WordPress is one of the most high-profile and popular content management systems in the world. Consequently, WordPress is a frequent target of security exploits, such as brute force attacks, SQL injection, malware, cross-site scripting, and DDoS attacks. In fact, recently, a new malware strain called Clipsa is launching brute force attacks in WordPress sites, stealing cryptocurrency via clipboard hijacking.
WordPress is only as secure as the amount of effort you put in to improve your site’s security. As a website owner, it’s your responsibility to stay vigilant and implement a proactive security strategy to prevent malicious attacks. Use of weak passwords and usernames, failure to update WordPress core and plugins, and poor quality hosting are among the common security mistakes website owners make, giving easy access to malicious hackers.
WordPress is a highly secure CMS in its own way. However, keeping your WordPress-powered site safe from cybercriminals requires you to improve your security posture and improve your online credibility. Simple steps like updating the WordPress core, choosing a secure WordPress hosting provider, paying attention to domain name security, and using a secure password can help block malicious bots and attackers.
In this post, we will focus on WordPress salts and security keys and their role in ensuring that you don’t have to deal with the fallout of malware attacks.
What Are WordPress Security Keys and Salts?
When a user logs in to WordPress site, a number of cookies are created on the computer. These are used to verify the identity of the logged-in users. If a hacker gets into your database or finds your cookies, they may be able to read your password, thereby making your site vulnerable to attacks.
WordPress uses security keys and salts to give you a cryptic output that’s stored in the database or cookie, adding a layer of security to your website.
Two of these cookies are:
- WordPress_[hash] used only on the admin page or the WordPress dashboard.
- WordPress_logged_in_[hash] used throughout WordPress to determine whether or not you are logged in to WordPress.
The authentication details stored in these cookies by WordPress are hashed (assigned cryptic values) using the random patterns which are specified in the WordPress security keys.
WordPress Security Key is a password containing a random, long, and complicated set of variables that improve encryption, making it almost impossible to crack your password. The latest version of WordPress uses four security keys, each having a corresponding salt that can boost the security of your WordPress-powered website.
- AUTH_KEY can be used to make changes to the site. It helps you sign the authorizing cookie for the non-SSL.
- SECURE_AUTH_KEY is used to sign the authorizing cookie for SSL admin and is used to make changes to the website.
- LOGGED_IN_KEY is used to create a cookie for a logged-in user. It cannot be used to make changes to the site.
- NONCE_KEY is used to sign the nonce key. This key protects the nonces from being generated, thereby protecting your site from being attacked.
You will find these Authentication Keys and Salts in the wp-config.php file, located in the WordPress root folder.
WordPress salts are random strings of data that hash the security keys and add an extra layer of protection to the site and your credentials.
As you can see in this image, each security key has a corresponding salt, namely AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT.
Why Use WordPress Security Keys and Salts?
So, a randomly-generated encrypted password like “65a3ds2873ba27us36sd89s0fc” is extremely difficult to crack as compared to a non-encrypted one. Hence, website owners should use WordPress security keys to secure their site’s cookies and stop malicious hackers from accessing the site.
How to Change WordPRess Keys and Salts Manually
You can configure the secret keys and salts either manually or by using a WordPress Security Plugin. If you have a self-hosted WordPress site, you will have to add the security keys yourself.
Please note: we only recommend manually editing WordPress files if you are a developer or are comfortable working with code at an intermediate or higher level. If you’re a beginner, please jump ahead to the recommended plugins below.
First, use the random generator on WordPress to procure a unique Secret Key.
Next, log in to your control panel file manager or via FTP. From here locate the wp-config.php file to modify it.
Open the file and scroll down to the “Authentication Unique Keys and Salts” section. This is where you can add your secret keys that you generated earlier.
Once you save the file, you will be required to log in again.
Use a Plugin To Update Keys & Salts
Like most things in WordPress you do not have to do this manually. Several WordPress plugins can be used to automate the process on your behalf. They’re a quick and easy way to change your WordPress Keys & Salts. Here are two we’d recommend.
The present version of iThemes Security (Free v4.6+ or iThemes Security Pro v1.14+) comes with a time-saving security feature that easily updates WordPress security keys and salts. It offers an update reminder every month and averts the need to manually generate a new set of keys or edit your wp-config.php file.
To update the keys and salts, go to the ‘WordPress Salts’ section in the ‘Advanced Tab’, click the checkbox against ‘Change WordPress Salts’ and finally click the ‘Change WordPress Salts’ button.
The iThemes Security Pro offers additional features like two-factor authentication, scheduled malware scanning, and reCAPTCHA to detect malicious software and add an extra layer of security to your WordPress login pages.
Similarly, Salt Shaker offers impressive features and settings like manual and immediate WP security keys and salts changing to improve your WordPress security.
Moreover, after installing the Salt Shaker plugin, you can set the scheduled job for automated salt changing. All you need to do is check the box and choose the daily, weekly or monthly setting.
In both cases, the plugin is programmed to send automated reminders for updating the WordPress keys. As a result it also forces all logged-in users to go through the log in process again. All these features help protect a website from brute force attacks and other hacking attempts.
When it comes to securing your WordPress site, prevention is the way to go. The hard-hitting combination of WordPress security keys and salts makes it tough for hackers to crack website passwords. This is how WordPress offers improved security for user sessions and secures data.
To sum up, here are a few things to bear in mind when updating WordPress security keys and salts.
- After launching your WordPress site, change the security keys and salts.
- Always use the WordPress salt key generator to create security keys. Don’t do it yourself. Alternatively, you may or automate the process using a WordPress plugin.
- Updating the WordPress security keys and salts will invalidate all existing cookies, causing all users to be instantly logged out. So, when changing them, be mindful that some users might be online.
- If you see any signs of your site being attacked, update the WordPress security keys and encourage your users to change their password.
Do you have any questions about salts and security keys? Or tips you’d add? Let us know in the comments!