protect your passwords from being cracked by brute force attacks, but they cannot prevent someone from guessing your password if it is weak or common. Therefore, you should always use strong and unique passwords for your WordPress site, and encourage your users to do the same.

Conclusion

WordPress salts are a vital part of your WordPress site’s security, as they help protect your passwords and cookies from being hacked. However, WordPress salts are not enough to keep your site safe from all kinds of threats. 

That’s why you need Patchstack – the ultimate WordPress security solution that protects your site from hackers and bots.

Patchstack is a cloud-based WordPress security solution that blocks malicious traffic, scans your site for vulnerabilities, and patches them automatically. Patchstack also monitors your site’s activity, and sends you regular reports and alerts.

With Patchstack, you can rest assured that your WordPress site is secure, fast, and reliable, leaving you to focus on growing your business and audience. Patchstack works with any WordPress site, theme, or plugin, and integrates seamlessly with your existing hosting provider.

If you are serious about WordPress security, you should start using Patchstack today for FREE

The latest in WordPress how-to's

Website security

PricingFor WordPressFor WooCommerceFor agenciesFor hostsAPIDocumentationLog in

For plugin devs

Managed VDP
Log in
Active programsSecurity auditing

For researchers

Bug bounty
Log in
Guidelines
Learn
Discord

Resources

Vulnerability databaseWhitepaper 2024
Vulnerability statistics
Case studies
Articles

Patchstack

AboutCareers
Affiliates
Merch storeMedia kit

Socials

LinkedInFacebookX
Patchstack logo
© 2024 Patchstack
DPAPrivacy PolicyTerms & ConditionsCo-funded by EU logo
Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu