This entry is part 4 of 15 in the series Security September Series

Protecting sites against brute force attacks is the fundamental step of WordPress security. In the previous article, you learned about ways to prevent hackers from brute forcing the login page. WordPress security keys and salts offer yet another solution to improve and harden your site security.

WordPress keys and salts were first introduced in version 2.6. They play a significant role in securing site cookies and stopping hackers from accessing your site. Today, I am going to discuss security keys: what they are, how they work, and how you can use them.

What Are Security Keys?

Security keys and hashing salts are authentication variables that enhance the security of your login credentials. They add an extra security layer to the username and password information stored in the user’s cookies. Currently, there are four security keys: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY. Each key has a corresponding salt: AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT. You define them in the wp-config.php file.

Here is a screenshot of this file from one of my demo websites. You can find them listed right after the database credentials.

[Screenshot: security keys and salts defined in wp-config.php]

If the WordPress security keys are not configured, they appear like this by default.

[Screenshot: default, unconfigured security keys in wp-config.php]

WordPress.org runs a secret-key service. You can generate the secret keys through it and then copy and paste them into your wp-config.php file. The four salts are recommended but not required: if they are not added, WordPress generates them itself. I recommend generating the salts and, if you like, modifying each of them a little.

Reviewing WordPress Keys and Salts

To understand the concept of security keys, it is important to know what purpose they fulfil. Instead of PHP sessions, WordPress uses cookies to track the identity of logged-in users. Multiple cookies are created when you log into your dashboard. This means that most of the state information is stored on the client side. For better encryption, both the username and password are stored in two of these cookies:

  • wordpress_[hash]: It is used on the admin pages only.
  • wordpress_logged_in_[hash]: It is used throughout WordPress to know whether you are logged in or not.

The authentication details are hashed using a set of random values specified in the WordPress security keys. Think of them as additional encryption material that is long, random and complicated.

An easy-to-guess password like “12345” or “admin” can be cracked easily, but a long, random one like “rthvhh567896gb3bkkuug##ggb!!jjjl&77n” can take years to crack. In the same way, using WordPress security keys makes it nearly impossible for anyone to reverse the hash and access your information.

Hardening WordPress Security With Keys

By now, you know the complexity and randomness of security keys. To make your site harder to access, just ensure that these keys are long and difficult to crack. There is no need to learn them or create them manually. Simply use the online generator mentioned above.

Updating security keys and salts regularly is an intuitive way of hardening your WordPress site. Your current keys are already difficult to break, so changing them adds another layer of complexity. Imagine a hacker who, after a great struggle, guesses the keys, only to find that they have been changed again.


Updating the security keys automatically forces a logout of every user who is accessing your website. They will have to log in once again, proving their identity and refreshing their cookies. So, if you notice any symptoms of a brute force attack, you can change your authentication keys and salts to force every user to re-authenticate.
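To make the cookie argument above concrete, here is an added illustration (not WordPress core code, and not from the author) of how a WordPress-style login cookie is tied to the keys and salts. It is a simplified model: the constant names, the “password-hash fragment” and the HMAC construction follow the general shape WordPress uses but are assumptions for this example, and every value is constructed. The point it shows is that a cookie signed under one set of keys stops validating the moment the keys are rotated, and that any edit to the cookie’s fields is detected.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the LOGGED_IN_KEY / LOGGED_IN_SALT constants from
# wp-config.php, before and after a rotation. Real values should come from the
# WordPress.org secret-key service, never be hand-typed like these.
KEYS_BEFORE = {"LOGGED_IN_KEY": "old-key-" + "x" * 56, "LOGGED_IN_SALT": "old-salt-" + "y" * 55}
KEYS_AFTER = {"LOGGED_IN_KEY": "new-key-" + "p" * 56, "LOGGED_IN_SALT": "new-salt-" + "q" * 55}

# Constructed user table: username -> short fragment of the stored password
# hash (assumption: mirrors how WordPress mixes the password hash into the
# cookie secret so that a password change also invalidates cookies).
USERS = {"admin": "3f1a"}


def wp_salt(keys):
    """The signing secret for a scheme is its key and salt concatenated."""
    return keys["LOGGED_IN_KEY"] + keys["LOGGED_IN_SALT"]


def generate_auth_cookie(username, pass_frag, expiration, token, keys):
    """Build 'username|expiration|token|hmac'.

    The hmac is keyed with a value derived from the secret keys and the
    password-hash fragment, so it cannot be recomputed without wp-config.php.
    """
    secret = wp_salt(keys).encode()
    derived = hmac.new(secret, f"{username}|{pass_frag}|{expiration}|{token}".encode(), hashlib.md5).hexdigest()
    mac = hmac.new(derived.encode(), f"{username}|{expiration}|{token}".encode(), hashlib.sha256).hexdigest()
    return f"{username}|{expiration}|{token}|{mac}"


def validate_auth_cookie(cookie, lookup_pass_frag, keys, now):
    """Return the username if the cookie is unexpired and its hmac still matches
    under the *current* keys, otherwise None (the browser must log in again)."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    username, expiration, token, mac = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None
    pass_frag = lookup_pass_frag(username)
    if pass_frag is None:
        return None
    expected = generate_auth_cookie(username, pass_frag, expiration, token, keys).rsplit("|", 1)[1]
    # compare_digest avoids leaking the hmac byte-by-byte through timing
    if not hmac.compare_digest(expected, mac):
        return None
    return username


def demo(now=None):
    """Issue a cookie under the old keys, then check it under three conditions."""
    now = int(time.time()) if now is None else now
    expiration = now + 14 * 24 * 3600          # "remember me" style lifetime
    token = secrets.token_hex(16)              # per-session token
    cookie = generate_auth_cookie("admin", USERS["admin"], expiration, token, KEYS_BEFORE)

    # A stolen cookie with its expiration field edited: the hmac no longer matches.
    parts = cookie.split("|")
    parts[1] = str(int(parts[1]) + 10**6)
    tampered = "|".join(parts)

    return {
        "valid_under_old_keys": validate_auth_cookie(cookie, USERS.get, KEYS_BEFORE, now),
        "tampered_expiration": validate_auth_cookie(tampered, USERS.get, KEYS_BEFORE, now),
        "after_key_rotation": validate_auth_cookie(cookie, USERS.get, KEYS_AFTER, now),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the cookie accepted under the old keys and rejected both when tampered with and after the keys are rotated, which is exactly the forced re-login the article describes.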

Changing Your WordPress Keys and Salts

In self-hosted WordPress blogs, no pre-defined security keys exist. Instead, you have to generate and add them yourself. Follow these few steps to complete the process; it is very straightforward.

  • Create your own unique secret keys via the online key generator.
  • Go to the root folder of your site and open the wp-config.php file.
  • Look for the section of WordPress keys and salts. Usually, it is below the database credentials.
  • Copy the entire code block produced by the online generator.
  • Paste the new keys over the existing set of lines.
  • Save the wp-config.php file.
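The six steps above, carried out as a script. This is an added example, not part of the original article and not a WordPress or iThemes tool: it generates the eight values locally with Python’s `secrets` module instead of fetching them from the online generator (the 64-character length and the character set, which leaves out quotes and backslashes so the values are safe inside a single-quoted PHP string, are assumptions), rewrites only the eight `define()` lines in wp-config.php, leaves every other constant such as the database credentials alone, and keeps a backup. The sample wp-config.php is constructed and shows the default, unconfigured placeholders.

```python
import re
import secrets
import string
import sys
from pathlib import Path

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Assumption: 64 printable ASCII characters per value, excluding quotes and
# backslash so the value drops safely into a single-quoted PHP string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")

# Constructed sample wp-config.php with the default, unconfigured placeholders.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_PASSWORD', 'do-not-touch' );
/**#@+ Authentication Unique Keys and Salts. */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

# Matches define('NAME', 'value'); with either quote style and any spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)


def generate_keys(length=64):
    """Fresh random value for each of the eight constants (local stand-in for
    the WordPress.org secret-key service)."""
    return {name: "".join(secrets.choice(ALPHABET) for _ in range(length)) for name in KEY_NAMES}


def rotate_salts(config_text, new_keys):
    """Rewrite the eight define() lines in place; every other define (DB
    credentials etc.) is left untouched. Returns (new_text, names_not_found)."""
    replaced = set()

    def repl(match):
        name = match.group("name")
        if name not in new_keys:
            return match.group(0)
        replaced.add(name)
        return f"define('{name}', '{new_keys[name]}');"

    new_text = DEFINE_RE.sub(repl, config_text)
    return new_text, set(new_keys) - replaced


def rotate_config_file(path):
    """Back up wp-config.php, then write it back with new keys and salts."""
    path = Path(path)
    original = path.read_text()
    new_text, missing = rotate_salts(original, generate_keys())
    if missing:
        raise SystemExit(f"constants not found in {path}: {sorted(missing)}")
    path.with_suffix(path.suffix + ".bak").write_text(original)
    path.write_text(new_text)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        rotate_config_file(sys.argv[1])   # e.g. python rotate_salts.py /var/www/html/wp-config.php
    else:
        text, _ = rotate_salts(SAMPLE_CONFIG, generate_keys())
        print(text)
```

Run it with the path to a real wp-config.php to rotate the keys; run it with no arguments to see the rewritten sample. Because the script refuses to write when any of the eight constants is missing, a file whose keys were never added (the case the article describes for self-hosted blogs) is reported rather than silently half-updated. WP-CLI users can get the same effect with its `wp config shuffle-salts` command.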

The same process takes a few clicks with third-party plugins, and iThemes Security tops the list. Last year, they introduced the functionality to update WordPress security keys and salts. Everyone who uses the most recent version of the plugin has access to this feature.

You must use iThemes Security for this very purpose because it updates your keys effortlessly.

Every 30 days, the plugin sends an automated reminder about updating your keys and salts. When doing it manually, you have to keep track of the schedule yourself. You can also change the keys directly from the dashboard, so you can skip the manual steps entirely.

Updating your keys and salts with iThemes Security will also force all logged-in users to log in again. I feel great peace with this plugin, as its dashboard reminder never lets me forget the update process.

Final Words

WordPress security keys act as a strong shield against brute force and other guesswork attacks. Adding the keys removes your doubts about cookies being stolen. You should update them regularly to invalidate the cookies of any attacker who tries to hack your site.

Finally, let’s recap the entire article with these quick pointers.

  • There is no need to remember the key values. Just configure them once and relax.
  • All users will need to log in again if you change the WordPress security keys.
  • Never publish the key values online or share them with anyone.
  • WordPress security keys can be changed at any time.
  • The wp-config.php file is not modified when you update to the latest WordPress version. Currently, you can define seven unique keys and salts for authentication.

What are your views about security keys? Have you ever changed their values? Share your feedback with us!

Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.


Author:

I am a senior Full Stack WordPress Developer, WP Core Contributor, Front-end Fanatic and an accidental writer. I love to write, talk, build, and share everything about WordPress. You can reach out to me at Twitter @MrAhmadAwais.




7 Comments

  1. Should we change the keys and salts regularly? I never changed them before. :-D

  2. FYI: The link to the online key generator only gives 4 keys. In wp-config.php it points to a slightly different URL that gives the full 8 keys: https://api.wordpress.org/secret-key/1.1/salt/

  3. Thanks Ahmad for this great article and actually the series! There’s a plugin (a new one) that changes the keys and salts manually and automatically: https://wordpress.org/plugins/salt-shaker/
    It’ll be great if you can give it a shot.

    Regards,
    Another Ahmed :)
