What Are SALT Keys and How Do You Change Them?

When it comes to website security, your login page is one of your first lines of defense. Most people (and bots) who try and break into your site will do so through this one page.

The strength of your password is the number-one factor that determines what kind of defense your login page puts up. Stronger passwords are harder for attackers to crack. Plus, you can further protect your password from hackers by using SALT keys. 

In this article, we’ll discuss what SALT keys are and why you should use them on your WordPress site. We’ll then show you how to generate new SALT keys, both manually and by using a plugin. Let’s get started!

What are SALT Keys in WordPress?

SALT keys are a cryptographic tool used to secure your website’s login page by ‘hashing’ your password. This scrambles the password into a meaningless string of characters that’s even harder for attackers to crack.

WordPress comes with salt keys by default, and they are located in your site’s wp-config.php file. These salts are random strings of data that protect the four security keys WordPress uses. 

Why Use SALT Keys in WordPress?

When you log in to WordPress, you have the option to remain logged in long-term. To achieve this, WordPress stores your login data in cookies instead of in a PHP session. Malicious individuals can hijack your cookies through various means, leaving your website vulnerable. 

To make it harder for attackers to use cookie data, you can take advantage of SALT keys. WordPress SALT keys encrypt your password, making it harder to guess. What’s more, it’s next to impossible for hackers to simply ‘unscramble’ the result in order to get at the original password.

How Do I Change My SALT Keys?

While SALT keys make passwords harder to crack, they are not invincible. This is why you should change your SALT keys periodically, making it even harder for attackers to break them. To change your website’s SALT keys, you can use a plugin or a manual method.

How to Generate New SALT Keys: 2 Methods

To change your SALT keys, you’ll need to generate new keys first. The easiest method is to use a plugin, but you can also generate salts manually. Below, we’ll look at both techniques.

Method 1: Using a Plugin

Step 1: Download the Plugin

Salt Shaker is a free WordPress plugin that enables you to automatically generate and change WordPress salt keys:

You can download and activate the plugin via the WordPress Plugin Directory, or in your dashboard’s Plugins page.

Step 2: Enable Automatic SALT Changes

After activating the plugin, navigate to Tools > Salt Shaker, where you will find all of its settings:

You will need to check the box to automate SALT key generation and changes.

Step 3: Select the Change Frequency

After enabling automatic SALT changes, you’ll need to choose their frequency. Using the drop-down menu, select how often you want the SALT keys to update: 

The frequency you choose will depend on your website’s needs. The more sensitive data you handle, the more often you’ll want your salt keys to change. However, daily changes are generally considered overkill for most websites.  

Step 4: Save Your Changes

After choosing your frequency, click on the Change Now button. This will save your settings and start the automated process.

To change your SALT keys only once, you should first deselect the checkbox. You can then hit  the Change Now button.

Method 2: Manually Changing Your Keys

Step 1: Navigate to the SALT keys API

If you don’t want to use a plugin, you can manually generate and change your SALT keys instead. To do this, you’ll use the WordPress SALT keys API to generate new keys for your website:

All the keys you need will be automatically generated. You’ll just need to replace them in the wp-config.php file. You can copy the entire generated code, or copy each key individually.

Step 2: Open Your wp-config.php File

To replace your SALT keys, you will need to open the wp-config.php file for your website. Remember to back up your site before doing this, and use a staging environment.

You can use a File Transfer Protocol (FTP) client to navigate to the root directory of your website, and locate wp-config.php. When opening the file, you should use the View/Edit option in your FTP client. 

Step 3: Replace the SALT Keys

After opening your wp-config.php file, you’ll need to locate the “Authentication Unique Keys and Salts” section:

The SALT keys in the file are your current ones, and you need to replace them with your newly-generated keys. When pasting in the new keys, be careful to not change any other parts of this file. 

Step 4: Save Your Changes

After replacing the SALT keys, you’ll need to save your changes to the file and close it. Your FTP client will generally ask if you want to replace your existing file with the new version. Choose “Yes”, and you’re all done.

How often should I change my SALT Keys?

WordPress SALT keys add an extra layer of protection to your passwords, but attackers can crack them given enough time. You can halt any progress they have made by changing your salt keys periodically.

The frequency of this change will vary depending on the traffic to your website. Daily and weekly changes are generally considered too frequent for most websites. On the other hand, biannual or annual changes may be too infrequent if you have a high-traffic website. The sweet spot is to change your SALT keys every month or quarter.

Keep Your Site Safe With WP Engine

WordPress SALT keys are an invaluable addition to your website. However, they are not invincible, and changing them provides you with the best protection. You can change these keys manually using the WordPress SecretKeys API, or with a plugin like Salt Shaker.

You can also boost the security of your website by using the right web host. This leaves you with more time to focus on website development. WP Engine can offer you this advantage and more. Check out our plans and resources if you want to create an excellent digital experience!

Get started.

Build faster, protect your brand, and grow your business with a WordPress platform built to power remarkable online experiences.