What Are WordPress Salts and Why It Is Important?

Sayan Dey

Sayan Dey / September 04, 2023

3 min readNaN views

WordPress salts are a set of random strings that are used to enhance the security of your WordPress site. They are stored in your wp-config.php file and are used to encrypt the passwords and cookies of your users. By using salts, you can prevent hackers from cracking your users' passwords or hijacking their sessions.

Salts work by adding an extra layer of complexity to the hashing algorithm that WordPress uses to store passwords and cookies. Hashing is a process that converts a plain text password into a fixed-length string of characters that is hard to reverse. For example, the password "password" might be hashed into "5f4dcc3b5aa765d61d8327deb882cf99".

However, hashing alone is not enough to protect your passwords and cookies from hackers. If a hacker gets access to your database, they can use a technique called brute force attack to try different combinations of words or characters until they find the matching hash. Alternatively, they can use a technique called rainbow table attack to compare the hashes with a pre-computed list of hashes and passwords.

This is where salts come in handy. Salts are random strings that are added to the passwords and cookies before hashing them. This makes the hashes more unique and unpredictable, and thus harder to crack or guess. For example, if you add the salt "sdfg34" to the password "password", the resulting hash would be "a8c2f0a1c0e9f6d9b8a7c9e0b1f8c7d6". Even if a hacker knows that you are using the same hashing algorithm, they would not be able to crack your password without knowing your salt.

WordPress uses two types of salts: keys and salts. Keys are used to encrypt the cookies that WordPress sets on your users' browsers. Salts are used to further modify the keys. WordPress generates eight pairs of keys and salts for different purposes, such as authentication, secure authentication, logged in, nonce, etc. You can see them in your wp-config.php file like this:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

How to Generate WordPress Salts?

You can generate these keys and salts using the WordPress secret key generator: https://api.wordpress.org/secret-key/1.1/salt/. You should replace the default values with the ones generated by this tool. This will make your site more.

Subscribe to the newsletter

Get emails from me about web development, tech, and early access to new articles.

NaN subscribers – View all GitHub issues