WordPress is one of the most compelling and popular content management systems in the world. Therefore, WordPress is a common target for security vulnerabilities, such as brute force attacks, SQL injection, malware, cross-site scripting, and DDoS attacks.In fact, recently, a kind of Edit We are launching a brute force attack on the WordPress website, stealing cryptocurrency through clipboard hijacking.

The security of WordPress depends on your efforts to improve the security of your site. As a website owner, it is your responsibility to stay vigilant and implement proactive security strategies to prevent malicious attacks. The use of weak passwords and usernames, failure to update WordPress core and plugins, and poor quality hosting are common security errors for website owners, making it easy for malicious hackers to access.

WordPress is a highly secure CMS in its own way. However, to protect your WordPress site from cybercriminals, you need to improve security and increase online credibility.Simple steps, such as updating the WordPress core, choosing a secure WordPress hosting service provider, pay attention domain name Security, using a secure password can help deter malicious robots and attackers.

In this article, we will focus on WordPress salts and security keys and their role in ensuring that you do not have to deal with the consequences of malware attacks.

What are WordPress security keys and salts?

When a user logs into a WordPress site, many cookies are created on the computer. These are used to verify the identity of the logged-in user. If hackers enter your database or find your cookie, they may read your password, making your website vulnerable.

WordPress uses security keys and salts to provide you with mysterious output stored in a database or cookie, adding a layer of security to your website.

Two of the cookies are:

  • WordPress_[hash] Only used on the admin page or WordPress dashboard.
  • WordPress_logged_in_[hash] Used throughout WordPress to determine whether you are logged in to WordPress.

The authentication details that WordPress stores in these cookies are hashed using a random pattern specified in the WordPress security key (the assigned encrypted value).

WordPress security key

WordPress security key It is a password that contains a random, long, and complex set of variables that can improve encryption, making it almost impossible to crack your password. The latest version of WordPress uses four security keys, each with a corresponding salt, which can improve the security of your WordPress site.

these are:

  1. Authorization key Can be used to make changes to the site. It can help you sign non-SSL authorized cookies.
  2. SECURE_AUTH_KEY Used to sign the authorization cookie for the SSL administrator and to make changes to the website.
  3. LOGGED_IN_KEY Used to create cookies for logged in users. It cannot be used to make changes to the site.
  4. NONCE_KEY For signing Random number keyThis key prevents random numbers from being generated, thereby protecting your site from attacks.

You will be at wp-config.php file, Located in the WordPress root folder.

WordPress salt Is a random string of data used to hash security keys and add an extra layer of protection to the site and your credentials.

WordPress salt

As you can see in this picture, each security key has a corresponding salt, namely AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT.

Why use WordPress security key and salt?

WordPress uses cookies to track the identity of users who log in to your website. These cookies are stored in the dashboard account of your site, which is the client. For better encryption, the authentication details (username and password) are hashed using a set of random values ​​specified in the WordPress security key.

Therefore, compared with unencrypted passwords, randomly generated encrypted passwords like “65a3ds2873ba27us36sd89s0fc” are extremely difficult to crack. Therefore, website owners should use the WordPress security key to protect their website’s cookies and prevent malicious hackers from accessing the website.

How to manually change WordPress keys and salts

You can configure the key and salt manually or using the WordPress security plugin. If you have a self-hosted WordPress site, you must add the security key yourself.

Please note: If you are a developer or familiar with intermediate or higher-level code, we only recommend that you edit WordPress files manually. If you are a beginner, please skip to the recommended plugins below.

First, use the random generator on WordPress to get the unique key.

Generate key

Next, log in to your control panel file manager or via FTP. Find the wp-config.php file from here and modify it.

Find the WP-Config file

Open the file and scroll down to the “Authentication unique key and salt” section. You can add the key you generated earlier here.

Authentication unique key and salt

After saving the file, you will need to log in again.

Update key and salt using plugin

Like most things in WordPress, you don’t have to do this manually. Several WordPress plugins can be used to automate this process on your behalf. They are a quick and easy way to change WordPress keys and salts. Here are two we recommend.

iThemes security

BuddyPress freemium WordPress plugin for iThemes security

Information and downloads

The current version of iThemes Security (free v4.6+ or iThemes Security Pro v1.14+) has time-saving security features that can easily update WordPress security keys and salts. It provides monthly update reminders to avoid the need to manually generate a new set of keys or edit the wp-config.php file.

To update the key and salt, go to the “WordPress Salt” section in the “Advanced Tab”, click the “Change WordPress Salt” checkbox, and finally click the “Change WordPress Salt” button.

iThemes WordPress salt

iThemes Security Pro provides additional features such as two-factor authentication, scheduled malware scanning and reCAPTCHA to detect malware and add an extra layer of security to your WordPress login page.

Salt shaker

Salt shaker plug-in

Similarly, Salt Shaker provides impressive features and settings, such as manual and instant WP security key and salt changes to improve your WordPress security.

Salt Shaker WordPress key and salt

In addition, after installing the Salt Shaker plug-in, you can set up a scheduled job for automatic salt change. All you need to do is check the box and choose daily, weekly or monthly settings.

In both cases, the plugin is programmed to send an automatic reminder to update the WordPress key. Therefore, it also forces all logged-in users to go through the login process again. All these features help protect the website from brute force attacks and other hacker attacks.


When protecting your WordPress site, prevention is the way to go. The strong combination of WordPress security key and salt makes it difficult for hackers to crack website passwords. This is how WordPress provides greater security and data protection for user sessions.

All in all, when updating WordPress security keys and salts, you need to keep the following points in mind.

  • After launching the WordPress website, change the security key and salt.
  • Always use the WordPress salt key generator to create security keys. Don’t do it yourself. Alternatively, you can use a WordPress plugin or automate the process.
  • Updating the WordPress security key and salt will invalidate all existing cookies, causing all users to log out immediately. Therefore, when changing them, please be aware that some users may be online.
  • If you find any signs that your website is under attack, update your WordPress security key and encourage your users to change their passwords.

Do you have any questions about salt and security keys? Or will you add a hint? Let us know in the comments!