WordPress salts: Everything you need to know

WordPress salts: Everything you need to know

WordPress salts are not something you have to think about, it’s just a part of WordPress. It’s part of what makes WordPress super secure with your password management.

A WordPress salt is there to encrypt your passwords. It’s basically a string of text, numbers and symbols mixed with your password and then encrypted into an unrecognisable string saved in your database, making it impossible to guess your password.

This is very simply explained. There is much more to it, like where they’re located, how you change it, and the pure functionality of using WordPress salt.

What Are WordPress Salt Keys?

As mentioned, WordPress salts are used to encrypt strings of text, whether it’s your passwords or something else.

The pure result of using WordPress salts is increased security, and WordPress salts are entirely random from WordPress sites to other WordPress sites.

Not only are WordPress salts used to encrypt your password, but it’s also used when you press remember me while signing into WordPress.

wordpress remember me

When you checkmark this option, your login information is saved in a cookie in your browser to sign you in automatically the next time your visit your WordPress website.

But this exposes you to a security breach if someone gets access to your cookies manually or through a virus.

Therefore your login information is encrypted using salts and an encryption method to secure you against hackers.

The way it works is, let’s say, your password is hi123. Instead of storing your password as hi123, which makes it possible for anyone to guess it.

Then your password is saved as something like fdsf6sd78f686(/&0(=)(=nnjkh in your database.

And as you can see, this is impossible to guess as it’s also encrypted with a salt.

[cboxarea id=”cbox-DZ7YzH84qT48YAf1″]

When you sign in, the string you write in the password field is then encrypted with the same salt and compared to your encrypted password saved in the database. If it’s a match, then you get signed in.

Where Are WordPress Salt Keys Located?

Your WordPress salts are located in your wp-config.php file on your server where your WordPress installation is.

It’s located in the root folder, and it’s packed with configurations for your WordPress website, such as your database login, caching, memory limit and, of course, your salts, which looks like this:

define( 'AUTH_KEY',          'n|o3o&/(YhLB*`b#Uys0|!q>gO&J>Ao6MBH-8B,hp[L&4tmc[uQ%_$KcRe}rCtr0{' );
define( 'SECURE_AUTH_KEY',   '&m}[%7dsd&/`$ZjsT}TGNlDnm6x@[YqMndq~%+O{,n1+V@sLhJK|irq`gG8pT1bG' );
define( 'LOGGED_IN_KEY',     'E_fMX`Qxb7b6(VJK()3Yw6F%qb#5YuvFUS?9H_B]n}JNpfoY3_$>Ebp(%/<,s[gU*r' );
define( 'NONCE_KEY',         'uxd*A* }$UBR;,se5J&uvjZlZ0V.pde<UR.Ei4sHGFh(/=h#6OHQL<&^e1)/GbWm8/' );
define( 'AUTH_SALT',         'TG:%&Ty^~1tmo/t}Ov56[&FK3#|N;)€€BghjG0Jg,l9Yq*d~k:Dko+eELTtl,1VYH' );
define( 'SECURE_AUTH_SALT',  ':-`^:jSMc/(/khkjyKJHIf{CC8WQ?_]{8U0XQS7VcqtxG=}@U}:j/cX`*eK6&#FS)tj`;' );
define( 'LOGGED_IN_SALT',    'i2fF&/%&%/(*Y}(_!j[rR;ludghi]#CKqh_=U3qqG:UC,wtgdLoT)y>%%yJ7V(' );
define( 'NONCE_SALT',        'h?JZ;7Nt@`N()=()(HJKg}F5$o/?4SR{rIg:RdDQ!B)tTl1LIN/XHJ`#Wl+57P&70' );

So as you can see, there are a lot of different salts, and depending on what plugins you’re using, you might have even more.

They all serve the same purpose, to help secure your WordPress website.

Why Change WordPress Salts?

There are 3 reasons you would want to change your WordPress salts.

  1. You want to make it more difficult for potential hackers to enter your system and add malicious code.
  2. You want to sign all users out. Because when you change the salts, then everyone is forced to sign in again, as their old password is now invalid because it was encrypted with another salt.
  3. You’ve been hacked. If this is the case, the hackers might’ve seen the salts, and changing them is a very good idea. You can do this manually or by using a WordPress plugin.

How To Change Salts in WordPress Manually

You need a file manager or FTP client to perform this step. Connect to your WordPress host and then open the wp-config.php file in any editor you have on your computer.

Then open up a browser and go to WordPress salt generator. Every time you refresh this page, you get a new set of salts. It’s completely random.

wordpress salts

But copy everything on the page and then go back to your editor where you have opened up wp-config.php.

Then you simply delete the current salts and paste in the new salts you just generated. Then you press save and upload your file.

Depending on server cache and other factors, it might take a little while, but at some point, you’ll be asked to sign in again, and then you will know the salts have successfully been changed.

How To Change Salts in WordPress Using A WordPress Plugin

A more straightforward way is to use a WordPress plugin to change your WordPress salts.

I can recommend Salt Shaker, which is a super simple WordPress plugin. You can choose to change your salts daily, weekly or monthly entirely automatically, or you can choose just to change them here and now.

salt shaker plugin

They do also have a pro version where you can schedule your changes more specifically, get a reminder or get notified once the changes are done. However, the free version is suitable for the majority.


Does WordPress use salt?

Yes, WordPress uses salts to encrypt your login page’s password. This is to ensure the highest possible security for your WordPress login. This, combined with your password, saves a meaningless string in the database making your password unrecognisable.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *