WordPress GuideSecurity → Salt Keys

WordPress salts: what they are and how to change them

wordpress salts

WordPress salts are random strings of characters stored in your wp-config.php file that WordPress uses to encrypt the cookies it creates when you log in.

They work with WordPress security keys to make your login information difficult for attackers to read or forge, protecting your site from session hijacking and various cookie-based attacks.

If you’ve never thought about WordPress salts, your site is probably fine. But they’re worth understanding, especially if you’ve recently experienced a security incident or accidentally exposed your wp-config.php file.

This guide covers:

  • What WordPress salts and security keys are.
  • How they work behind the scenes.
  • Where to find them in your WordPress installation.
  • When you should and shouldn’t change them.
  • Three different methods to update them (manual, plugin, and WP-CLI).
  • How they fit into broader WordPress security practices.

Get fast, reliable hosting for WordPress

Power your site with the industry’s fastest, most optimized WordPress hosting

What are WordPress salts?

WordPress salts are randomly-generated strings of characters used as cryptographic inputs when WordPress hashes authentication data. Each WordPress installation has four salts, each paired with a corresponding security key. When you log in to your site, WordPress uses these together to create the cookies that keep you authenticated.

When you enter your password, WordPress doesn’t store your actual password in the cookie or session data. Instead, it combines your authentication data with the salts and security keys to produce a hashed value that’s stored in your browser cookies. Without the right salt, the same password would produce a different hash on a different site, which means even if someone steals your authentication cookie, they can’t reverse-engineer your password from it.

A typical WordPress salt looks something like this:

define('AUTH_SALT', 'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW');

The string itself is meaningless to humans. To WordPress, it’s a critical piece of the puzzle that makes your authentication system work securely.

Salts vs. security keys

People often use ‘WordPress salts’ and ‘WordPress security keys’ interchangeably, but they’re technically two different things that work together:

  • Security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY) are the primary cryptographic constants used for various authentication scenarios.
  • Salts (AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT) are paired with each key to add randomness to the hashing process.
wordpress salts

Each pair handles a specific authentication purpose:

  • AUTH is used to authenticate the user when not over SSL.
  • SECURE_AUTH is used when the site is accessed over SSL.
  • LOGGED_IN is used to check if a user is logged in.
  • NONCE is used for WordPress nonces (one-time-use tokens that protect against certain types of attacks).

In total, there are eight constants in your wp-config.php file related to this system: four keys and four salts. The ‘salts’ shorthand often refers to all eight collectively since they work as a unit.

How WordPress salts actually work

To understand why salts matter, it helps to know what happens when you log in.

Here’s the simplified version of the login process:

  1. You enter your username and password on wp-login.php.
  2. WordPress hashes the password you entered and compares it to the hashed password stored in the database. If they match, you’re authenticated.
  3. WordPress creates a session and generates an authentication cookie. The cookie includes your username, an expiration time, and a hash that’s calculated using your salts and security keys.
  4. The cookie is stored in your browser. Every subsequent request includes the cookie, so WordPress knows you’re logged in.

The salt’s role is in step 3. The hash included in the cookie is calculated from AUTH_KEY, AUTH_SALT, and your authentication data. Without the right salt, an attacker who somehow got hold of the cookie couldn’t forge a valid one, because they’d need the salt to produce the matching hash.

Salts also matter for password storage. WordPress doesn’t store passwords in plaintext (the actual password text). Instead, it stores a hashed version using the wp_generate_password() function and a hashing algorithm. The salts add randomness to this hashing process, so even if two users have the same password, the stored hashes will look completely different.

Without salts, WordPress would still hash passwords, but the hashes would be much easier to crack using precomputed hash tables (commonly called rainbow tables). The salts make those attacks impractical.

Where are WordPress salts located?

WordPress salts are stored in the wp-config.php file, which lives in the root directory of your WordPress installation (the same folder that contains wp-admin/, wp-content/, and wp-includes/).

To find your wp-config.php file:

  1. Connect to your site via FTP, SFTP, or your hosting provider’s file manager.
  2. Navigate to the root directory of your WordPress installation (often called public_html, www, or the name of your site).
  3. Look for wp-config.php.
/**
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

When should you change WordPress salts?

This is where current best practice has shifted from what older guides recommend.

When should you change WordPress salts?

Change your WordPress salts when there’s a specific reason to believe the existing ones may no longer be private:

There is no strict rule for how often you should change your salt keys, but doing so periodically, such as every six months to a year, is advisable.

When NOT to change salts

Older WordPress security guides recommend rotating salts on a fixed schedule (every six months, every year, etc.). This advice is outdated, and current security thinking is that calendar-based rotation provides no meaningful security benefit while creating support issues.

Specifically, changing salts on a fixed schedule:

Rotate salts only when trust is broken. If nothing has been exposed and your site is healthy, your time is better spent on plugin updates, backups, login protection, two-factor authentication, and malware scanning.

How to change WordPress salts: 3 methods

There are three reliable ways to update your WordPress salts. Pick the one that fits your situation best.

Method 1: Manually update wp-config.php

The manual method gives you direct control and works on any WordPress installation. You’ll need FTP, SFTP, or file manager access.

Step 1: Generate new salts

Go to the WordPress.org secret-key service in your browser. This URL generates a fresh set of eight salts and keys formatted for direct paste into wp-config.php. The output looks like this:

define('AUTH_KEY',         '|9X(zM5p..long random string..>3v#');
define('SECURE_AUTH_KEY',  ':kT9w$Q..long random string..lLpN#');
... and so on for all eight values

Each time you visit the URL, you get a fresh, unique set of salts. Don’t reuse the same set across multiple sites or someone else’s published example.

Step 2: Back up wp-config.php

Before editing, download a copy of your current wp-config.php to your local computer. If something goes wrong, you can restore it.

Step 3: Open wp-config.php for editing

Use your hosting control panel’s file editor, FTP, or SFTP to open the file. The file is in your WordPress root directory.

Step 4: Replace the old salts

Find the Authentication Unique Keys and Salts section. Delete the existing eight define() lines (the entire block between the section comment and the next section). Paste in the new eight lines you generated in Step 1.

Step 5: Save the file

Save your changes and upload the file back to the server (if you downloaded it for editing).

Step 6: Test

You’ll be logged out of WordPress automatically (the salt change invalidates your existing session). Log back in to confirm everything works. If you can log in, the salt rotation was successful.

If you can’t log in, restore your backup of wp-config.php and try again. Common causes of issues: stray spaces or quote marks in the pasted values, missing line endings, or accidentally deleting other parts of the file.

Method 2: Use a plugin

If you’d rather not edit wp-config.php manually, the Salt Shaker plugin can rotate salts from inside the WordPress dashboard.

Here are the steps to use it:

  • From your WordPress admin dashboard, go to Plugins > Add New.
  • Search for ‘Salt Shaker’.
  • Install and activate the plugin.
  • Go to Tools > Salt Shaker.
  • Click Change WordPress Salts.
  • The plugin updates wp-config.php for you, and you’ll be logged out.

Salt Shaker also includes an option to schedule automatic salt rotation. Given the current best practice (rotate when trust is broken rather than on a schedule), this feature is worth understanding before enabling.

Scheduled rotation can log users out at awkward times and may break plugin integrations that rely on the salt values for encryption. For most sites, manual rotation when needed is the better approach.

If your site has been compromised, don’t use a plugin running inside the compromised WordPress install to rotate salts. Clean the site first, then handle the rotation manually or via WP-CLI.

Method 3: Use WP-CLI

For sites with command-line access (most managed WordPress hosting, VPS, or dedicated servers), WP-CLI provides the cleanest way to rotate salts:

wp config shuffle-salts

That single command regenerates all eight keys, salts, and updates wp-config.php in place. WP-CLI uses the same WordPress.org secret-key service under the hood, so the resulting salts are cryptographically sound.

WP-CLI is particularly useful when you’re working on a site you’ve just secured after a breach, since you can run it without going through the dashboard. It also works in deployment scripts if you’re automating site setup.

How WordPress salts fit into WordPress security

Changing your salts is one piece of WordPress security. It addresses a specific concern (cookie-based attacks and stolen authentication data), but it doesn’t help with the issues that are actually more common, like outdated plugins with known vulnerabilities, weak admin passwords, or brute force attacks on the login page.

For broader WordPress security, the practical priorities are:

kadence security

How Kadence Security helps

Kadence Security handles most of the security vectors that matter for WordPress sites in one plugin. For the broader context around salts and authentication security, Kadence Security includes:

The last point is particularly relevant for salts: if an attacker were to modify your wp-config.php to inject their own salt values (which would let them forge authentication cookies), Kadence Security would detect the change and alert you within hours rather than weeks.

For most WordPress sites, the combination of Kadence Security and managed WordPress hosting is enough to keep the security issues that actually compromise sites under control. Salt rotation is then something you do when needed (after a breach, after exposure) rather than as a routine maintenance task.

FAQs about WordPress salts

Common questions about WordPress salts that come up beyond what’s covered above.

What is WP Salt PHP?

The reference to ‘WP Salt PHP’ is usually about the WordPress core function wp_salt(), which is the internal function WordPress uses to retrieve or generate salts during authentication. You don’t typically interact with this function directly; it runs automatically as part of the WordPress login flow.

What hash does WordPress use for passwords?

WordPress uses bcrypt for password hashing as of WordPress 6.8 (released in April 2025). Before that, WordPress used phpass (PHP Password Hashing Framework) with portable hashes. Both algorithms are designed to be computationally expensive, which makes brute-force cracking of stored passwords impractical even if an attacker gains database access. The salts are part of the broader system that makes this hashing effective.

Can changing WordPress salts break my site?

If done correctly, no. The risks come from making mistakes during the wp-config.php edit: stray characters, missing quotes, accidentally deleting other configuration values, or corrupting the file. Always back up wp-config.php before editing. If your site stops working after a salt change, restoring the backup will get you back to a working state, and you can try again.

Some plugins use the WordPress salts when encrypting their own data (API keys, integration tokens, etc.). For these plugins, you may need to reconfigure the affected settings after a salt rotation. Most well-designed plugins handle this gracefully, but it’s worth being aware of if your site relies on integrations with stored credentials.

Get to grips with WordPress salts

Additional resources

Comprehensive guide to securing WordPress with ModSecurity

This guide provides a comprehensive overview of how to use ModSecurity to enhance the security of your WordPress site.

WordPress malware removal techniques to try →

Learn how to remove malware from your WordPress site and protect it from future threats.

Why security matters for WordPress enterprise hosting

Use the blog as your guide to attacks to watch out for, security best practices, and steps to improve the WordPress protection you already have.

Trust us to help you choose the ideal hosting solution

Loading form…