When it comes to protecting your WordPress website, the login screen is an important line of defense. A significant part of this is making sure your password is secure, which makes it far less likely that attackers will be able to crack it and gain access.
WordPress uses something called ‘salt’ keys to protect your passwords. These keys keep your stored passwords safe, so attackers can’t use them even if they gain access to your data. In this article, we’re going to talk about what salt keys are and how WordPress uses them. We’ll then teach you two ways to change yours, including using the Salt Shaker plugin.
Let’s get to work!
What Salt Keys Are (And How They Work in WordPress)

WordPress salt keys help protect your password from attackers.
Salt keys are cryptographic elements used to ‘hash’ data in order to secure it. In fact, most serious platforms and systems use similar mechanisms to protect sensitive data. The process works by using the salt keys when your password is hashed as you save it in WordPress. This way, attackers can’t see your passwords in plaintext even if they somehow gain access to your database.
Salt keys are also used to sign your website’s cookies. This stops malicious actors from gaining access even if they manage to steal your cookies. All of this happens in the background, and there are zero reasons why you’d ever need to share your WordPress salt keys with a third party. If someone were to get their hands on them, they might be able to use them to attack your passwords and break into your website.
For this reason, we recommend you change your WordPress salt keys from time to time to mitigate risk. However, WordPress doesn’t include any features that enable you to do this out of the box, which means you need to know how to do it on your own. Let’s take a look at how you can do this now.
How to Change Your WordPress Salt Keys (And Why You Should)
How often you change your WordPress salt keys depends on you. Once or twice every year should be more than enough to keep things safe. However, if you want to be extra careful, you might want to change your keys every couple of months. It’s important to note that every time your salt keys are changed, all user accounts will be logged out, including your own. This can be a minor hassle, but it helps protect you in case an account has been compromised through its cookies.
We’re now going to show you two methods you could use to update your salt keys. You can either do it manually by editing a WordPress core file, or use a plugin to automate the process. Either way, we recommend that you create a backup of your site beforehand, just in case.
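To make the cookie-signing role of the salts concrete, and to show why every rotation logs all users out, here is a toy model written for this article; it is not code from WordPress core. WordPress’s real auth cookie (produced by wp_generate_auth_cookie()) is more involved, but the principle is the same: the cookie is signed with a secret derived from a key/salt pair, so a cookie signed under the old pair fails verification as soon as the pair changes. The secret names, the `username|expires` layout and the constructed timestamps are assumptions of this example.

```python
"""Simplified model of salted cookie signing and the effect of rotating the salts.

Added example, not WordPress code: the real implementation differs in detail,
but the structure (HMAC over the cookie payload, keyed by AUTH_KEY + AUTH_SALT)
is the same idea.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def derive_key(auth_key: str, auth_salt: str) -> bytes:
    """Combine a key and its salt into the HMAC secret (simplified model)."""
    return (auth_key + auth_salt).encode()


def make_cookie(username: str, expires: int, auth_key: str, auth_salt: str) -> str:
    """Return 'username|expires|signature'; the signature covers both fields."""
    payload = f"{username}|{expires}"
    sig = hmac.new(derive_key(auth_key, auth_salt), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def validate_cookie(cookie: str, auth_key: str, auth_salt: str, now: int) -> Optional[str]:
    """Return the username if the cookie is intact, unexpired and signed with
    these secrets; otherwise None (the user is treated as logged out)."""
    try:
        # rsplit from the right so a '|' inside the username cannot shift the fields
        username, expires_str, sig = cookie.rsplit("|", 2)
        expires = int(expires_str)
    except ValueError:
        return None
    if expires < now:
        return None
    expected = hmac.new(
        derive_key(auth_key, auth_salt), f"{username}|{expires_str}".encode(), hashlib.sha256
    ).hexdigest()
    # constant-time comparison, so the check leaks nothing about the expected value
    if not hmac.compare_digest(sig, expected):
        return None
    return username


def new_secret(length: int = 64) -> str:
    """Generate a fresh random secret, as a salt rotation would."""
    return secrets.token_urlsafe(length)


def rotation_demo() -> dict:
    """Issue a cookie under one key/salt pair, then rotate the pair: the same
    cookie validates before the rotation and is rejected afterwards."""
    old_key, old_salt = new_secret(), new_secret()
    # constructed timestamps: the cookie is valid until well after 'now'
    cookie = make_cookie("alice", expires=2_000_000_000, auth_key=old_key, auth_salt=old_salt)
    before = validate_cookie(cookie, old_key, old_salt, now=1_700_000_000)
    new_key, new_salt = new_secret(), new_secret()
    after = validate_cookie(cookie, new_key, new_salt, now=1_700_000_000)
    return {"before_rotation": before, "after_rotation": after}


if __name__ == "__main__":
    print(rotation_demo())
```

Running the script prints the username before the rotation and `None` after it: nothing about the cookie itself changed, but the server can no longer reproduce its signature, which is exactly the forced re-login the article describes.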
Change Your Salt Keys Manually
WordPress stores your salt keys as strings of numbers, letters, and symbols within the wp-config.php file. To change them manually, you’ll need to update them in this file. To do this, you’ll need to log into your website via FTP, using a client such as FileZilla. Once you’re in, navigate to your WordPress root folder, which is usually named public_html, www, or the same as your website:
Inside this folder, you’ll find the wp-config.php file. Right-click on it and choose the option that says View/Edit. This will download a copy of the file to your computer and open it using your default text editor. Use your text editor’s search feature to locate the line that reads ‘Authentication Unique Keys and Salts’, as seen below:
There are some instructions in the form of comments on how to update your keys at the top. Right below, you’ll find eight lines containing your security keys and salts. To replace them, you’ll need to generate a new set of keys, which you can do through the WordPress API. Just visit this link and the platform will generate a new set of unique keys you can use, like this:
All you have to do now is take your new keys and replace your existing ones within the wp-config.php file. You can either copy and paste the keys one by one, or replace the entire section. If you do this correctly, your website’s functionality won’t be affected by this change. The only change you’ll notice is that you’ll need to log into your account again once you update your salts, as will all your users.
Once you’ve replaced your keys, save the changes to the wp-config.php file and close it. FileZilla will now ask you if you want to replace your existing wp-config.php file with the version you just edited. Choose the Yes option, after which you can go right ahead and log back into your website.
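The manual procedure above (back up, locate the eight define() lines, swap in new values, save) can be scripted so that only those eight lines change and nothing else in wp-config.php is touched. The following is an added example written for this article, not the article’s own code and not part of WordPress: it generates the new values locally with Python’s `secrets` module instead of fetching them from the WordPress.org generator the article links to, keeps a `.bak` copy of the file first, and refuses to write anything if one of the eight names cannot be found. The sample configuration embedded in it is constructed for illustration.

```python
"""Rotate the eight WordPress security keys and salts in wp-config.php.

Added example, not WordPress code. New values are generated locally; the
article's manual method pastes values from the WordPress.org generator instead.
"""
import re
import secrets
import shutil
import string
import sys
from pathlib import Path

# The eight constants WordPress defines in wp-config.php.
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII without whitespace, quotes, backslash or '$', so a value can
# sit inside a PHP string literal (single- or double-quoted) without escaping.
ALPHABET = "".join(c for c in string.printable[:94] if c not in "'\"\\$")

# One define(...) line: prefix (up to the value), the quoted value, suffix.
DEFINE_RE = re.compile(
    r"""^(?P<prefix>[ \t]*define\s*\(\s*(?P<q1>['"])(?P<name>[A-Z_]+)(?P=q1)\s*,\s*)"""
    r"""(?P<q2>['"])(?P<value>[^'"]*)(?P=q2)"""
    r"""(?P<suffix>\s*\)\s*;.*)$""",
    re.MULTILINE,
)

# Constructed sample of the relevant part of a wp-config.php, for demonstration.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
/**#@+
 * Authentication Unique Keys and Salts.
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    "put your unique phrase here");
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def generate_salt(length: int = 64) -> str:
    """Return a cryptographically random value safe to embed in a PHP string."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_config(config_text: str, new_values: dict) -> str:
    """Replace the value of every define() named in new_values; leave all other
    lines byte-for-byte unchanged. Raise if any requested name is missing, so
    a partially rotated file is never produced."""
    seen = set()

    def repl(match: re.Match) -> str:
        name = match.group("name")
        if name not in new_values:
            return match.group(0)  # e.g. DB_NAME: not ours, keep as is
        seen.add(name)
        return f"{match.group('prefix')}'{new_values[name]}'{match.group('suffix')}"

    rotated = DEFINE_RE.sub(repl, config_text)
    missing = set(new_values) - seen
    if missing:
        raise ValueError(f"keys not found in config: {sorted(missing)}")
    return rotated


def rotate_file(path: Path) -> dict:
    """Back up wp-config.php, write fresh salts into it, return the new values."""
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))  # backup first
    new_values = {name: generate_salt() for name in SALT_NAMES}
    path.write_text(rotate_config(path.read_text(), new_values))
    return new_values


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "wp-config.php")
    rotate_file(target)
    print(f"rotated {len(SALT_NAMES)} keys in {target}; backup at {target}.bak")
```

Run it as `python rotate_salts.py /path/to/wp-config.php` after downloading the file, then upload the result as in the FileZilla step. As with the manual method, every user, including you, is logged out the moment the new file is in place.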
Use the Salt Shaker Plugin
The Salt Shaker plugin can help you simplify the process even further. With this plugin, you can automate the entire process of changing your salt keys. Furthermore, the plugin even enables you to schedule automatic changes to your salt keys on a regular basis.
To use the plugin, you’ll need to install and activate it first. Once that’s done, a new Salt Shaker option will show up in your dashboard under the Settings tab. Inside, you’ll find two options. The first of these enables you to schedule changes to your WordPress salt keys. You can choose to switch them daily, weekly, or monthly:
In most cases, daily changes are overkill since you’d be forcing all your users to log out. As such, we only recommend daily changes if your website isn’t open for registration and you want it to be as secure as possible. For regular scenarios, we think monthly changes are the best option.
Once you set your schedule, the plugin will automatically update your salt keys at the set interval. If you don’t want to automate the process, or if you want to change them right away, you can instead click on the Change Now button.
This will immediately change your salt keys, after which WordPress will prompt you to log back in. As with the manual method, you won’t notice any difference after doing this and you’ll be able to use your dashboard as normal.
Conclusion
Storing passwords in plaintext is always a bad idea, and that’s where salt keys come in. WordPress uses unique salt keys to secure your passwords, which stops attackers from accessing your passwords even if they were to gain access to your database. You can ensure that these are even more secure by changing them regularly.
There are two ways you can go about changing your WordPress salt keys:
- Change your keys manually by modifying your wp-config.php file.
- Use the Salt Shaker plugin.
Do you have any questions about how to update your WordPress salt keys? Let’s talk about them in the comments section below!
Article image thumbnail by Sin314 / shutterstock.com
Please explain why I need to change my salts?
If I have very secured passwords, then changing them does what exactly? If I don’t, then that is the issue.
If you are telling me someone is hammering my system for years trying to crack the pass, then the need is for monitoring.
G%7_2fVh#*5{ brute force medium sized botnet 2 thousand years
I don’t change the locks on my house or car yearly, so why my website?
It’s too bad that you can’t set it to run at a certain time of day. It would be nice to know that it doesn’t stand the risk of knocking a client offline while they’re in the middle of making edits/updates.
I’d seen mentions of it in the iThemes Security plugin as well, with the option of changing them in there. Now that I know what they’re used for I’m more confident to change them from within their plugin rather than install another one like Salt Shaker. Thanks for the article.
Did anybody make sure there is no backdoor for NSA and the like?
The NSA backdoor nowadays is inside your CPU and is called “Spectre” and “Meltdown”, or at least “UEFI-BIOS”.
Excellent article. I haven’t heard about Salt keys in security articles for a very long time, and it was good to be reminded of this WordPress feature and the need to periodically change them. I didn’t know about the plug-in, so thanks.
Great article! Very informative. I’m going to give the plugin a shot for all my clients. Thanks, John!