Chapter 6: What, Why & How of WP Salts & Security Keys

When it comes to protecting your WordPress website, the login screen is an important line of defense.

A significant part of this is making sure your password is secure, which makes it far less likely that attackers will be able to crack it and gain access.

Despite the measures you take to implement good login practices, leaving your site’s security to users is not a good idea.

This is why WordPress uses a set of security keys or secret keys.

Let’s find out about them…

6.1 What Are WordPress Security Keys & Salts?

WordPress security keys are a set of random values that strengthen the encryption of the information stored in the user’s login cookies.

There are a total of four security keys:

  • AUTH_KEY
  • SECURE_AUTH_KEY
  • LOGGED_IN_KEY
  • NONCE_KEY

Salt keys are cryptographic elements used to ‘hash’ data in order to secure it.

In fact, most serious platforms and systems use similar mechanisms to protect sensitive data.

The process works by using the salt keys to encrypt your password when you save it in WordPress.

This way, attackers can’t see your passwords in plaintext even if they somehow gain access to your database.

Salt keys are also used to sign your website’s cookies.

This stops malicious actors from being able to gain access even if they can take over your cookies.

All of this happens in the background, and there are zero reasons why you’d ever need to share your WordPress salt keys with a third party.

If someone were to get their hands on them, they might be able to use them to access your passwords and compromise your website.

You can find both WP salts and security keys in the wp-config.php file.

WordPress generates four security keys and salts in the wp-config.php file.

After a fresh WordPress install, this is how the WordPress secret keys and salts look:

  • define('AUTH_KEY', 'put your unique phrase here');
  • define('SECURE_AUTH_KEY', 'put your unique phrase here');
  • define('LOGGED_IN_KEY', 'put your unique phrase here');
  • define('NONCE_KEY', 'put your unique phrase here');
  • define('AUTH_SALT', 'put your unique phrase here');
  • define('SECURE_AUTH_SALT', 'put your unique phrase here');
  • define('LOGGED_IN_SALT', 'put your unique phrase here');
  • define('NONCE_SALT', 'put your unique phrase here');

You need to generate security keys and WordPress salts and replace every 'put your unique phrase here' placeholder with the random values you just generated.

6.2 How Do WordPress Salts and Security Keys Work?

Unlike most other website platforms, WordPress does not use PHP sessions to keep track of its users.

To verify the identity of logged-in users as well as commenters, WordPress uses cookies, i.e. information stored in your browser.

When you log in to your Dashboard, multiple cookies are created and saved. Usually, the two cookies that are created are:

  • wordpress_[hash]
  • wordpress_logged_in_[hash]

The first one is used only when you are logged on to your Dashboard, while the second cookie is used throughout WordPress to check whether or not you are logged in.

The details you use to log in are hashed (turned into values that cannot be read back directly) using the random values specified in the WordPress security keys.

This, in turn, makes it almost impossible for anyone to recover your password should your cookies be stolen.
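To make the mechanism described above concrete, here is a simplified model of a signed login cookie, added as an illustration for this chapter; it is not WordPress’s own code, and the key names, cookie layout (username|expiration|hmac) and sample key values are constructed assumptions. It shows why a cookie cannot be forged or edited without the secret, and why rotating the keys (as Salt Shaker does on a schedule) immediately invalidates every existing cookie, which is the “you will be logged out” effect noted later in the chapter.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the AUTH_KEY / AUTH_SALT pair from wp-config.php.
# WordPress concatenates a key with its salt to form one secret; this model does the same.
AUTH_KEY = "constructed-example-auth-key"
AUTH_SALT = "constructed-example-auth-salt"


def site_secret(key: str, salt: str) -> bytes:
    """The secret that keys the cookie hash: key and salt concatenated."""
    return (key + salt).encode()


def sign_cookie(username: str, expiration: int,
                key: str = AUTH_KEY, salt: str = AUTH_SALT) -> str:
    """Return a 'username|expiration|hmac' cookie signed with the site secret."""
    payload = f"{username}|{expiration}"
    mac = hmac.new(site_secret(key, salt), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie: str, now: int,
                  key: str = AUTH_KEY, salt: str = AUTH_SALT) -> bool:
    """Accept the cookie only if it is well-formed, unexpired and its hmac
    was produced with the *current* key and salt."""
    try:
        username, expiration_text, mac = cookie.split("|")
        expiration = int(expiration_text)
    except ValueError:
        return False
    if expiration < now:
        return False
    expected = hmac.new(site_secret(key, salt),
                        f"{username}|{expiration}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison, so the check does not leak how many bytes matched.
    return hmac.compare_digest(mac, expected)


def generate_secret_value(length: int = 64) -> str:
    """A random value of the kind you would paste into wp-config.php."""
    return secrets.token_urlsafe(length)[:length]


if __name__ == "__main__":
    now = 1_700_000_000           # constructed "current time"
    cookie = sign_cookie("alice", now + 3600)
    print("valid cookie accepted:   ", verify_cookie(cookie, now))
    print("edited cookie rejected:  ", not verify_cookie(cookie.replace("alice", "bob"), now))
    # Rotating the keys is all it takes to log every existing session out.
    new_key, new_salt = generate_secret_value(), generate_secret_value()
    print("old cookie after rotation:", verify_cookie(cookie, now, new_key, new_salt))
```

Running the script prints True, True, False: the original cookie verifies, an edited copy does not, and after the key and salt are rotated the old cookie is rejected, so the user has to log in again and obtain a cookie signed with the new secret.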

6.3 How to Use WordPress Security Keys and Salts?

Usually, when your WordPress website is self-hosted, the security keys are not pre-defined.

Instead, you might need to generate and add them yourself.

But don’t worry, the process is quite simple and straightforward.

Generally, there are two ways you can configure the secret keys.

We will be discussing both methods for your convenience so you can choose whichever method you prefer.

  • Manually changing the WordPress security keys and salts
  • Using a WordPress plugin

Method 1: Manually Changing the Secret Keys & Salts!

Follow the steps below as a guideline and secure your WordPress profile and website!

You can easily change WordPress security keys and salts.

The WordPress Foundation provides a WordPress key generator that creates random values for secret keys and salts.

Visit the following link: https://api.wordpress.org/secret-key/1.1/salt/

Copy the values you get from the link and then paste them into your wp-config.php file.

Step 1: To access the wp-config.php, open your web host account and go to cPanel. Select File Manager, and it’ll take you to a page that looks somewhat like this:

Step 2: On the left-hand side, you can see the public_html folder where you’ll find the wp-config file.

Step 3: Right-click on the file and select Edit.

Replace every 'put your unique phrase here' placeholder with the values you just generated.

And that’s it. That’s how you generate and insert unique keys and WordPress salts on your website.

Method 2: Using a Plugin

To explain this method more thoroughly, we will be using the Salt Shaker plugin. A free WordPress security plugin, Salt Shaker is also extremely user-friendly. To start the process, install and activate the plugin.

Once the plugin is activated and ready to use, you will find a newly added Salt Shaker entry in the Tools menu.

After you click on the menu, you will be redirected to a new page that features the option to set a schedule for changing the SALT keys.

Go ahead and tick the option to Change WP Keys and Salts.

You will also see the option to either choose a Daily, Weekly or Monthly basis to schedule the change of keys and salts.

Select the option you prefer and your settings are saved.

In case you want to change the WordPress security keys and salts immediately, there is also a Change Now option at the bottom of the page.

Note that once you change the keys you will be automatically logged out of your WordPress.

Conclusion:

Storing passwords in plaintext is always a bad idea, and that’s where salt keys come in.

WordPress uses unique salt keys to secure your passwords, which stop attackers from accessing your passwords even if they were to gain access to your database.

You can ensure that these are even more secure by changing them regularly.