If you've ever viewed the core configuration file (
wp-config.php) for a WordPress site then you'll probably have noticed a section defining eight WordPress constants relating to security keys and salts:
wp-config.php is located in the root folder of your WordPress installation by default.
These constants contain security keys and salts which are used internally by WordPress to add an additional layer of authentication and to enhance security.
To make sure that authentication details are as secure as possible, unique keys and salts are used to increase the level of cookie encryption. These are recommended to be long strings (typically 64 characters long) of random alphanumeric and symbol characters.
LOGGED_IN_KEY security key constants were added in WordPress 2.6, which replaced a single all-in-one key first introduced in WordPress 2.5.
NONCE_KEY was added soon after, in WordPress 2.7. Corresponding salts
NONCE_SALT were added along with each security key, but it wasn't until WordPress 3.0 that they were added to
Before WordPress 3.0, you could optionally add your own salt constant definitions to
wp-config.php, otherwise they would be generated by WordPress and stored in the database.
While the four security key constants are required, if you remove the salt constants from the WordPress config file, leave them at their defaults, or any salt is found to be a duplicate of another, then WordPress retrieves the salt from the database instead.
For new WordPress sites, salts will be generated and stored in the database.
Initially Setting Your Security Keys and Salts
During installation, WordPress doesn't generate unique security keys/salts in
wp-config.php. Instead, the same default message is entered for each constant.
If you've just installed WordPress on a remote server then it's recommended that you change the default message for each security key/salt constant to a proper and unique value.
Sometimes, your host will do this for you if you install WordPress via a custom script. Even so, for peace of mind, you might want to update the security keys/salts anyway soon after installation is complete.
Why Update Keys and Salts?
Even after the security keys and salts have been initially set, it's a good idea to update them every so often. Anything you can do to make your site more secure is generally a good idea.
And even though it's highly unlikely that your passwords (together with security keys/salts) could be broken, updating them periodically makes sense as it safeguards against unforeseen circumstances such as your site backups being intercepted by unwanted third parties, etc.
How to Update Security Keys and Salts
So how do you actually update your security keys and salts? Let's look at a few different methods.
Manually Updating Keys and Salts
You could manually create new values for each constant, but this is rather tedious to do, especially if you have more than one WordPress site to update! Also, each key/salt might not be as secure as it could be.
Fortunately, the nice folks at WordPress have made this process very simple by providing an API to automatically generate the key/salt values for you. All you have to do is visit a secret key URL:
When the page loads, you'll be presented with unique strings for each constant, as shown below:
As you can see, each generated WordPress key/salt is a random sequence of 64 characters. Try refreshing the page a few times to satisfy yourself that the URL generates completely random keys/salts each time.
If you are developing your WordPress site locally then you can simply copy and paste the generated keys/salts directly into
wp-config.php to replace the existing entries.
Tip: I'd recommend always using the URL above, which utilizes the secure HTTP protocol.
This will effectively eliminate the chance of anyone intercepting the generated keys/salts when they are returned to you before being displayed in the browser.
If your site is hosted on a remote server then to update the keys/salts you'll need to either access and edit
wp-config.php via your server control panel, or via an FTP client that allows editing of remote files, such as FileZilla (free).
Using a Plugin to Update Keys and Salts
If the thought of manually editing remote server files sends your head into a spin then you might want to consider using a plugin instead. This is a very easy way to update your security keys/salts at the click of a button.
There are various plugins available to generate and update your security keys and salts. A relatively new plugin called Salt Shaker, released in October 2016, is a lightweight solution with the added bonus that you can schedule automatic updates of keys/salts to occur whenever you like. And best of all, it's free. Let's take a look at how to use it.
Download Salt Shaker from the WordPress repository or install it directly from your WordPress admin in the usual way. Go to Plugins > Add New and start typing Salt Shaker in the Search plugins... text box. When you see the plugin appear in the list, click Install Now.
After the plugin is installed, an Activate button will appear. Click this to finish setup.
Now that the plugin is active, we can test it. To access the plugin settings, go to Tools > Salt Shaker in the WordPress admin.
Here, we can update the security keys/salts immediately with a single mouse click. As soon as the Change Now button is clicked, a spinning icon appears to the right to indicate the plugin is updating
wp-config.php. As soon as the icon disappears, you know the security keys/salts have been updated.
Overall, the plugin works very well and can potentially save you a lot of time, especially if you have multiple WordPress websites. I'd perhaps like to see a couple more options for choosing the time period intervals, such as three months and six months, to increase the plugin's flexibility.
Also, a message clearly stating when the keys/salts have been updated would be useful—as would a further plugin option to automatically redirect to the login page after the keys/salts have been updated.
Alternatively, we can check the Change WP Keys and Salts box and choose when the
wp-config.php constants are updated. This is a really nice feature and basically allows you to forget about having to update security keys/salts. Just let the plugin do it all for you!
Therefore, before changing your security keys/salts, it's a good idea to have your login information to hand so you aren't accidentally locked out of your site.
Using an Automation Script to Update Keys and Salts
If you don't want to use a plugin and you have a lot of remote WordPress sites then you could consider using a script to directly update the security keys/salts.
The downside to this is that you need to be proficient in scripting. However, there are several ready-made solutions available, so you don't necessarily have to code your own.
One such script, called WP-Salts-Update-CLI by Ahmad Awais, updates security keys/salts on your local computer or remote server.
To install this script on your computer (macOS only), open a terminal window and enter the following:
sudo wget -qO wpsucli
&& sudo chmod +x ./wpsucli && sudo install ./wpsucli /usr/local/bin/wpsucli
This will make an executable script globally available via the
wpsucli command. You can run it on your local machine to actively search for all instances of WordPress config files and replace the security keys/salts with new values directly from the WordPress secret key API URL.
When running the script on a remote server, it's recommended to do so from the root folder, i.e.
cd /, and then run
wpsucli. For more details about the script, see the main information page.
In this tutorial, we've covered what WordPress security keys/salts are and why it's important to update them periodically. We've also looked at various ways you can update them, from manually copy/pasting (if you have direct access to
wp-config.php) to using a plugin to completely automate the process. If you're familiar with the command line then you can also use a custom script to update local/remote sites fairly easily.
The downside is that you still have to manually run scripts which can be easily forgotten, so rather than having to schedule this into your workflow, using a plugin to automate the process might be the best way to go.
Whatever method you choose, the important thing is to remember that you're adding another layer of security to your WordPress site(s), and anything you can do to achieve that with minimal effort can only be a good thing!
And if you're looking for other utilities to help you build out your growing set of tools for WordPress or for code to study and become more well-versed in WordPress, don't forget to see what we have available in Envato Market.
Subscribe below and we’ll send you a weekly email summary of all new Code tutorials. Never miss out on learning about the next big thing.Update me weekly
Envato Tuts+ tutorials are translated into other languages by our community members—you can be involved too!Translate this post