It is a nightmare to wake up to a defaced website. The negative publicity, the legal implications, the loss of trust, the loss of money, are but a few of the pains associated with a compromised website. As a website owner, therefore, it is essential to play offense and when need defense to protect your website. With this article, you will learn all you need to protect your site with WordPress Salts and security keys.

Sucuri, one of the leading security firms in the World, released a report titled “Website hack trend 2018”, which shared details of their work on 25,466 infected websites and 4,426,795 cleaned files in 2018.

In the report, WordPress shoots skyscraper-high over other Content Management Systems as the most infected platform.

Infected websites platform distribution

It is clearly understandable why WordPress is a prize for hackers. It powers 35% of the websites on the internet today, compare that to the number two – Magento that is used by 1.5%.

With WordPress salts and security keys, you can protect your website from hack attempts.

What Are WordPress Salts And Security Keys?

A WordPress Security key is random text added to a password making it humanly impossible for some one to guess a password.

While a WordPress Salt key is a random text used to hash the security keys, thus tightening the security of the security keys. They are created using the security keys.

Security keys play an important rule, especially when it comes to cookies – those tiny-bits of code stored in a browser to track user interaction with a website.

WordPress uses two cookies to monitor user authentication on a website:

  • wordpress_logged_in_[hash]
  • wordpress_[hash]

The first cookie, wordpress_logged_in_[hash] is used sitewide to see if a visitor is logged in or not.

The second, wordpress_logged_in_[hash], is created when a user logins in – it is used in only the WordPress admin pages.

These cookies contain user biodata including passwords, ideally implying that all a hacker needs is access to the cookies either in the database or on the user’s browser. If the password is saved in plain text, then the hacker would have hit a jackpot.

To avoid that, WordPress uses the security keys to encrypt the passwords stored in the cookies on a user browser and passwords saved in the database.

This way WordPress Salt and security keys protect the logged in users and commenters by ensuring passwords are hashed.

The WordPress salts and security keys are found in the wp-config.php file located in the root of the public directory of your website.

It has four security keys (highlighted) and four salt keys.

WordPress security keys and salt keys

On a fresh copy of the WordPress files, the wp-config.php file does not have any salt keys.

Enter WordPress security keys and salt keys in wp-config file

Making sense of the security keys.

  • AUTH_KEY – used for signing cookies on non-SSL connections.
  • SECURE_AUTH_KEY – creates a cookie for an authenticated user.
  • LOGGED_IN_KEY – used to create a cookie for a logged-in user.
  • NONCE_KEY – used to sign the nonce key– an arbitrary number that can be used just once in a cryptographic communication. It used in WordPress to make it harder for a password to crack.

The salt keys, on the other hand, hash or secure their security key counterparts. That is; AUTH_SALT vs AUTH_KEY, SECURE_AUTH_SALT vs SECURE_AUTH_KEY, LOGGED_IN_SALT vs LOGGED_IN_KEY, and NONCE_SALT vs NONCE_KEY.

How to Create or Change WordPress Salt And Security Keys?

Note that changing the WordPress Salt and Security keys invalidate all existing cookies, forcing everyone to login again.

Besides that, it changing WordPress salt and security keys are painless.

Manually create or change WordPress Salt and security keys

You can create a 60+ character of random text or phrase or use the WordPress key generator, then add it to the wp-config.php file.

The wp-config.php file is found in the public_html folder for cPanel.

Edit the file, and don’t forget to save your changes.

Alternatively, you can use a WordPress security plugin, so you don’t need to mess with code.

Use a plugin to create or change WordPress Salt and security keys

iThemes Security – formerly, Better WordPress security, is a plugin I use on almost all my client sites. It is a no-nonsense, a must-have plugin that hardens a WordPress website in 30 different ways. One of those ways is updating WordPress Salt and security keys.

First things first. Install and activate the iThemes security plugin on your WordPress website.

Once it is activated, on the left menu, click Security, then search for salts. Click Configure Settings if you are not automatically given the option to configure the Salt settings.

Add or manage the WordPress Salts and Security keys using iThemes Security plugin

Now click the checkbox to Change WordPress Salts. Then save your settings.

Change WordPress Salts

That’s about it. Remember that you and everyone else logged in will be logged out.


A hack looms if you slack at protecting your website.

Do yourself a favor and stay vigilant. If you think your site has been compromised, change the WordPress Salts and Security Keys. If it is a new website, add WordPress Salts and Security Keys.

That’s one of the may ways to secure your website, and avoid being a statistic.

Furthermore, make sure you always have a updated copy of your website and store it somewhere offsite.