What are WordPress Salts, and how to Change them

If you have a WordPress website, ensuring its security should be your top priority. One vital aspect of WordPress security that often goes unnoticed is the use of salts. In this article, we will go through what WordPress salts are, explain their significance, and guide you through the process of changing them to strengthen your website’s defences against potential threats.

The Benefits of Using WordPress Salts:

  • Improved Password Security: By using salts, passwords become much harder to crack, making your website more secure against unauthorized access.
  • Mitigating Brute-Force Attacks: Salts significantly increase the complexity of password hashes, discouraging attackers from attempting brute-force attacks on your website.
  • Protection against Data Breaches: In case of a data breach, hashed passwords with salts are challenging to reverse, keeping your users’ sensitive information safe.
  • Enhancing User Trust: By prioritizing website security, you show your customers that their data and privacy matter to you.

What are WordPress Salts?

WordPress salts are random pieces of data used to enhance the security of passwords stored in the website’s database. They are cryptographic keys that add an extra layer of protection by making it much harder for attackers to crack passwords through brute-force attacks or other means.

How are WordPress Salts Used?

When a user creates an account or changes their password on your WordPress site, the password is combined with the salts and then hashed. Hashing is a one-way process that converts the password into a fixed-length string of characters. This hashed value, along with the salts are stored in the database instead of the actual password. As a result, even if an attacker gains unauthorized access to the database, they won’t be able to reverse-engineer the original passwords.

How to Change Your WordPress Salts?

Changing WordPress salts is a straightforward process that involves accessing your site’s files or using the command line tool WP-CLI. Shuffling salts is not something that needs to be done frequently.  It’s typically performed after a security breach, such as when your site has been hacked or compromised in any other way. Here’s a step-by-step guide to help you through it:

Using WP CLI

Log on to your site using SSH. Once you’re logged in, issue the following command:

cd ~/public && wp config shuffle-salts

After that, you can close the SSH session again, as we’re done!

Updating the Salts Manually

Log in to your site using SSH, or SFTP to access your site’s files. When using SFTP, locate the wp-config.php file in the/public directory of your WordPress installation. Make sure to create a backup of this file before proceeding.

Open the wp-config.php file using a text editor. Look for the following lines of code:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
  1. Visit the WordPress Salts Generator to generate new, random salts.
  2. Replace the existing phrases inside the single quotes with the new salts generated by the WordPress Salts Generator.
  3. Save the changes, or save and upload the modified wp-config.php file back to your site if using SFTP.


WordPress salts play a crucial role in safeguarding your website and user data from potential threats. By changing the salts regularly, you strengthen your website’s security and minimize the risk of unauthorized access and data breaches. Don’t overlook this simple yet effective security measure.