3 Ways To Change WordPress Security Keys And Salts

One of the most important factors in securing a website is making sure that your passwords are protected. WordPress security keys, also known as WordPress salts or WordPress secret keys, add an extra layer of protection to your site’s login. These security keys and salts are mixed into the hashing of your login credentials, making it much harder for an attacker to brute-force or forge them.

Want to learn more about WordPress security keys and salts?

In this article, we will discuss what WordPress security keys and salts are, why you should use them, and when to change them. At the very end, we’ll show you how to change them.

What are WordPress Security Keys and Salts?

WordPress security keys and salts are cryptographic values that help secure your WordPress site’s login. They work much like passwords: both are secrets that make your website less vulnerable to security threats.

A security key is a long, random and complicated string that strengthens the encryption, making it practically impossible to crack your password. Salts are additional random strings that protect the four security keys WordPress uses. That is why WordPress uses both together: a message is encrypted with a key made of alphanumeric and special characters, and the same key is needed to decrypt the information back to plain text.

Currently, WordPress uses four security keys, each with salt, to boost your website’s security. You will find them in the wp-config.php file, located in the root folder. Here are those four:

  • AUTH_KEY – Used to sign the authorization cookie for non-SSL (plain HTTP) sessions. These cookies can be used to make changes on the site.
  • SECURE_AUTH_KEY – Used to sign the authorization cookie for SSL (HTTPS) admin sessions. These cookies can also be used to make changes on the site.
  • LOGGED_IN_KEY – Used to generate the cookie for a logged-in user. These cookies can’t be used to make changes on the site.
  • NONCE_KEY – Used to sign nonces, which protects them from being forged and so protects you from certain forms of attack.

How Do WordPress Security Keys and Salts Work?

Unlike most other website platforms, when a user logs in to a WordPress site, the information about their session is stored in cookies. Cookies are small files that get stored on your device when you visit a website. They contain bits of information such as whether you have logged in to the site, along with a hashed form of your password, so that when you revisit the website these cookies can identify you. Usually, the two cookies that are created when you log in to a WordPress site are:

wordpress_[hash]
wordpress_logged_in_[hash] 

That’s not all: to make it harder for attackers to use cookie data, WordPress takes advantage of those keys. Security keys and salts work together to cryptographically turn that plaintext password into a random jumble of characters that is practically impossible to reverse without access to your keys and salts.

Suppose you entered “mypassword” to log in; WordPress will turn that password into something like “hsd78q34%7832$4jkhkjsfd78782^^429nsdf” for storage.

So, unless someone has access to your salts and security keys, it is next to impossible for them to turn that random jumble of characters back into the original password.
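As an added illustration (not code from the article), the script below models how a key and its salt authenticate a login cookie and why rotating either one invalidates every cookie issued before. It assumes a POSIX shell and the openssl CLI; the scheme (HMAC-SHA256 over “user|expiry” keyed with key.salt) is a simplification, not WordPress’s exact cookie format.

```shell
#!/bin/sh
# Added example, not from the original article: a simplified model of how a
# key and its salt authenticate a login cookie, and why rotating them logs
# every user out. Assumptions: POSIX sh and the openssl CLI; the scheme
# (HMAC-SHA256 over "user|expiry" keyed with key.salt) is an illustration,
# not WordPress's exact cookie format.
set -eu

# Authentication tag = HMAC-SHA256(key . salt, "username|expiry")
cookie_tag() {  # $1 key, $2 salt, $3 username, $4 expiry (unix time)
  printf '%s|%s' "$3" "$4" | openssl dgst -sha256 -hmac "$1$2" | sed 's/^.* //'
}

# Cookie value issued at login: "username|expiry|tag"
make_cookie() {  # $1 key, $2 salt, $3 username, $4 expiry
  printf '%s|%s|%s' "$3" "$4" "$(cookie_tag "$1" "$2" "$3" "$4")"
}

# Recompute the tag with the server's *current* key and salt. Exit status 0
# means the cookie is accepted; 1 means it is rejected (tampered with, or the
# key/salt changed since it was issued).
verify_cookie() {  # $1 key, $2 salt, $3 cookie
  user=${3%%|*}
  rest=${3#*|}
  expiry=${rest%%|*}
  tag=${rest#*|}
  [ "$tag" = "$(cookie_tag "$1" "$2" "$user" "$expiry")" ]
}

# Demo: a cookie issued under the old key/salt stops validating once either
# value is rotated, which is the forced logout the article describes.
demo() {
  c=$(make_cookie 'old-key' 'old-salt' 'admin' 1700000000)
  verify_cookie 'old-key' 'old-salt' "$c" && echo "before rotation: accepted"
  verify_cookie 'new-key' 'old-salt' "$c" || echo "after key rotation: rejected"
  verify_cookie 'old-key' 'new-salt' "$c" || echo "after salt rotation: rejected"
}

demo
```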

When to Change WordPress Security Keys and Salts?

As we have seen, WordPress security keys and salts keep your site protected, and changing them regularly adds another layer of security to your WordPress website. If you suspect that your website has been hacked, changing them, along with your passwords, is mandatory. It is also a good idea to update the salts and security keys if your site is infected with malware: with malware present, attackers have unauthorized access to the website’s files, including the wp-config.php file. So, the first step is to scan your site and clear out the malware, then change the keys and salts.

Changing your WordPress keys and salts once or twice every year should be more than enough to keep your site safe. However, if you want to be extra careful, you might want to change them every couple of months. Though it can be a minor hassle, it helps protect you in case an account has been compromised. Once you change the salt keys, all existing cookies are invalidated. That means all logged-in users will be logged out of the website, including you.

How to Change WordPress Security Keys and Salts?

There are a few ways to change your site’s security keys and salts: you can either use a plugin or edit wp-config.php directly. As using a plugin is easier and safer, we recommend the plugin, but we will also show how you can change the WordPress security keys manually. Let’s check both ways.

Change WordPress Security Keys and Salts with Plugins:

If you want to change your WordPress security keys and salts easily and without hassle, using a plugin is the best option. You can either use your existing security plugin to change them, or you can use a dedicated plugin. In both cases, the plugin can be configured to change your security keys and salts automatically on a regular schedule.

Use a security plugin:

If you are already using a security plugin, it is usually the best choice for changing your WordPress security keys and salts. Installing too many plugins can harm your site’s health, so using your existing security plugin is preferable to adding a dedicated one.

Sucuri is one of the best WordPress security plugins on the market. It’s free to use and offers all the security features you might need.

[Screenshot: Sucuri Security plugin]

To get started, install and activate the Sucuri plugin.

After activation, you will see a new menu named “Sucuri Security” added to your dashboard area.

[Screenshot: update WordPress security keys and salts]

Now, go to “Security > Settings” and open the “Post-Hack” tab.

[Screenshot: generate new WordPress security keys and salts]

From here, simply check the “I understand that this operation cannot be reverted.” box and click on the “Generate New Security Keys” button under the “Update Secret Keys” section.

[Screenshot: schedule update]

Sucuri also lets you schedule automatic updates of the security keys. Use the “Frequency” dropdown menu to select the most appropriate timeframe for your website, then hit the “Submit” button.

Use a dedicated plugin:

The Salt Shaker plugin is the only dedicated plugin for changing WordPress security keys and salts. It enables you to update your WordPress security keys and salts at the click of a button.

[Screenshot: Salt Shaker plugin]

To start with the plugin, you’ll need to install and activate it first. Once that’s done, a new Salt Shaker option will show up in your dashboard under the Tools menu.

Now, navigate to Tools > Salt Shaker to find all of its settings, and check the box to automate SALT key generation and changes.

[Screenshot: schedule changing]

If you want to change your salt keys automatically on a periodic basis, choose a frequency (Daily, Weekly, Monthly, Quarterly or Biannually) from the dropdown menu. Once you set your schedule, the plugin will update your salt keys at the chosen interval.

The frequency you choose will depend on your website’s needs. The more sensitive data you handle, the more often you’ll want your salt keys to change. However, daily changes are generally considered overkill for most websites.

[Screenshot: Change WordPress security keys and salts]

If you don’t want to schedule key and salt changes, just click the “Change Now” button without selecting any frequency.

Once you click “Change Now”, this will immediately change your salt keys, after which WordPress will prompt you to log back in.

Change WordPress Security Keys and Salts manually:

Manually configuring WordPress security keys isn’t difficult. You just need to do the following:

First, generate new WordPress security keys and salts to replace the old ones. For that, use the WordPress SALT keys API and simply copy the new values that you get.

Before changing the wp-config.php file, take a backup of it. This is a necessary precaution because you are about to edit a core WordPress configuration file manually, and a mistake there can break the site.

[Screenshot: wp-config file]

To replace your old keys and salts, use an FTP client or the File Manager app in your WordPress hosting account control panel to connect to your website, and open the wp-config.php file.

[Screenshot: change WordPress security keys and salts]

Now, scroll down to the section “Authentication Unique Keys and Salts”, replace the existing define lines with the newly generated keys, and save your changes.

To confirm, your FTP client will generally ask if you want to replace your existing file with the new version. Choose “Yes”, and you’re all done.

That’s all! You have changed your WordPress security keys and salts.
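For sites you administer over SSH rather than FTP, the steps above (backup first, then swap only the eight define lines) can be scripted. The script below is an added example, not part of the article or of WordPress; it assumes a POSIX shell, awk and /dev/urandom, and it generates the values locally instead of copying them from the WordPress SALT keys API.

```shell
#!/bin/sh
# Added example, not from the original article: rotate the eight values in
# the "Authentication Unique Keys and Salts" section of wp-config.php from a
# shell on the host, taking the backup the article recommends first.
# Assumptions: POSIX sh, awk and /dev/urandom; values are generated locally
# instead of being copied from the WordPress secret-key API, and the file is
# edited over SSH rather than through an FTP client.
set -eu

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character value. Quotes and backslashes are left out of the alphabet
# so a value can never terminate the PHP single-quoted string it lives in.
gen_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#%&*+,.:;<=>?@^_~' < /dev/urandom | head -c 64
}

# Fresh define() lines in the format wp-config.php uses.
new_salt_block() {
  for name in $SALT_NAMES; do
    printf "define('%s', '%s');\n" "$name" "$(gen_salt)"
  done
}

# Back up the file, then replace only the eight salt defines; every other
# line (database settings, table prefix, ...) is passed through unchanged.
rotate_salts() {  # $1 path to wp-config.php
  cfg=$1
  cp -p "$cfg" "$cfg.bak"
  new_salt_block > "$cfg.salts"
  awk -v q="'" '
    NR == FNR { split($0, a, q); fresh[a[2]] = $0; next }
    /^[ \t]*define[ \t]*\(/ { split($0, b, q); if (b[2] in fresh) { print fresh[b[2]]; next } }
    { print }
  ' "$cfg.salts" "$cfg" > "$cfg.new"
  rm -f "$cfg.salts"
  mv "$cfg.new" "$cfg"
}

# Sanity check after editing: how many salt defines still hold the stock
# placeholder text? Anything other than 0 means the rotation was incomplete.
placeholder_count() {  # $1 path
  grep -c 'put your unique phrase here' "$1" || true
}
```

Run it as `rotate_salts /path/to/wp-config.php`; the backup is written next to the file as wp-config.php.bak, and all logged-in users, including you, will be logged out on the next request.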

Conclusion:

While changing WordPress security keys and salts strengthens your site’s security, changing them very often adds another layer of complexity. The best practice is to change the salts and security keys every six months (biannually) or so. However, it becomes necessary to change them immediately if your site is hacked or was infected with malware.

Hopefully, this article helped you learn what WordPress security keys and salts are and how to change them. For more articles on WordPress site security, check our Blog page.

If you have any questions regarding security keys and salts or any tips you would like to share, let us know in the comments!
