What Are WordPress Salts and Why You Should Use Them

If you’re a WordPress user, protecting your website from security breaches should be a top priority. Due to its inherent weaknesses and popularity, WordPress is the most targeted CMS. You can lose your data, website, and income if your security gets compromised.

One of the most important factors in securing a website is making sure that your passwords are strong enough. WordPress salts and security keys can add an extra layer of protection to your site’s login password, making it undetectable to hackers.

This article will contain an in-depth explanation of what WordPress salts and security keys are, how they work, whether or not you should change them, and how to do so.

Download all in one WordPress cheat sheet

What Are WordPress Salt Keys And How Do They Work?

WordPress salts or secret keys are random strings of code containing eight variables that encrypt your login details.

They’re added to your password to secure your WordPress login credentials further. This ensures your passwords are immune to brute-force attacks and similar hacking methods.

When logging into the Dashboard, a number of browser cookies containing WordPress login information –  namely, wordpress_[hash] and wordpress_logged_in_[hash] – are created and stored inside your computer. This means that if a hacker can access your web browser’s cookies, they can extract your passwords.

Fortunately, with security keys and salts, all your login details are hashed, meaning that they are encrypted using a sequence of random strings. These strings are visible while the actual password isn’t.

Every time you input sensitive data on WordPress, such as your username or email address and password, salts will regenerate the plain text used as your password into a randomly encrypted text.

For example, if your password is “yourpassword”, using WordPress salts, it will be stored as random characters like “SG^&%@KD>>:_+$#%HBJH**6#jkj”. Attackers will not be able to decipher your actual password even if they gain access to your site’s code.

WordPress security keys and salts are all stored in the public_html -> wp-config.php file of your WordPress site. To access the file, connect with FTP or use the File Manager on your hosting account.

Here is how salts and keys look like in the wp-config.php file while opened on the hPanel File Manager:

WP salts and secret keys example found in the wp-config.php file.

They are located under Authentication Unique Keys and Salts and a brief description which includes a link to the key generator. The first four lines of code contain your security keys, and the rest are your salts.

Note that you should never share your WordPress salts and authentication keys with other people to avoid security risks – just like you wouldn’t share your password.

Why You Should Change Your Security Keys and WP Salts?

Even though having static WordPress security keys and salts will provide you with enough protection, you might need to consider changing them regularly. This will improve the security of your WordPress website even further.

When the WordPress security keys and salts are changed, all users will automatically be logged out. This is especially useful if you frequently log into your WordPress site on multiple devices or browsers since the risk of having your login details compromised is even higher.

Changing your WordPress salts and authentication keys regularly is also an effective way to eliminate hackers’ access to your site’s back-end. You have the option to lock them out by changing the salt keys and password.

There are two methods to alter your WordPress security keys and salts – manually and automatically.

How to Change WordPress Salts Manually

Changing your WordPress salts manually involves editing your wp-config.php file. You can access the file using FTP or by opening up the File Manager on your WordPress hosting account.

Keep in mind that the process of changing your WordPress keys manually can be risky and more time-consuming. If you’re not careful, you can damage the website.

Another downside to this method is that you can’t automate the salts and keys renewal periodically – you will need to change them yourself from time to time.

With that being said, this manual method is still worth knowing, especially when you can’t access your WordPress dashboard.

In the following tutorial, we will be using the File Manager on Hostinger’s hPanel. However, the steps should be similar no matter which hosting provider or control panel you use.

  1. Log into hPanel and select File Manager.
The hPanel's hosting dashboard, highlighting the File manager option
  1. Navigate to the public_html folder and open the wp-config.php file.
The wp-config.php file in Hostinger file manager
  1. Find the Authentication Unique Keys and Salts line. Under it, you’ll find a link to generate new WordPress security keys and salts. Copy and paste this link in another tab.
The WordPress salts and secret keys generation link location in the wp-config.php file.
  1. Feel free to refresh the screen several times to regenerate the code. Then, select all the text and right-click to copy all the new WordPress salts and security keys from the new tab.
The WordPress salts keys right-click dropdown menu
  1. Delete the old WordPress salts and security keys and paste the new ones.
The new WordPress salts and security keys in the wp-config.php file
  1. Click Save & Close.

Alternatively, you can simply use a plugin to change your WordPress security keys and salts without manually editing your site’s wp-config.php file.

How to Change WordPress Salts Using a Plugin

Salt Shaker is a free security plugin used to automate the process of regenerating your WordPress salt keys. No need to manually edit the code in your wp-config.php file – simply alter your WordPress salts and security keys right from your dashboard.

In addition to making WordPress security keys and salts changes more straightforward, the Salt Shaker tool also allows website users to set automated schedules for these changes.

You have the option to choose whether to schedule the changes on a daily, weekly, monthly, quarterly, or biannual basis.

Once you have installed the Salt Shaker plugin on your WordPress site, activate it and navigate to Tools -> Salt Shaker to configure it.

Accessing the Salt Shaker plugin from the WordPress Dashboard.

To make Salt Shaker change your WordPress salts and keys periodically, tick Change WP Keys and Salts on <…> Basis and choose which interval you prefer from the drop-down menu.

To make Salt Shaker change your WordPress salts and keys immediately, simply select Change Now.

It’s worth noting that iThemes Security – a popular all-in-one WordPress security plugin – is also capable of automatically changing your salts and keys. However, even though the plugin allows you to change your salts and keys immediately, it doesn’t have a scheduling feature like Salt Shaker.


WordPress salts and security keys offer added protection to your password, as they encrypt it into a random string of code, making it unreadable to hackers.

To add even more protection, you can change your WordPress salts and keys using two methods – manual and automatic. The manual method requires you to edit your WordPress website’s wp-config.php file, while the automatic method involves configuring the Salt Shaker plugin.

We hope this article helps increase the security of your WordPress website.

The author

Hasna A.

Hasna is passionate about tech, culture, and the written word. She hopes to create content that helps people succeed on the web. When not writing, rearranging, or polishing sentences, she enjoys live music and overanalyzing movies.