Everything You Need to Know About WordPress Salts & Security Keys


WordPress is an open source content management system that is now one of the largest platforms for blogs, and websites of all niche. And if you are one of the millions of users all over the world then you probably might have wondered about the why and how of WordPress security.

Protecting your website against any malware or brute force attacks is always the top priority. And to aid those security requirements, WordPress offers tons of security options. We have dwelled on the topic previously with our articles on  WordPress Security Plugins and also discussed some of the Simple WordPress Security Tips to keep your site secure! But today we wanted to give our users a bit more insight into WordPress Salts and Security Keys. We will be discussing in detail what exactly are they and how do they work in keeping your account and website more secure.

What Are WordPress Salts and Security Keys?

In simple terms, WordPress Security Key is a password containing random elements which are long, complicated, and almost impossible to break. They provide a more secure encryption of the information stored in the browser’s cookies and make it harder to break the site’s security barriers.

WordPress salts are furthermore additional random strings of data that hashes the security keys. They add the extra layer of protection to the cookies and your authenticating credentials.


With the current version of WordPress, there are 4 security keys used to sign the cookies for your site. Four WordPress salts are recommended for the 4 security keys correspondingly however it’s not required as WordPress generates them by default.

  • LOGGED_IN_KEY – Used to generate a cookie for a logged in user. These cookies can’t be used to make changes on the site.
  • SECURE_AUTH_KEY – Used to sign an authorizing cookie for SSL admin. These cookies are used to make changes to the site.
  • AUTH_KEY – Used to sign the authorizing cookie for the non-SSL. These cookies can be used to make changes on the site.
  • NONCE_KEY – Used to sign the nonce key which protects the nonces from being generated, protecting you from certain forms of attacks.

Think of it this way; a simple password that you decide on can usually be easily broken. However, a more random and unpredictable set of variables are difficult to encrypt. It might even be years before someone trying to guess the password come up with the right combination. Thus, WordPress security Keys and Salts ensure the safety and protection of your website and login credentials.

How Does WordPress Salts and Security Keys Work?

Unlike most of other websites platforms, WordPress does not use the PHP sessions to keep track of their users. To verify an identity of logged in users as well as commenters, WordPress usually uses the cookies or information that are stored in your browser’s history. When you log in to your Dashboard multiple cookies are created and saved. Usually, the two cookies that are created are:

  • wordpress_[hash]
  • wordpress_logged_in_[hash]

The first one is used only when you are logged onto your Dashboard while the second cookie is used throughout WordPress to ensure whether or not you are logged in. The details you use to log in are hashed (assigned cryptic values) using the random variables which are then specified in the WordPress security keys. This, in turn, strengthens and makes it almost impossible for anyone to guess your password should your cookies be stolen.

Please refer to this article for more information. 

How to Use WordPress Security Keys and Salts?

Usually, when your WordPress websites are self-hosted, the security keys are not pre-defined. Instead, you might need to generate and add them yourself. But don’t worry, the process is quite simple and straightforward. Generally, there are two ways you can configure the secret key. We will be discussing both methods for your convenience so you can choose whichever method you prefer.

  • Manually change the WordPress Security Keys and Salts.
  • Using a WordPress Plugin.

Method 1: Manually Changing the Secret Keys & Salts!

Follow the steps below as a guideline and secure your WordPress profile and website!

The first step is to generate your own Secret Key. WordPress has its own random key generator and we recommend using those rather than coming up with your own. It is easy and takes just seconds.


define(‘AUTH_KEY’,  ‘random generated keys’);

define(‘SECURE_AUTH_KEY’,  ‘random generated keys’);

define(‘LOGGED_IN_KEY’,   ‘random generated keys’);

define(‘NONCE_KEY’,  ‘random generated keys’);


Now that you have the Secret WordPress security key ready, go ahead and open the WordPress wp-config.php file. You will find the file in your WordPress root folder.

Search for the Authentication Unique WordPress Security Keys and Salts that usually is located after the database credentials.

Copy the entire block of code that you generated previously using the random key generator. Once you have done that simply replace the eight default variables in your wp-config.php file. Save the changes that you have made and you are done!

Method 2: Using a Plugin

For explaining this method more thoroughly we will be using the help of the plugin- Salt Shaker. A Free WordPress security plugin, Salt Shaker is also extremely user-friendly! So to start off the process Install and Activate the plugin.

If you come across any problem with the procedure, here is a handy guide by Beautiful Themes dealing with the topic of How To Install and Activate a WordPress Plugin?


Once the plugin is activated and ready to use, you will find a newly added menu on the Tools section as Salt Shaker.


After you click on the menu, you will be redirected to a new page that features the option to set a schedule for changing the SALT keys. Go ahead and tick off the option to Change WP Keys and Salts.

You will also see the option to either choose a Daily, Weekly or Monthly basis to schedule the change of keys and salts. Select the option you prefer and your settings are Saved.

In case you want to change the WordPress security keys and salts immediately, you can also see an option for Change Now on the bottom of the page. Note that once you change the keys you will be automatically logged out of your WordPress.

Wrapping it Up!

And this sums up our article today about WordPress Security Keys and Salts. We have broken it down for our users so that you have an easier understanding of the matter. Get more secure and safe WordPress environment changing the random security variables every now and then.

We have also enlisted the methods that you can use to change the keys and by now we hope you have understood everything you needed to know about WordPress security keys and salts. Want to learn more about security? Why not check out more of our articles dealing with the topic!

Introducing modern block theme for magazine, news & blogging sites.


An avid reader and aspiring writer, I love to research, write and blog about things that peak my interest and curiosity.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 thoughts on “Everything You Need to Know About WordPress Salts & Security Keys

    1. Hello Felipe,

      Since the first step is to generate the secret keys, salts are not needed for the particular step.

Scroll to top

Pin It on Pinterest