WordPress salts are a crucial part of the WordPress security ecosystem. While they do not get the same recognition as other components, such as firewalls, without them WordPress would be left open to all sorts of attacks. This is why it’s so important to understand what they are, how to manage them, and how to use a WordPress salt generator should you need new salts.
In this article, we will explore everything there is to know about WordPress salts and generators, helping you ensure you can make the most out of this feature that is so important to WordPress security.
Table of contents
- What are WordPress salts?
- How WordPress salts work
- WordPress salts and keys
- Where to find your WordPress salts
- When to update your WordPress salts and keys
- How to use a WordPress salt generator
What are WordPress salts?
WordPress salts, and the associated security keys, are cryptographic tools used to hash data. They are also known as WordPress security keys. One notable example of how they are used on a website is the hashing of passwords stored in cookies. Salts make it much harder for hackers to steal user passwords. This makes salts an integral part of WordPress security. While this system is not perfect, it provides adequate protection in most cases.
We’ll break all of this (and more) down in the following sections, so continue reading to learn more about WordPress salts.
How WordPress salts work
WordPress is what is known as a stateless system. This means that it does not maintain user sessions on the server the way some other applications do. Instead, it relies on browser cookies to keep users ‘logged in.’ As such, once you’ve logged in with your username and password (and 2FA if you’re serious about WordPress security), WordPress sets a cookie that is sent to your browser. As long as you have that cookie and its conditions are met, you remain ‘logged in.’
For WordPress to recognize you, this cookie has to be sent to WordPress every time you interact with the website, so you are essentially authenticating yourself on every request. To keep that data as safe as possible, WordPress hashes the password-derived value stored in the cookie rather than storing it in the clear. This is where salts come in.
While going into the ins and outs of WordPress cookies is beyond the remit of this article, it is worth taking a quick detour to discuss how salts relate to cookies.
As a reminder, cookies are text files stored in WordPress users’ browsers that tell WordPress important information, such as whether the user is logged in and who they are.
- wordpress_logged_in_[hash] – This cookie is used to tell WordPress whether you are logged in or not. This cookie is hashed with the LOGGED_IN_KEY key and LOGGED_IN_SALT salt. We will discuss these in more detail in the next section.
- wordpress_[hash] – This cookie is used in the admin pages and allows you to make changes to the WordPress website. This cookie is hashed with the SECURE_AUTH_KEY key and SECURE_AUTH_SALT salt if you’re using SSL/TLS, or the AUTH_KEY key and AUTH_SALT salt if you’re not using SSL/TLS.
Salted cookies are the best cookies
In a nutshell, salts are used to hash sensitive information, such as your login details in the cookie. As such, if the cookie gets stolen, the password will be next to impossible to read.
It’s important to note that salts and keys only work with the default WordPress browser sessions. If you’re using PHP sessions, which, for a variety of reasons, is not recommended, the session data will not be hashed using the WordPress salts.
We mentioned earlier that this is not a perfect system. If a cookie gets stolen, whoever has the cookie can hijack the session and interact with the WordPress website as if they are you. Indeed, from WordPress’ point of view, they would be you.
Salts and keys are automatically generated during WordPress installation; however, they can be changed at any point. We’ll discuss where to find them and how to change them.
WordPress salts and keys
Each salt has a corresponding key, and both are required for the data hashing to take place. In reality, the keys are used to hash the data, and the salts add a second layer of hashing to ensure the data is extra safe.
Salts were introduced in WordPress 3.0, while different keys were introduced in different WordPress versions. Below is a list highlighting when each key and salt was introduced:
- WordPress 2.6: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY
- WordPress 2.7: NONCE_KEY
- WordPress 3.0: AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT
There are four different salt/key pairs in total, and each pair serves a different function. Let’s look at each pair in a little more detail so that we can get a better understanding of what they actually do.
The four different pairs
Here are the four different key and salt pairs in use by WordPress.
- AUTH_KEY and AUTH_SALT – This key and salt pair is used, together with the LOGGED_IN_KEY and LOGGED_IN_SALT, to authorize you to make changes to WordPress (when not using SSL/TLS).
- SECURE_AUTH_KEY and SECURE_AUTH_SALT – If you log in to the WordPress admin area using SSL/TLS, this key and salt pair is used to sign your authorization cookie, which allows you to make changes to the website.
- LOGGED_IN_KEY and LOGGED_IN_SALT – The LOGGED_IN key and salt are used to create and sign the cookie for a user who is logged in.
- NONCE_KEY and NONCE_SALT – Nonces are a very interesting aspect of WordPress security. Nonces are keys that are added to the submit URL, protecting the website from attacks such as CSRF (Cross-Site Request Forgery).
Where to find your WordPress salts
Salts and keys live in the WordPress wp-config.php file. You can access the file through SSH or FTP/SFTP, depending on your WordPress hosting provider. Some providers may even offer their own custom backend file manager with access to the configuration file.
You’ll find the wp-config.php file in the root directory of your WordPress website. Salts and keys are typically defined within the first section of the wp-config.php file, right after the database credentials, unless you moved the database credentials out of your wp-config.php file.
When to update your WordPress salts and keys
Generally speaking, there is never a need to change your WordPress salts and keys. If there has been a security breach, however, changing them is a very good idea.
You may also choose to change them as a preventative security measure rather than out of any particular need. Just like regularly changing your password, changing your salts and keys can keep you one step ahead of malicious actors.
Do note that updating to new salts and keys will terminate all active sessions since this would invalidate all active cookies. Logged-in users will be logged out. Users will be able to log back in with their username, password, and 2FA just fine, so this is nothing to worry about but something you should be aware of.
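To make the cookie signing described under “How WordPress salts work” and the session-invalidation point above concrete, here is an added Python model (a simplified illustration, not WordPress core’s own cookie code): the key and its salt together form the HMAC secret, a stolen but unmodified cookie still verifies, a tampered one does not, and rotating the salt alone rejects every cookie issued before the change. All key, salt and cookie values are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for LOGGED_IN_KEY / LOGGED_IN_SALT in wp-config.php (not real secrets).
LOGGED_IN_KEY = "constructed-key-0123456789abcdef"
LOGGED_IN_SALT = "constructed-salt-fedcba9876543210"


def signing_secret(key: str, salt: str) -> bytes:
    """Key and salt are combined into one HMAC secret: the key is the
    primary secret, the salt the second layer the article describes."""
    return (key + salt).encode()


def issue_cookie(username: str, expiration: int, key: str, salt: str) -> str:
    """Build 'username|expiration|mac'. Nothing secret is stored in the
    cookie; the MAC simply cannot be produced without key+salt."""
    payload = f"{username}|{expiration}"
    mac = hmac.new(signing_secret(key, salt), payload.encode(), hashlib.sha256)
    return f"{payload}|{mac.hexdigest()}"


def verify_cookie(cookie: str, now: int, key: str, salt: str) -> bool:
    """Accept only a well-formed, unexpired cookie whose MAC matches under
    the key and salt currently configured."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    username, expiration, mac = parts
    if not expiration.isdigit() or int(expiration) < now:
        return False
    expected = hmac.new(signing_secret(key, salt),
                        f"{username}|{expiration}".encode(), hashlib.sha256)
    # Constant-time compare so a forger learns nothing from timing.
    return hmac.compare_digest(mac, expected.hexdigest())


def demo(now: int = 1_900_000_000) -> dict:
    cookie = issue_cookie("alice", 2_000_000_000, LOGGED_IN_KEY, LOGGED_IN_SALT)
    forged = cookie.replace("alice", "admin", 1)      # tampered username
    rotated_salt = "constructed-salt-after-rotation"  # new LOGGED_IN_SALT
    return {
        # a stolen but unmodified cookie still verifies: the hijack risk the article notes
        "stolen_copy": verify_cookie(cookie, now, LOGGED_IN_KEY, LOGGED_IN_SALT),
        "forged": verify_cookie(forged, now, LOGGED_IN_KEY, LOGGED_IN_SALT),
        # rotating only the salt invalidates every existing cookie
        "after_rotation": verify_cookie(cookie, now, LOGGED_IN_KEY, rotated_salt),
        "expired": verify_cookie(cookie, 2_100_000_000, LOGGED_IN_KEY, LOGGED_IN_SALT),
    }
```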
How to use a WordPress salt generator
You can update the salts and keys of your WordPress sites in one of two ways – manually or by using a plugin.
In most cases, a plugin will generate and replace the salts for you. It only requires access to the WordPress admin area, making it the easiest of the two. The manual method is slightly more hands-on; however, even a not-so-technical person can get it done.
Do note that if you choose to change salts manually but have never done this before, using a testing environment first might be a good idea. This will allow you to gain confidence without risking breaking your site.
Using a plugin
The easiest way to change your WordPress salts is by using a plugin. The Salt Shaker plugin is perhaps the best-known plugin for replacing your WordPress salt keys, with added features such as scheduled changes.
To change the salt keys at any point, simply click the Change Now button located in the Immediate Change section. This will update all salts straight away. Any logged-in users will need to log back in once the salts are updated.
If you do not want to use a plugin to update the salts, you can do so manually. Luckily, WordPress.org offers a key generator that outputs random strings for every salt and secret key in the site’s wp-config.php file. To manually change the salts on your WordPress website:
- Navigate to the WordPress salts generator (provided by WordPress)
- Open the wp-config.php file. (You can access the file through FTP/SFTP or SSH, so you’ll need to make sure you have the right login information. The file is plain text, so you can enter the new keys using a simple text editor such as Notepad or Vim.)
- Copy the salts produced by the generator and overwrite the corresponding define lines in wp-config.php.
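The manual steps above as an added Python helper (not the generator’s or WordPress’s own code): it applies the generator’s output to wp-config.php while leaving every other line, such as the database credentials, untouched, and it refuses a generator response that lacks any of the eight defines rather than half-applying it. The wp-config.php contents and generator output below are constructed samples.

```python
import re

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Constructed stand-in for a site's wp-config.php: a DB credential, the eight
# key/salt defines, then the table prefix. Not a real file; values are fake.
WP_CONFIG = ("<?php\ndefine( 'DB_PASSWORD', 'example-db-password' );\n"
             + "".join(f"define( '{n}', 'old-{n.lower()}' );\n" for n in SALT_NAMES)
             + "$table_prefix = 'wp_';\n")

# Constructed stand-in for the generator's output (real values are long random strings).
GENERATOR_OUTPUT = "".join(f"define('{n}', 'new-{n.lower()}');\n" for n in SALT_NAMES)

# Matches define('NAME', 'value'); with or without the extra spacing WordPress uses.
DEFINE_RE = re.compile(r"^\s*define\(\s*'([A-Z_]+)'\s*,\s*'(.*)'\s*\)\s*;\s*$")


def parse_defines(text: str) -> dict:
    """Map constant name -> value for every define() line in text."""
    found = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def rotate_salts(config: str, generator_output: str) -> str:
    """Return config with only the eight key/salt defines swapped for the
    generator's values; DB credentials and everything else stay as they are.
    Refuses to proceed if the generator output is incomplete, so a partly
    rotated file is never written back."""
    new = parse_defines(generator_output)
    missing = [n for n in SALT_NAMES if n not in new]
    if missing:
        raise ValueError(f"generator output is missing {missing}")
    out = []
    for line in config.splitlines(keepends=True):
        m = DEFINE_RE.match(line)
        if m and m.group(1) in SALT_NAMES:
            line = f"define( '{m.group(1)}', '{new[m.group(1)]}' );\n"
        out.append(line)
    return "".join(out)
```

In practice, read your wp-config.php into `config`, keep a backup copy, and write the returned text back; every logged-in user is signed out as soon as the file is saved.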
WordPress salts are primarily used to hash browser cookies, which are essential for users to log in to WordPress. This makes them essential to the overall security of the site. Changing the salts can prevent security incidents and help you recover from certain breaches, such as those that happen through a cross-site scripting (XSS) attack.
Do remember that salts play but a part in the larger WordPress security ecosystem. As such, it remains important to keep an eye on what’s happening on your WordPress sites. One way you can accomplish this is by installing WP Activity Log, which tracks and logs user and system activity on your WordPress websites.
The plugin offers a ton of additional functionality to help you ensure you’re always in the loop, including email and SMS notifications, a nifty user session module, and much more.
Get started with a free WP Activity Log 14-day trial.