Updating WordPress Keys & Salts for Better Security

One of the services we provide clients of our WP Total Defense packages is to regularly update their WordPress keys & salts. This is an important step to ensure the highest level of security, but why? Most WordPress admins and developers have never heard of these terms, so how important are they, really? The following is a brief explanation plus a quick how-to showing you the manual method to change your WordPress keys & salts.

An Overview of WordPress Keys & Salts

The first step to understanding WordPress keys & salts is to understand cookies and how they’re used. WordPress uses cookies, which are small text files of information stored in your browser, to verify and store the identity of logged-in users. Every time a user logs into your website, a cookie file is stored or updated in their browser.

Because the WordPress cookie contains that user’s login information, it must be encrypted to protect it, which is why WordPress includes these secret authentication keys and salts in your wp-config.php file. Think of them as extra passwords for your site that are very long, highly random and extremely complicated, making them nearly impossible to guess even with sophisticated hacking software.

For those of you who would like to dig in a bit more to the technical explanations of cookies, secret keys and salts, here are a few resources:

For Added Security, Change Your WordPress Keys & Salts Periodically

Another way to harden your WordPress site is to update your secret keys and salts on a regular basis. Even though the existing keys are extremely difficult for hackers to guess, the more layers of complexity you can put up as a defense, the more secure your site is overall.

Changing WordPress keys & salts automatically invalidates the credentials of anyone currently logged in, forcing them to log in again. This can be helpful if you have a user taking suspicious actions on your site while logged in. Updating the WordPress keys & salts will force them to log out and reauthenticate. If a user with a higher level of access has accidentally clicked “remember me” in the browser on a public computer, no unauthorized user will ever be able to access the site using the information stored in that browser.

How to Manually Change Your WordPress Keys & Salts

As I mentioned in the beginning, our WP Total Defense clients don’t need to worry about changing their WordPress keys & salts. We automatically take care of this for you. For everyone else, here’s an explanation of how to make these changes yourself:

1. Before making changes to important core files on your site, always make a backup.

2. In your FTP client, find and open your wp-config.php file and locate the section called Authentication Unique Keys and Salts.

Find this section in your wp-config.php file. Image provided by iThemes Security, one of the security tools in our arsenal of security provided by WP Total Defense.

3. Use the official WordPress keys & salts generator from WordPress.org, then copy the new set of keys created by the generator.

Copy this set of keys from the generator and replace the set in your wp-config.php file. Image provided by iThemes Security, one of the security tools in our arsenal of security provided by WP Total Defense.

4. Now simply paste the new keys into your wp-config.php file, replacing the old set, and save the file. That’s it!
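
Steps 1 to 4 above as a script. This is an added example, not part of the original article or of WP Total Defense's tooling. It generates the new values locally with Python's `secrets` module instead of copying them from the WordPress.org generator, and the function names and the `backup_dir` parameter are assumptions made for illustration.

```python
import re
import secrets
import shutil
from pathlib import Path

# The eight constants in the "Authentication Unique Keys and Salts" section.
SALT_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
# Printable ASCII minus quote and backslash: safe in a single-quoted PHP string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")

def new_secret(length=64):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Return config_text with all eight define() lines given fresh values."""
    for name in SALT_NAMES:
        pattern = re.compile(
            r"^[ \t]*define\(\s*(['\"])%s\1\s*,\s*(['\"]).*?\2\s*\)\s*;[ \t]*$" % name,
            re.MULTILINE)
        line = "define( '%s', '%s' );" % (name, new_secret())
        # Callable replacement: the new value is inserted literally,
        # not interpreted as a regex replacement template.
        config_text, count = pattern.subn(lambda m, line=line: line, config_text)
        if count != 1:  # fail closed on a missing, duplicated or unusual line
            raise ValueError("%s: expected 1 define(), found %d" % (name, count))
    return config_text

def rotate_file(path, backup_dir):
    """Back up wp-config.php (step 1), then swap in rotated keys (steps 2-4)."""
    path = Path(path)
    backup = Path(backup_dir) / (path.name + ".bak")
    # The backup holds the old keys and the database credentials:
    # keep backup_dir outside the web root.
    shutil.copy2(path, backup)
    updated = rotate_salts(path.read_text(encoding="utf-8"))
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(updated, encoding="utf-8")
    shutil.copymode(path, tmp)  # keep the original file permissions
    tmp.replace(path)           # atomic swap: never leave a half-written config
    return backup

# Constructed sample input, not a real configuration.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_NAME', 'example_db' );\n" + "".join(
    "define( '%s', 'old-%s-value' );\n" % (n, n.lower()) for n in SALT_NAMES)

if __name__ == "__main__":
    print(rotate_salts(SAMPLE_CONFIG))
```

Because `rotate_salts` raises before anything is written, a config with a missing or commented-out key leaves the live file untouched.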

WP Total Defense Gives You Total Peace of Mind Security

WordPress security is a never-ending moving target and nothing brings peace of mind like having a team to professionally manage your security needs. Learn more about WP Total Defense and how we can help you.
