Complete Guide to WordPress Salts and Security Keys


Complete Guide to WordPress Salts and Security Keys – You’ve probably noticed that WordPress remembers your password so you don’t have to type it in . time you log in?

  1. It makes logging into your website a simple and quick process.
  2. However, you might be concerned about the possibility of the password being stolen.
  3. The response is, unfortunately, yes. Passwords that are saved can be compromised.

When hackers obtain your password, they can use it to gain access to your website and cause havoc. They can perform a variety of malicious activities on your website, including redirecting visitors and stealing information, sending spam email, storing files and directories on your website, and even launching attacks on other WordPress pages.

But don’t worry, WordPress protects your saved password with something called WordPress salts & security keys to make sure this doesn’t happen. They encrypt your password so that hackers cannot read it if it is stolen.

We’ll go over how salts and keys function, as well as how to adjust them, in this guide.

What Are WordPress Security Keys & Salts?

Salts and security keys for WordPress are a series of characters that look like this:

‘,KE39}#KS5B{–!U2v]< |]aRnAO7Jb1[8ktJvFWe L1!}]

_7GA{t !u[]$|Hm&*’);

When you install WordPress, security keys and salts are created for you automatically.

But why does a WordPress site need security keys and salts?

We stated at the outset that you don’t have to enter your username and password every time you try to log in. This is due to the fact that WordPress saves your login credentials.

While it appears to be a fantastic operation, there are some security issues. Credentials that are stored on a computer may be stolen.

WordPress, on the other hand, has a solution. It stores the password after encrypting it with encryption keys and salts. Hackers won’t be able to decipher your password even though it is stolen.

There is, nevertheless, a catch.

Hackers will steal your salts and keys and decode your password using session hijacking and cookie stealing attacks.

As a result, it’s important to refresh your WordPress salt keys on a regular basis.

When to Change Your WordPress Salts & Security Keys?

Changing salts and keys is a popular post-hack security measure. If your website has recently been compromised, you must change your security keys and salts immediately.

What is the reason for this?

When your WordPress account is compromised, one of the first things you do is change all of your passwords right away to ensure hackers don’t gain access to your site.

However, hackers could have made a copy of your keys and salts without your knowledge. If the keys and salts stay the same, they will decode your password even if you change it.

As a result, if your website has been hacked, changing WordPress salts and keys is one of the first steps you can take to prevent it from being hacked again.

Guide to WordPress Salts and Security Keys

How to Safely Change Your WordPress Salt and Security Keys?

You can change your salts and keys in two ways.

  • You may make use of a plugin (recommended)
  • It’s possible to do it manually.

1. Changing WordPress Salts & Keys Using a Plugin

We’ll show you how to change salts and keys with MalCare and Salt Shaker, two separate plugins.

Using MalCare

i. Sign up with MalCare.

ii. Go to the Security section of your MalCare account. Select Apply Hardening from the Details menu.

iii. After that, pick Change Security Keys and press Continue.

iv. After that, you must enter your FTP credentials. If you don’t have it, consider searching for it using these videos or requesting it from your hosting company.

Security keys and salts will be updated after you enter your FTP credentials.

It’s worth noting that if you change your salt and keys, all browser cookies that save your password will be invalidated. This means that in order to access the dashboard, users must first log in.

Using Salt Shaker

  1. i. Install Salt Shaker on your WordPress site and trigger it.
  2. ii. Go to Tools > Salt Shaker on your website’s dashboard.
  3. iii. There are two choices on the Salt Shaker Setting page: Scheduled Change and Immediate Change.

You may use the ‘Scheduled Change’ option to change the keys and salts on a regular, weekly, monthly, quarterly, and bi-annual basis using the ‘Scheduled Change’ option. This is the choice that many website owners choose, and they plan the changes as part of their security policy.

If you want to update the WordPress salts and keys right away, go to the Immediate Change section and click the Change Now button.

2. Changing WordPress Salts & Keys Manually

CAUTION: Using the manual approach is extremely dangerous because it requires editing a WordPress file called the wp-config file. It’s a critical file that ensures the proper operation of your website. Small errors in file handling will result in a broken website.

To update your keys and salts, we strongly advise you to use a WordPress plugin. It’s much simpler and safer.

If you insist on using the manual process, make sure you make a full backup of your website first. If something goes wrong with your website during this phase, you can use the backup to easily restore it to its previous state.

You should use the manual method after you’ve made a backup.

  • Go to to create new salts and keys.
  • The wp-config file must then be edited. Go to cPanel in your hosting account. After that, go to File Manager.
  • Look for a folder called ‘public html’ in the new window. Inside this folder, you’ll find the wp-config file.
  • To open your wp-config file, right-click on the folder and select Edit. There are several lines of code in the file. You must locate the lines shown in the diagram below –

These are your salts and identification keys.

And you must only replace these lines of code with the new salts and keys produced in step 1.

  1. Phase 1: Copy the keys you created. Return to the wp-config file, highlight these lines, and replace them with the new ones.
  2. Please be cautious and make sure you don’t make any other changes to the wp-config file.
  3. Until leaving, remember to save the file.
  4. You’ve now successfully modified your WordPress salts and encryption keys.
  5. Even if your login credentials are stolen, hackers will struggle to read them due to security salts and keys.

Last Thoughts

Regularly changing your WordPress keys and salts is a precautionary measure to prevent hackers from gaining access to your web. However, this is just one small step toward fully securing your WordPress website.

Hackers have a variety of tools for hacking the website, in addition to stealing passwords.

You’ll need a stable WordPress security plugin like MalCare to defend your website from all types of threats.

The plugin instals a powerful WordPress firewall that detects and prevents hackers from gaining access to your web. It even checks the site every day to make sure there isn’t any suspicious activity. With MalCare keeping an eye on your account, you can rest easy knowing it’s safe from hackers.