One of the services we provide clients of our WP Total Defense packages is to regularly update their WordPress keys & salts. This is an important step to ensure the highest level of security, but why? Most WordPress admins and developers have never heard of these terms, so how important is it, really? The following is a brief explanation plus a quick how-to showing you the manual method to change your WordPress keys & salts.
An Overview of WordPress Keys & Salts
Because a WordPress cookie contains the user’s login information, it must be encrypted to protect it, which is why WordPress includes these secret authentication keys and salts in your wp-config.php file. Think of them as extra passwords for your site that are very long, highly random and extremely complicated, making them nearly impossible to guess even with sophisticated hacking software.
For those of you who would like to dig in a bit more to the technical explanations of cookies, secret keys and salts, here are a few resources:
For Added Security, Change Your WordPress Keys & Salts Periodically
Another way to harden your WordPress site is to update your secret keys and salts on a regular basis. Even though the existing keys are extremely difficult for hackers to guess, the more layers of complexity you can put up as a defense, the more secure your site is overall.
Changing WordPress keys & salts automatically invalidates the credentials of anyone currently logged in, forcing them to log in again. This can be helpful if you have a user taking suspicious actions on your site while logged in. Updating the WordPress keys & salts will force them to log out and reauthenticate. If a user with a higher level of access has accidentally clicked “remember me” in the browser on a public computer, changing the keys means no unauthorized user will ever be able to access the site using the information stored in that browser.
How to Manually Change Your WordPress Keys & Salts
As I mentioned in the beginning, our WP Total Defense clients don’t need to worry about changing their WordPress keys & salts. We automatically take care of this for you. For everyone else, here’s an explanation of how to make these changes yourself:
1. Before making changes to important core files on your site, always make a backup.
2. In your FTP client, find and open your wp-config.php file and locate the section called Authentication Unique Keys and Salts.
3. Use the official WordPress keys & salts generator from WordPress.org, then copy the new set of keys created by the generator.
4. Now simply paste the new keys into your wp-config.php file, replacing the old set, and save the file. That’s it!
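The four steps above can also be scripted. The following is an added example, not code from WP Total Defense or WordPress: it backs up the file, then replaces all eight constants in one pass. It assumes values generated locally with Python's `secrets` module rather than fetched from the WordPress.org generator, and the function names (`new_secret`, `rotate_keys`, `rotate_file`) are hypothetical.

```python
import re
import secrets
import shutil
import string

# The eight constants in the "Authentication Unique Keys and Salts" section.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Printable ASCII minus ' and \ so a value cannot break a PHP single-quoted string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

def new_secret(length=64):
    """Generate one value from the OS CSPRNG (local stand-in for the generator)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text):
    """Return config_text with all eight define() lines replaced (step 4)."""
    for name in KEY_NAMES:
        pattern = re.compile(
            r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A function replacement keeps re from interpreting characters in the value.
        config_text, count = pattern.subn(lambda m, l=line: l, config_text, count=1)
        if count != 1:
            raise ValueError("%s not found; refusing to write a partial rotation" % name)
    return config_text

def rotate_file(path):
    """Back up wp-config.php (step 1), then rewrite it with fresh values."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        updated = rotate_keys(fh.read())  # raises before anything is written
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)

# Constructed sample: a trimmed wp-config.php with placeholder values.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_NAME', 'example_db' );\n" + "".join(
    "define( '%s', 'put your unique phrase here' );\n" % n for n in KEY_NAMES)

if __name__ == "__main__":
    print(rotate_keys(SAMPLE_CONFIG))
```

The `.bak` copy still contains the old keys, so keep it out of the web root and delete it once the site is confirmed working.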
WP Total Defense Gives You Total Peace of Mind Security
WordPress security is a never-ending moving target and nothing brings peace of mind like having a team to professionally manage your security needs. Learn more about WP Total Defense and how we can help you.