Nexcess Logo

WordPress security features — changing security keys and salts

Knowledge Base Home

Notice anything different?

We've enhanced the appearance of our portal and we're working on updating screenshots. Things might look different, but the functionality remains the same.
July 11, 2023

Powering almost half of the Internet, WordPress remains a website-building platform of choice for many website owners due to high performance and top-notch security.

With powerful built-in security features, WordPress ensures a high level of protection for critical areas of your website, including the admin dashboard.

Essential WordPress security features — about managing and updating security keys and salts

One of the essential WordPress security features is the implementation of authentication keys and salts. Leveraging robust hashing algorithms, WordPress uses a set of secure keys to convert your admin password into a randomized string of characters before initializing a new session. This feature effectively safeguards the password from unauthorized access by adding more security aspects to your WordPress Admin Panel.

In this Nexcess guide to key WordPress security features, we explain how WordPress handles user sessions and how authentication keys and salts help negate hackers’ attempts to steal your admin credentials. In addition, you will learn how to update these WordPress security settings in case of a website compromise.

How WordPress relies on authentication and login cookies

WordPress takes advantage of cookie-based authentication, meaning that the state of every login session is maintained through the use of cookies. Browser cookies are made up of data points your web browser stores for authentication and verification purposes. Upon login to the admin dashboard, if the user provides the correct authentication details, WordPress creates two login cookies — a login cookie and an authentication cookie.

To generate cookies, WordPress creates a new user session that stores important login information, such as the Internet Protocol address (IP address) the website visitor logged in from, login time, and session expiration time. These details are stored in the wp_usermeta table of the WordPress database throughout the duration of each user session.

While session information is saved on the server, the generated authentication cookie is stored in the user's browser. The user login details saved in each WordPress authentication cookie include its identification number and expiration time, as well as the username of the logged-in WordPress user and a resulting hash created from the user's password.

WordPress never stores user credentials in plain text. Both in wp_users table and in authentication cookies, WordPress user passwords are saved in the form of a hash. Implementing hashing, WordPress maintains a high level of security for user credentials throughout the entire session lifecycle, and WordPress salts and secure keys play a central role in it.

Understanding the vital WordPress security features facilitated by security keys and salts

The vital role authentication keys and salts play in ensuring the security of user credentials makes them key WordPress security features. Increasing the complexity of the resulting hash that makes up the authentication cookie, WordPress salts ensure that hackers can not extract the user's password from it, even in case of session hijacking.

Moreover, the effectiveness of the hashing mechanism employed by WordPress remains unaffected by the use of weak passwords. Nonetheless, enforcing strong passwords in WordPress is extremely important as hackers can use brute force attacks to obtain user credentials without stealing session cookies.

During the installation of WordPress, the platform generates a set of salts and secure keys, which are then stored in the wp-config.php file. The four salt values, along with the corresponding secure keys, serve various purposes in the authentication process for WordPress users and are essential for enhancing the security of your WordPress Admin Dashboard.

Each pair of WordPress secure keys is composed of long, randomized strings of characters. The two values are concatenated together, forming the final salt value, or key, used by WordPress to generate the resulting hash that will form an authentication cookie. The complexity of the resulting key is what makes the generated cookie value acceptable for storing in the user's browser, eliminating all security concerns.

How not updating WordPress security keys and salts puts your website in jeopardy

Failure to update WordPress security keys and salts leaves your website vulnerable to compromise. WordPress security keys and salts form a key security mechanism that ensures the confidentiality of user credentials and makes the authentication cookie resistant to forgery attempts. This vulnerability would exist t because the hash generated from the user’s password is the only unpredictable part of the cookie.

As attackers may attempt to gain unauthorized access to your WordPress backend by crafting a valid authentication cookie, the likelihood of a successful compromise increases considerably if the values of the WordPress salts and secure keys are known.

Therefore, it is critical to update WordPress security keys and salts in the event of a website compromise. Failure to do so makes these essential WordPress security features ineffective. It leaves the admin dashboard vulnerable to unauthorized access, even if you have thoroughly cleaned your WordPress website of all malware and changed all passwords.

Nexcess WordPress security features — how to change security keys and salts in 2 ways

The process of updating WordPress salts and security keys is easy and straightforward. As the secure keys are stored in your website's main configuration file, you can manually update the values in wp-config.php or use a plugin to do that for you. The step-by-step guides below will help you regenerate security keys and salts for your WordPress site with Nexcess.

Method #1: Changing WordPress salts and secure keys manually

WordPress offers its official Salt Generator that provides you with a list of randomized strings to use as the values of secure keys for your WordPress website. You can copy the output and insert it right into the wp-config.php file.

Nexcess provides three main ways of editing your website — using FTPS (also known as secure FTPs), SFTP, or SSH access. Via FTPS or SFTP, you can download your wp-config.php and edit it locally on your computer before uploading it back to the server. Choosing SSH for file editing, make sure you are familiar with command line text editors such as Vim.

Open the Nexcess Client Portal and navigate to your WordPress cloud hosting plan. Choose your WordPress website from the list and click on its domain name to navigate to the website's Credentials page.

Locate your FTPS credentials or save your credentials for SFTP/SSH. Connect to your website via the chosen protocol. You can use FileZilla FTPS client or connect to your website files using FileZilla SFTP or any other FTP client of your choice:

Locate your FTPS credentials or save your credentials for SFTP/SSH. Connect to your website via the chosen protocol. You can use FileZilla FTPS client or connect to your website files using FileZilla SFTP or any other FTP client of your choice.

Open your WordPress website's wp-config.php file and navigate to the Authentication Unique Keys and Salts section. Enter the secure keys and salts obtained from WordPress Salt Generator and save the file. Make sure to save a backup of the file before editing and check your website after the changes have been saved to ensure it works correctly. Syntax errors in WordPress configuration are some of the most common reasons for seeing issues related to your WordPress website.

 * Authentication unique keys and salts.
 * Change these to different unique phrases! You can generate these using
 * the {@link secret-key service}.
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 * @since 2.6.0
define( 'AUTH_KEY',          'e]N./+l2(1d%XfqnLCm25}MjuvE|cH.Jq;lTC-zd6.*0o+x2`$z{9ozU2~&@wP;q' );
define( 'SECURE_AUTH_KEY',   'Z $>C(G=Vo|h4wX# FQSd$ciR/c5pr|;/4@hWZktQ7VR#,@aLXj_8+47[T@^..p ' );
define( 'LOGGED_IN_KEY',     '5w%7KXB p(J2/D&X.Z29h1%}wK4Nzdc:rHAgp ][/uc/#kuk~7*Jkp1BXHwCd*`t' );
define( 'NONCE_KEY',         '88?,owvAS+R|am82Ti-:{8/n]84F6ljeK1Wi#zUH/_XTaafT3$NKhkCrb<Y-Xlt}' );
define( 'AUTH_SALT',         'w|E21dqGgW~-^iMh?zXK9HVR|juuNSBaW&Kz`7DG~O4? q+itKeF^zZK9Lvg*t,%' );
define( 'SECURE_AUTH_SALT',  'VRb8) X1+f.ppg.uiV#1BVG4IsP(=~E#tnL,,p5ZhRe>~sX*-y?FXJveqpJ ,kVo' );
define( 'LOGGED_IN_SALT',    '6$1N$[dr#IUH!u7Q#aO+*2#++k|PcDdKqXZKBQXYBRZ_YZjNDNeXlMqK=:(E)IC<' );
define( 'NONCE_SALT',        '6!KHn8l</(5hcAZ{!=j] F6koqw,^LMc#=XNZEUzf8^a[rjrOi&E64~:3>-cHxn[' );
define( 'WP_CACHE_KEY_SALT', '2EAT!cX/i^+P)Bl1?h ``#,.-*A0w)hSGkACKqon*m+kG;fC(UDf(+a&D0.Vitx{' );

Method #2: Using Solid Security Pro to update WordPress security keys

Nexcess WordPress hosting plans include Solid Security Pro — the industry-leading security solution for WordPress — free of charge as long as you remain a Nexcess customer. Solid Security Pro offers a set of advanced WordPress security features that allow you to safeguard the admin dashboard and other critical areas of your WordPress website.

You can install Solid Security Pro from the Nexcess Installer plugin available from the WordPress Admin Panel. The Nexcess Installer plugin enables you to leverage several premium WordPress plugins to boost the security and performance of your WordPress website and simplify its administration.

Solid Security Pro allows you to regenerate WordPress security keys and salts in a few clicks. In addition to this functionality, robust protection against brute force attacks and session hijacking will further eliminate any possibility of unauthorized access to your WordPress Dashboard.

Navigate to the Solid Security Pro Dashboard and choose Settings from the plugin's menu. Open the Tools interface and locate the Change WordPress Salts option. Click on it and use the Run button for the security plugin to regenerate your WordPress salts and security keys for you. Please note that it will effectively end all user sessions and log you out of the WordPress Dashboard.

Navigate to the Solid Security Pro Dashboard and choose Settings from the plugin's menu. Open the Tools interface and locate the Change WordPress Salts option. Click on it and use the Run button for the security plugin to regenerate your WordPress salts and security keys for you. Please note that it will effectively end all user sessions and log you out of the WordPress Dashboard.

Keeping your WordPress site secure with Nexcess

Relying on cookie-based authentication, WordPress employs strong hashing mechanisms to protect the admin credentials stored in browser cookies during each login session. As one of the key WordPress security features, secure keys and salts play a critical role in the security of your WordPress website.

Get up to $200 towards insanely fast hosting when you switch providers

You’re ready for an upgrade. Nexcess helps you find the best monthly plan and credits you up to $200. That’s months of superior hosting — free!

If your website got compromised and hackers were able to save your WordPress salts, they may still be able to gain access to the WordPress Dashboard, even if all malware has been removed and all passwords have been updated. Therefore, changing the WordPress salts is crucial to ensure complete protection against any residual security threats.

For over two decades, Nexcess has been committed to building and maintaining a secure and reliable hosting environment for your online presence powered by WordPress. With the best solutions for WordPress pre-configured for you, you can leverage robust security, impeccable performance, and enterprise-level scalability and uptime. Tailored to the needs of your business, Nexcess-managed WordPress and WooCommerce hosting plans will help it grow and prosper. And with a focus of site safety, you can rest assured that the WordPress security features we have been built in our solutions will shield your site from major and minor internet threats alike.

Kiki Sheldon
Kiki Sheldon

Kiki works as a Security Specialist for Liquid Web. Before joining the Abuse & Security Operations Department, she worked on the Liquid Web Managed Hosting Support Team, where she gained extensive knowledge of Linux System Administration and popular Content Management Systems (CMSs).

Kiki’s passion for writing allows her to share her professional expertise and help others. She keeps up with technology and always looks to improve her technical skills. In her free time, she enjoys reading, especially classic books and detective stories.

We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.