Updated: 24 May, 2023

WordPress Salts Explained And Why They Matter For Web Security

from patchstack

WordPress is a popular CMS, and as a result, hackers and attackers frequently target it. There are many ways to strengthen the security of your WordPress site, but one of the most crucial ones is to safeguard it by choosing a secure password.

Weak passwords can pose a severe security risk, but WordPress provides WP Salts and Keys, which can give an additional layer of protection to the login information on your website and are virtually impossible for hackers to figure out.

Before using WordPress Salts, it is good to understand what they are and how they work. So, in this article, you will learn everything you need to know about WordPress Salts, including their purpose, where they are located, and how to change them to improve the site’s security.

What are WordPress Salts?

WordPress salts are secret password-protecting keys that help you protect your login credentials by encrypting them into a hash format.

If you enter your WordPress login credentials and access the dashboard, you will notice that you can stay logged in. So here, your WordPress site saves your password in the browser cookies, so you won’t need to log in again to access your backend. 

Without a doubt, it saves time, but it could also pose a security risk if your browsers are compromised. However, there is no need to fear because WordPress Salts encrypt the password into a hash format.

How do WordPress Salts work?

Now that you know what WordPress Salts are, let’s look at how they might benefit your website. Here we’ll give some examples to help you understand. 

For instance, if you set “pathstack123” as your login, the WordPress Salts would encrypt it into a random hash string like “AE#4%KRX>>5SUT” and save it to your browser’s cookies. A hacker would find it nearly impossible to decrypt this encrypted format. Updating your WordPress Salts from time to time is a good way to improve the security of your website.

Another scenario is when you log in to your site from several browsers and devices and you get the feeling that your password is readily guessable or could be misused. In such a case, you can change your WordPress Salts, and it will immediately log out all users from all browsers.
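
A simplified model of the salt-keyed signature on a WordPress login cookie, showing why replacing the salts logs out every browser at once. This is an added example, not code from the original article or from WordPress; the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values standing in for a key constant joined with its salt.
OLD_SECRET = "old-LOGGED_IN_KEY" + "old-LOGGED_IN_SALT"
NEW_SECRET = "new-LOGGED_IN_KEY" + "new-LOGGED_IN_SALT"


def keyed_hash(data, secret):
    # Keyed MD5 over the data, with the key + salt string as the HMAC key.
    return hmac.new(secret.encode(), data.encode(), hashlib.md5).hexdigest()


def make_cookie(user, pass_frag, expires, token, secret):
    # The signing key depends on the salts and a fragment of the stored hash.
    key = keyed_hash(f"{user}|{pass_frag}|{expires}|{token}", secret)
    mac = hmac.new(key.encode(), f"{user}|{expires}|{token}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{user}|{expires}|{token}|{mac}"


def cookie_is_valid(cookie, pass_frag, secret, now):
    parts = cookie.split("|")
    if len(parts) != 4 or not parts[1].isdigit():
        return False
    user, expires, token, mac = parts
    if int(expires) < now:
        return False                       # expired session
    expected = make_cookie(user, pass_frag, expires, token, secret)
    return hmac.compare_digest(expected.rsplit("|", 1)[1], mac)


def demo():
    now, frag = 1700000000, "x9Qf"         # constructed clock and hash fragment
    cookie = make_cookie("admin", frag, 2000000000, "constructed-token", OLD_SECRET)
    edited = cookie.replace("admin|", "editor|", 1)
    return (cookie_is_valid(cookie, frag, OLD_SECRET, now),   # issued cookie
            cookie_is_valid(edited, frag, OLD_SECRET, now),   # altered cookie
            cookie_is_valid(cookie, frag, NEW_SECRET, now))   # after rotation
```

The server recomputes the signature with its current salts on every request, so a cookie signed under the old salts no longer matches once they are replaced.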

Why use Salt Keys in your WordPress?

Here are some reasons why you should use Salt Keys in your WordPress site:

1. It adds an additional layer of security to your WordPress login password.

2. It encrypts your password, preventing access by hackers.

3. It safeguards the Backend and Dashboard of WordPress.

4. It makes passwords more difficult to crack and the use of cookie data more difficult.

5. You benefit if you frequently log in using numerous devices and run the risk of having your login information stolen.

Where are WordPress Salts located on your website?

Every new WordPress installation includes certain default WordPress Salts.

There are two types of Keys:

  1. Upper 4 Keys are AUTH KEYS
  2. Lower 4 Keys are SALT KEYS

In most cases, the salt keys are located in the “wp-config.php” file in the root folder of your website. Here’s the location: “/applications/mxrtnbhrct/public_html/wp-config.php”.

If you do not see your Salt Keys in your wp-config.php file, check the wp-salt.php file, which is probably referenced in your wp-config.php file.

So, in my case, the WordPress Salts are located at “/applications/mxrtnbhrct/public_html/wp-salt.php”.

Note: Salt Keys are very sensitive, so don’t share them with anyone. Sharing them will create a security threat for your WordPress site.

How to change your WordPress Salts (two methods)

It is essential to keep updating your WordPress Salts periodically. Here, we have covered two quick methods to easily change your WordPress Salts.

  1. Manual Method (Edit WP-CONFIG.PHP or WP-SALT.PHP File)
  2. Plugin Method (iThemes)

So, let’s get started!

Method # 1. How to change your WordPress Salt via manual method

This is a manual method where we access the WordPress files and change them by hand. It’s recommended that you take a backup of your WordPress files in case something goes wrong.

Adding the new WordPress Salts via manual method is easy and can be done in four simple steps.

Step 1: Download an FTP client like FileZilla

First, you need to download the FileZilla client to access your web files. If you already have it, you can skip this step; otherwise, you can download it from their official site. Downloading it and running the installation process on your local desktop will take a few minutes.

I’ve downloaded and installed a free version that provides enough features to do our job.

Step 2: Generate new WordPress Salts

Now, you need to generate new WordPress Salts from the Salt Keys API. When you visit the Salt Keys API page, you will see the new keys, and each time you refresh the page, a new set of keys is generated.

Simply copy all of the keys to a safe place so we can use them later to replace the existing keys.

Step 3: Access your web files and edit your WP-CONFIG.PHP or WP-SALT.PHP file

Next, you need to add your server credentials to connect via FileZilla and access your site files.

First, you need to check where your WordPress Salts are located. They may be located in your wp-config.php or wp-salt.php file.

In our case, the WordPress Salts are located in the wp-salt.php file, and it’s defined in wp-config.php as require('wp-salt.php');. This means the wp-config.php file calls the wp-salt.php file for the authentication, so it’s just an extra step taken as a security measure.

Step 4: Add new WordPress Salts to your site

Now, edit your wp-config.php or wp-salt.php file and replace the existing keys with the new WordPress Salts that you copied from the Salt Keys API.

Once you add the new WordPress Salts, save the file or upload it to your root directory.
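
Steps 2 to 4 can also be done with a short script. This added example (not from the original article or from WordPress) generates the eight values locally with a CSPRNG instead of copying them from the Salt Keys API, and swaps them into the text of wp-config.php or wp-salt.php; the function names and the sample file content are constructed for illustration.

```python
import re
import secrets
import sys

# The eight constants WordPress reads its keys and salts from.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII without ' and \ so a value can never break out of a
# PHP single-quoted string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")
# Matches define('NAME', 'value'); with either quote style and any spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?:\\.|(?!\3).)*\3\s*\)\s*;""")
# Constructed sample standing in for wp-salt.php (not real keys).
SAMPLE = "<?php\ndefine( 'DB_NAME', 'wp' );\n" + "".join(
    f"define( '{n}',  'old-{n}' );\n" for n in SALT_NAMES)


def new_secret(length=64):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(php_source):
    """Return php_source with all eight key/salt values replaced."""
    seen = set()

    def swap(match):
        name = match.group("name")
        if name not in SALT_NAMES:
            return match.group(0)          # leave DB_NAME and others untouched
        seen.add(name)
        return f"define('{name}', '{new_secret()}');"

    rotated = DEFINE_RE.sub(swap, php_source)
    missing = [n for n in SALT_NAMES if n not in seen]
    if missing:    # e.g. a wp-config.php that only requires wp-salt.php
        raise ValueError("keys not defined in this file: " + ", ".join(missing))
    return rotated


if __name__ == "__main__" and len(sys.argv) == 2:
    path = sys.argv[1]                     # wp-config.php or wp-salt.php
    with open(path, encoding="utf-8", newline="") as fh:
        rotated = rotate_salts(fh.read())  # fails before anything is written
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(rotated)
```

Run it against the file that actually holds the define() lines, and keep the backup copy outside the web root so it cannot be downloaded as plain text.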

Method # 2. How to change your WordPress Salts via plugin method

Changing your WordPress Salts via a plugin is an excellent alternative if you are not comfortable using the first (manual) method.

WordPress gives its users the flexibility to easily change or add functions via plugins, so there are numerous plugins out there. Here, we will do it with the iThemes Security plugin.

Note: Recently, we have partnered up with iThemes to provide early warnings about potential vulnerabilities in WordPress sites.

Step 1: Download the iThemes plugin

Navigate to your WordPress Dashboard > Plugins > Add New > search for iThemes Security > click Install Now & Activate.

Step 2: Change WordPress Salts With iThemes

Once you finish the iThemes Security setup, go to Security > Settings > Tools > Change WordPress Salts and click Run.

Once the WordPress Salts have been changed, the message “The WordPress salts were successfully regenerated.” will be displayed.

Wrapping it up

We hope this guide has helped you update and change your WordPress salts to safeguard your websites from risks to password security. Here, we’ve covered two simple techniques that you may use to quickly add the new WordPress salts to your website: a manual process and a plugin.

If you suspect that your site passwords have been compromised or if you unintentionally forget to log out of your WordPress site from another computer or location, it’s a good idea to update your WordPress Salts frequently.
