Knowledge Base
MilesWeb / WordPress FAQ

Everything You Need to Know About WordPress Salts

Approx. read time : 5 min

WordPress salts help to keep your WordPress website secure by enabling secure storage and authentication of passwords of users at your site.

WordPress Salts: Explained In Detail

WordPress salts including their companion security keys, are a cryptographic tool that helps secure the login of your WordPress site.

In particular, salts and security keys help in securing information in cookies used by WordPress for logging you in.
After you log in to your WordPress, there is an option to stay logged in and therefore, you don’t need to enter your username and password every time. For this, WordPress saves your login credentials in cookies instead of using PHP sessions.

This is very convenient for the users but it also leads to security issues if anyone tries to hijack your browser’s cookies.

Hence, WordPress salts and security keys help in securing your login information so that malicious objects can’t harm them. Consider them as “additional passwords” for your site which the malicious actor can’t guess.

Due to their importance, you shouldn’t share your WordPress salts and security keys with anyone.

The Location of WordPress Salts

By default, WordPress comprises of its own salts and security keys. You will find them in your site’s wp-config.php file. There will be total eight keys:

  • The first four entries are the security keys.
  • The last four entries are the WordPress salts.

Working of WordPress Salts

If your password for your WordPress site is “mypassword” (I know it isn’t a good one but it’s just for example).

While logging in, you enter your username and password. Then, WordPress will store that information in two browser cookies for you to stay logged in (you will also find this information stored in your site’s database).

But if WordPress would have stored your password simply as “mypassword” then it would have been easy for the malicious actors to crack. This is called as storing your password in plaintext and you should avoid it if you want to secure your website.

This issue is completely resolved by the use of security keys and salts by working together to cryptographically turn that plaintext password into a random jumble of characters that can’t be identified by someone without accessing your keys and salts.

With this security, even if you enter “mypassword” to log in, WordPress will convert your password into something as “mgb78a34%7832$4hgfhggfd78782^^429nsdf” for storage.

Until a person gets an access to your salts and security keys, it won’t be possible for them to translate that random jumble of characters into your actual password.

Is It Required to Change Your WordPress Salts and Security Keys?

New WordPress installations come with their own set of keys and salts by default, so your WordPress site is already secure and there isn’t any action required to be taken from your side.

But you should consider changing your salts and keys on a periodic basis for some of the reasons.

When you periodically change your keys and salts, you make it even tough for a malicious actor to get an access to your salts.

Moreover, when you change your salts all the logged-in users will get automatically logged out and the site will force them to log in again, which is another key benefit. Suppose you accidentally log in on a public computer and forget to log out, changing salts will force log out that account to ensure that no one can get an access to the same.

Changing Your WordPress Salts

There are two methods to change your WordPress Salts as below:

  • Editing Your wp-config.php File Manually
  • Using a Free Plugin

Steps to Change Your Salts by Editing Your wp-config.php File Manually

For this method, you’ll need to connect to your site’s server using FTP and edit your wp-config.php file.

After you get connected, go to the official salt generator. This page will randomly generate salts and security keys for you, just as mentioned above. Ensure that it has generated the four security keys plus four salts (eight total):

Now, delete the existing keys in your wp-config.php file and replace them by pasting the keys from the salt generator:

After this, it should appear similar as before — just the random character strings will be different.

Ensure that you save your changes and re-upload your wp-config.php file if needed.

Steps to Change Your Salts Using a Free Plugin

You can also change your site’s salts using a plugin.

The Salt Shaker plugin is a popular free option for this.

It is possible to set it up such that it automatically changes your salts on a schedule defined by you. Or, you it can be just used manually to change salts.

After installing and activating the plugin, go to Tools → Salt Shaker.

Now to manually change your salts right away, just click the Change Now button.

Or the Scheduled Change feature can also be used to automatically change your salts on one of the following schedules:

  • Daily
  • Weekly
  • Monthly
  • Quarterly (every three months)
  • Biannually (every six months)


WordPress salts and security keys help in securing your site’s login process and the cookies that WordPress uses to authenticate users.

By default your WordPress site includes its own set of salts and keys, so you don’t need to set anything up get the benefits from salts.

But, you can have security benefits by periodically changing your salts to make it even tough for malicious actors to access them.

For changing your salts, you can use the salt generator and manually edit your wp-config.php file or you can use a free plugin like Salt Shaker.

Also Read
How To Reset WordPress Password With phpMyAdmin?
Steps to Replace a Hacked WordPress Site

Pallavi is a Digital Marketing Executive at MilesWeb and has an experience of over 4 years in content development. She is interested in writing engaging content on business, technology, web hosting and other topics related to information technology.

Trusted By Thousands of Clients & Big Businesses

We highly appreciate the kind and stellar feedback we receive from our customers. Delivering the best is our goal! MilesWeb is rated Excellent out of 5 based on reviews. Read more reviews.

Based on reviews
2 hours ago
Perfect and Valuable Server + ...
I am using MilesWeb Servers, The main thing which I getting are continuous support over everything w...
Gunjan Makwana
4 hours ago
Milesweb is superb Hosting pro...
Milesweb is superb Hosting provider ever, their Support team is amazing!!!...
Abhishek Singh
15 hours ago
Great support in great timing...
We need urgent assistance on changes in a primary domain on our client's Cpanel accounts and reached...
Riyaju Deen
21 hours ago
Best Website Hosting platform ...
I was new on MilesWeb. And needed help on multiple areas from setting up to getting started with cre...
1 days ago
Very quick and helpful assista...
Very quick and helpful assistance. Support person listened properly and provided a nice solution....
1 days ago
the team is very supportive th...
the team is very supportive though at times effort needs to be made to make understand the problem s...
Suree Sharma
1 days ago
I am using miles web for 3plus...
I am using miles web for 3plus years, very quick and perfect support by the team, they helped me man...
Sri Raghav
2 days ago
The service is good...
The service is good. They are answering with patience and doing the needful as soon as possible....
2 days ago
Perfect and Valuable Server + ...
I am using MilesWeb Servers, The main thing which I getting are continuous support over everything w...
Gunjan Makwana
3 days ago
Very quick and helpful assista...
Very quick and helpful assistance. Support person listened properly and provided a nice solution....
4 days ago
positively helped me with find...
positively helped me with finding insecure content on my website causing SSL to not work properly on...
Thaviraj Junglee
4 days ago
Exceptional support, Truly Pra...
I had opted for the basic wordpress hosting plan as I intended to experiment with various plug-ins. ...
Aseem Chandna