Everything about WordPress Security Keys

Aug 1, 2022

Passwords are literally the keys to your site. Protecting your login page from hackers and their bots is a top priority and an ongoing battle that you need to stay on top of. 

WordPress salts and security keys are long random strings that WordPress uses to sign the cookies that keep users logged in and the nonces that protect forms and admin actions. They are not used to hash stored user passwords; WordPress salts each password hash separately. As a WordPress admin, you rarely need to touch them, but it is good practice to rotate them periodically, and essential to rotate them after a compromise.

Changing your WordPress salt keys is a straightforward process. Remember to take a backup of your site before making any changes, so any errors can be easily reverted.

TL;DR Refresh your WordPress salts and security keys easily using MalCare. MalCare has a host of login security features, including an advanced firewall with bot protection. It also limits incorrect login attempts and blocks bad IPs even before they can attack your site. Bundled with BlogVault’s bulletproof backups, it is the hands-off protection you need for your site so you can focus on the important stuff. 

What are WordPress salts and security keys?

WordPress salts and security keys are random strings used to sign the login cookies WordPress issues and the nonces it attaches to forms and admin actions, so that neither can be forged by someone who does not hold the strings. They are defined in the wp-config.php file, where there are 8 of them in total.

Although salts and security keys are mostly used to refer to the same set of 8 strings, they are used slightly differently. There are 4 security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY) and each has a matching salt (AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT). Each pair covers one purpose: login cookies over plain HTTP, login cookies over HTTPS, the logged-in cookie that tells the front end who you are, and nonces. WordPress joins a key and its salt into one secret for that purpose.

How do WordPress salt keys work?

When WordPress needs to sign something, it takes the key and salt for that purpose, joins them into one secret, and uses that secret to compute a keyed hash (an HMAC) over the data. Hashing is one-way, so the output reveals neither the data nor the secret, and without the secret nobody can produce a hash that WordPress will accept. That is what stops a tampered cookie: change a single character of the username or the expiry and the hash no longer matches.

Security keys guard the login session itself. WordPress uses cookies to manage login sessions, so that a user does not have to log in again for every action in wp-admin. The cookie does not contain the password. It holds the username, an expiry time, a session token and a hash, and that hash is computed with the security key over those values plus a short fragment of the stored password hash. Anyone who can read the cookie can see the username, but without the key they can neither alter it nor build one from scratch.

This is why it is critical to keep these strings secret. They are what stands between an attacker and a forged login cookie, so if you suspect anyone has seen them in the wp-config.php file, change them right away. This is also why there is no good reason to store them anywhere else.
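
To make the mechanism concrete, here is an added example that is not part of the original post and not WordPress code: a Python reimplementation of the logic in wp_generate_auth_cookie() and wp_validate_auth_cookie() from wp-includes/pluggable.php. The key sets, the user record with its phpass-style password hash, the session tokens and the timestamps are all constructed for the demo, and the session-token store is an in-memory dictionary standing in for the session_tokens entry in usermeta. It shows a cookie being accepted under the current keys and rejected once the keys are rotated, a tampered cookie being rejected, and why (as the FAQ at the end of this page also notes) an attacker holding the keys plus database access can mint a cookie without any password.

```python
"""Added illustration of the WordPress auth-cookie scheme. It mirrors the logic of
wp_generate_auth_cookie() / wp_validate_auth_cookie() in wp-includes/pluggable.php,
but it is not WordPress code; the key material, user record, tokens and timestamps
below are constructed for the demo."""
import hashlib
import hmac
import secrets

# Constructed stand-ins for the AUTH_KEY / AUTH_SALT defines in wp-config.php
# before and after a rotation. Real values are 64 random characters each.
KEYS_OLD = {"AUTH_KEY": "OLD-key-8Jq2#vL!p0Zr", "AUTH_SALT": "OLD-salt-x7Wd%Tm^b4Nc"}
KEYS_NEW = {"AUTH_KEY": "NEW-key-3Fh9&kE@s6Yu", "AUTH_SALT": "NEW-salt-q1Rb*Gv(z8Mo"}

# Constructed wp_users row. user_pass is a phpass-style hash with its own embedded
# salt; the wp-config keys play no part in computing it.
USERS = {"alice": {"user_pass": "$P$BZ4kH0dJhAz6N9cu2Nq1wF3jRlqZk5/"}}


def wp_salt(keys, scheme="auth"):
    """wp_salt(): the per-scheme secret is the key concatenated with its salt."""
    return keys[scheme.upper() + "_KEY"] + keys[scheme.upper() + "_SALT"]


def wp_hash(data, keys, scheme="auth"):
    """wp_hash(): hash_hmac('md5', $data, wp_salt($scheme))."""
    return hmac.new(wp_salt(keys, scheme).encode(), data.encode(), hashlib.md5).hexdigest()


def hash_token(token):
    """WP_Session_Tokens::hash_token(): only a hash of the session token is stored."""
    return hashlib.sha256(token.encode()).hexdigest()


def start_session(login, sessions):
    """WP_Session_Tokens::create(): register a fresh random token for the user."""
    token = secrets.token_hex(21)
    sessions.setdefault(login, set()).add(hash_token(token))
    return token


def generate_auth_cookie(login, users, keys, expiration, token):
    """wp_generate_auth_cookie(): login|expiration|token|hmac."""
    pass_frag = users[login]["user_pass"][8:12]  # substr($user->user_pass, 8, 4)
    key = wp_hash(f"{login}|{pass_frag}|{expiration}|{token}", keys)
    mac = hmac.new(key.encode(), f"{login}|{expiration}|{token}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{login}|{expiration}|{token}|{mac}"


def validate_auth_cookie(cookie, users, sessions, keys, now):
    """wp_validate_auth_cookie(): returns the login on success, None otherwise."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    login, expiration, token, mac = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None  # expired
    user = users.get(login)
    if user is None:
        return None  # unknown user
    pass_frag = user["user_pass"][8:12]
    key = wp_hash(f"{login}|{pass_frag}|{expiration}|{token}", keys)
    expected = hmac.new(key.encode(), f"{login}|{expiration}|{token}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # bad HMAC: wrong keys or a tampered cookie
    if hash_token(token) not in sessions.get(login, set()):
        return None  # token not (or no longer) registered for this user
    return login


def demo(now=1_700_000_000):
    """Walk through login, key rotation, cookie tampering and a forged cookie."""
    sessions = {}
    expiration = now + 2 * 24 * 3600  # WordPress default cookie lifetime: two days
    token = start_session("alice", sessions)
    cookie = generate_auth_cookie("alice", USERS, KEYS_OLD, expiration, token)
    out = {
        "accepted_with_current_keys": validate_auth_cookie(cookie, USERS, sessions, KEYS_OLD, now),
        "accepted_after_rotation": validate_auth_cookie(cookie, USERS, sessions, KEYS_NEW, now),
    }
    # Pushing the expiry a year out without the keys breaks the HMAC.
    parts = cookie.split("|")
    parts[1] = str(int(parts[1]) + 365 * 24 * 3600)
    out["accepted_after_tampering"] = validate_auth_cookie("|".join(parts), USERS, sessions, KEYS_OLD, now)
    # An attacker holding the keys who can also write to the database registers a token
    # of their own and mints a cookie that passes every check, with no password at all.
    attacker_token = "token-chosen-by-attacker"
    sessions["alice"].add(hash_token(attacker_token))
    forged = generate_auth_cookie("alice", USERS, KEYS_OLD, expiration, attacker_token)
    out["forged_with_leaked_keys"] = validate_auth_cookie(forged, USERS, sessions, KEYS_OLD, now)
    out["forged_after_rotation"] = validate_auth_cookie(forged, USERS, sessions, KEYS_NEW, now)
    out["password_hash_unchanged"] = USERS["alice"]["user_pass"]
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it directly to print the checks. Two details are worth noticing: the password hash stored for the user never changes across the whole walk-through, which is why rotating keys does not touch passwords, and the forged cookie only works because the attacker could also write a session token into the database, which is why the keys belong in wp-config.php rather than in the database.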

What is the purpose of generating new secret keys in WordPress?

WordPress salts are rarely seen and never used directly by users. Plus, they are made of random characters, so why do they need changing at all? 

If there is the slightest chance that a malicious actor has seen or copied your wp-config.php file, say, from a local backup, you need to change the salts immediately. With the keys in hand, an attacker who can also read and write your database no longer needs a password at all: they can mint login cookies that WordPress accepts. Rotating the keys makes every cookie and nonce computed with the old values invalid in one stroke.

It is also a good idea to update the salts and security keys if your site had malware at any point. A malware-infected site should be considered 100% compromised, and it is best to update all passwords for security. We recommend using MalCare for 1-click malware removal, and then straight on to changing the security keys from the same dashboard. 

How to change WordPress salts and security keys

As with all things WordPress, there are several ways to change the salts and security keys on your site. Using a security plugin is the easiest and most efficient option. 

Note: When salts and security keys are updated, all logged-in users will be logged out of their accounts. However, their usernames and passwords remain the same. 

Use MalCare [Recommended]

Update WordPress salts in a few steps with MalCare

1. Install and activate MalCare on your site. It will take a few minutes for the site sync to finish, but you can leave it and come back later. 

2. Go into Site Details, and look for the Security and Firewall section. Click on Review Security to proceed. 

MalCare security and firewall section

3. On the Security page, scroll down to Comprehensive Security, and click on Apply Hardening. 

Applying hardening using MalCare

4. Here, you need to scroll down to the Paranoid section. There, you will see an option to Change Security Keys. Select the checkbox, and click on Apply. 

Select Change Security keys option

5. Next, you will be prompted to enter your FTP details. Click on Continue.

Filling FTP details

6. Choose the root directory of your site where WordPress is installed. Generally, it is the public_html or public folder. 

7. Click on Apply Fix. And that’s it.

Why MalCare is the best option

Apart from easily changing the WordPress security keys, you get a whole host of other WordPress security features in one package. In terms of just login security, MalCare keeps out brute force attack bots, limits login attempts out of the box and protects your site from bad IPs with an advanced firewall. 

In addition, MalCare has a top-of-the-range malware scanner that is able to detect the most obscure and well-hidden malware on your site. If you were to find malware, removal is easy with a click of a button. 

Use the Salt Shaker plugin

The second way to update the WordPress authentication unique keys and salts is to install a plugin built for this one purpose. Unsurprisingly for the WordPress ecosystem, there is a plugin that does exactly this and nothing else: Salt Shaker.

The process of using Salt Shaker is very simple. 

1. Install and activate the plugin from the Plugins menu on wp-admin. 

Salt Shaker plugin

2. Salt Shaker will appear under the Tools menu on the left navigation bar. 

3. Click on Change now to update the salts. You can also set up a schedule to update the salts on a regular basis. 

Salt shaker settings

Edit the wp-config file manually

We typically advise against editing WordPress files by hand, because the smallest mistake can take the site down. wp-config.php is a particularly delicate one, because it also contains your database connection details, which the site needs to fetch content from the database on every page load.

That said, it is not a tall order. Cover your bases, and take a full site backup with BlogVault before making any changes. 

1. First, generate a fresh set of salts from the WordPress secret key generator at https://api.wordpress.org/secret-key/1.1/salt/. The plugins we covered earlier do this automatically, which is why this step does not appear in the other methods. Every time you visit the link or reload it, you get a new set of eight values.

WordPress salts and security keys

Note: Please do not store them anywhere else; you do not need them for anything once they are in wp-config.php. Also, do not make them up by hand. A phrase you type is far weaker than 64 characters from a cryptographically secure random generator, which is what the link above gives you.

2. Take a backup of your site. Yes, we’re mentioning it again because it really is that important. 

Backing up site using BlogVault

3. Connect to your site server using FTP, cPanel's File Manager, or SSH, and download the wp-config.php file.

wp-config.php file

4. Open the file in a text or code editor and scroll down to the section headed Authentication Unique Keys and Salts.

Authentication Unique Keys and Salts. 

5. Replace the eight define lines with the new ones from the generator, keeping everything else in the file exactly as it was, and save your changes.

6. Finally, reupload the file to your site server.
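
As an added example (not code from the original post, nor from MalCare or WordPress), here is the manual procedure above as a script: it backs up wp-config.php outside the web root, generates eight new 64-character values with Python's secrets module, which is a cryptographically secure generator of the same strength as the one behind api.wordpress.org, and rewrites only the eight define lines. The sample wp-config.php fragment at the bottom is constructed for the demo; the config path and backup directory are whatever you pass in, so it runs on the server over SSH or on a copy you downloaded over FTP.

```python
"""Added example: rotate the eight salt/key defines in wp-config.php with a script.
This is not WordPress or MalCare code. New values come from Python's secrets module
(a CSPRNG), the same strength as the api.wordpress.org generator's output."""
import re
import secrets
import shutil
import string
from pathlib import Path

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Character set modelled on wp_generate_password() with special characters enabled.
# It contains no quote or backslash, so a value is safe inside a PHP string literal.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()" + "-_ []{}<>~`+=,.;:/?|"

# Matches one define line, e.g.  define( 'AUTH_KEY', 'value' );  with either quote style.
DEFINE_RE = re.compile(
    r"""^(?P<head>\s*define\(\s*(?P<q1>['"])(?P<name>""" + "|".join(KEY_NAMES) +
    r""")(?P=q1)\s*,\s*(?P<q2>['"]))(?P<value>.*?)(?P<tail>(?P=q2)\s*\)\s*;.*)$""",
    re.MULTILINE,
)


def new_secret(length=64):
    """One 64-character secret, the length the WordPress generator produces."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def read_salts(text):
    """Return {name: value} for every key/salt define found in the config text."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}


def rotate_salts(text):
    """Replace every key/salt value; returns (new_text, rotated_names, missing_names)."""
    rotated = []

    def repl(m):
        rotated.append(m.group("name"))
        return m.group("head") + new_secret() + m.group("tail")

    new_text = DEFINE_RE.sub(repl, text)
    missing = [k for k in KEY_NAMES if k not in rotated]
    return new_text, rotated, missing


def rotate_file(config_path, backup_dir):
    """Rotate wp-config.php in place, keeping a copy OUTSIDE the web root.
    A wp-config.php.bak left next to the live file is served as plain text by many
    hosts, which would hand out the database password and the old keys."""
    config_path = Path(config_path)
    backup_dir = Path(backup_dir)
    text = config_path.read_text(encoding="utf-8")
    new_text, rotated, missing = rotate_salts(text)
    if missing:
        raise RuntimeError("not rotating: defines missing from config: " + ", ".join(missing))
    shutil.copy2(config_path, backup_dir / (config_path.name + ".bak"))
    config_path.write_text(new_text, encoding="utf-8")
    return rotated


# Constructed sample of the relevant part of a fresh wp-config.php (demo input).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    rotated_text, names, missing_names = rotate_salts(SAMPLE_CONFIG)
    print(rotated_text)
    print("rotated:", names, "missing:", missing_names)
```

If you have WP-CLI on the server, wp config shuffle-salts does the same job in one command. Either way, check the result by opening wp-admin afterwards: every existing session should have been ended, and a PHP error at this point means a quote was mangled, so restore the backup.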

When should you change WordPress security keys?

The most important time to change WordPress salts and security keys is after malware removal. Once the malware is cleaned, one of the steps to protect your site from reinfection is to change all user passwords and force a logout. Changing the salts and security keys is part of that process. 

Other than after a hack, make a point of changing the security keys and salts every 6 months or so, especially if you run a high-traffic site. This is a precaution: it costs nothing more than a forced re-login, and it caps how long a key that leaked without your noticing stays useful.

Conclusion 

Login and password security is critical for your WordPress site. Brute force bots, armed with cracked password lists and dictionary attacks, are getting more sophisticated by the day. Security keys and salts do not stop a password from being guessed, but they make sure that nobody can forge a login cookie or nonce without a secret that lives only in wp-config.php, and that rotating them ends every session at once.

In addition to changing WordPress salts regularly, consider investing in a security plugin. MalCare is a best-in-class security plugin, with an integrated firewall custom-built for WordPress, a top-notch malware scanner, and the easiest malware removal tool ever. With these 3 levels of security, your WordPress site has the best chance of keeping hackers at bay.

FAQs

What are WordPress salts and security keys?

WordPress manages login sessions by storing the information in cookies instead of using PHP sessions. Each cookie carries the username, an expiry time and a session token, followed by a keyed hash (HMAC) of those values and a fragment of the stored password hash. The long, random strings used as the key for that hash are the WordPress security keys. They are configured in the wp-config.php file. When a fresh WordPress site is set up, the security keys look like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Why should you set WordPress salts on your site?

WordPress salt keys play a big role in securing the cookies of a site. If you leave the placeholders in place, WordPress generates random keys of its own and keeps them in the database, which means anyone who gets a copy of the database has the keys too. Hence, while setting up a new site, it is recommended that the above default WP salt keys are replaced with randomly generated ones. The keys should be long (64 characters from the generator) and random to be effective.

How to generate random values for WordPress security keys?

The keys can be randomly generated by visiting the following link: https://api.wordpress.org/secret-key/1.1/salt/

Copy the eight lines shown there and paste them over the existing eight define lines in your wp-config.php file.

What if I don’t set random WordPress security keys?

If the placeholders are left in place, WordPress will generate its own random keys the first time it needs them and store them in the options table in the database. This works, but it means the keys sit next to the data they are meant to protect, so a database-only breach exposes them. If the keys are placed in the wp-config.php file at a later point, WordPress uses those and ignores the values in the database.

If WordPress auto-generates salts, then why do it manually?

Defining your own secret keys in wp-config.php is better for security. The login cookie hash is derived from the secret keys together with a fragment of the password hash, and the password hash is stored in the database. Consider a situation where an attacker can read and write the contents of your database but not the files. If the keys live in the database too, the attacker has everything needed to forge a login cookie and get full access to your site.

By storing the secret keys in the wp-config.php file instead, the attacker needs both the database and the files to gain admin access. Hence, it is good practice to keep the keys in the config file.

Do I have to remember WordPress salt keys?

No, once you place them in the wp-config.php file, you do not need to remember them any more. You can change these values at any time; the only visible effect is that every user is logged out and has to log in again.

What happens if you change WordPress salt keys? Is it safe? Will it reset your passwords?

It is perfectly safe to change WordPress salts. They can be changed by replacing the existing values in the wp-config.php file with a newly generated set. When the keys are changed, all existing cookies become invalid: every login session ends, and users need to log in again.

Changing the security keys will not affect the user passwords in any way.

Why should you change WordPress salts when your site gets hacked?

When a site gets hacked, all data within the site should be considered compromised. One of the first recommendations is to change all passwords. However, as explained above, the security keys matter just as much. If the attacker copied the security keys, changing passwords is not enough: with the keys and a foothold in the database, they can keep forging valid login cookies without knowing any password.

Hence, it is important to change the security keys along with the passwords when a site gets hacked.