WordPress Hardening: Security Keys and Salts Setup

Introduction

frozen, landscape, cold, sunrise, file, wilderness, rock, december, mongolia, nature, mongolia eastern
Photo by Kanenori on Pixabay

If you’ve been looking into WordPress security, you’ve probably seen the advice about security keys and salts. This isn’t optional configuration. It’s a foundational hardening step that directly protects user sessions and authentication cookies. Without properly configured keys, your site is vulnerable to session hijacking and forged login attacks.

This article covers exactly what security keys and salts are, why they matter for WordPress hardening security keys, and how to set them up correctly. The audience here is site owners and developers who want a clear, practical understanding. No fluff. No unnecessary theory. Just what you need to know to get this done and understand why it works.

A common oversight in WordPress security is using default or weak keys. Many site owners install WordPress and never touch the wp-config.php file again. That is a mistake. This is a one-time task that takes five minutes and has a massive impact on your site’s security posture.

Developer editing wp-config.php file on a laptop with security keys highlighted

What Are WordPress Security Keys and Salts?

WordPress security keys and salts are random strings of characters used to encrypt authentication cookies and session data. They are stored in your wp-config.php file, and there are eight in total: four keys and four salts.

The keys are:

  • AUTH_KEY – Encrypts the authentication cookie
  • SECURE_AUTH_KEY – Encrypts the secure authentication cookie
  • LOGGED_IN_KEY – Encrypts the logged-in cookie
  • NONCE_KEY – Used for nonce security tokens

The salts are:

  • AUTH_SALT
  • SECURE_AUTH_SALT
  • LOGGED_IN_SALT
  • NONCE_SALT

Think of keys and salts as the secret ingredients that make your cookies unique. When a user logs into your site, WordPress uses these strings to hash and encrypt session data. If an attacker obtains a cookie, they cannot read it or reuse it elsewhere without the key.

WordPress has included these as standard since version 2.6. Before that, authentication was less sophisticated. The system has evolved, but the core principle remains the same: unique, random strings provide a strong cryptographic foundation for session security.

Why They Are Critical for WordPress Hardening

Without unique security keys, your site has a critical vulnerability. Here’s why.

If you install WordPress without generating new keys, your wp-config.php will contain empty or default values. That means an attacker who knows the default salt values for your version can forge cookies and hijack user sessions. This isn’t a theoretical risk. Automated bots regularly scan for sites with weak keys and attempt to exploit them.

Security keys are part of a defense-in-depth strategy. They don’t replace other measures like two-factor authentication or login limiting, but they are the baseline. If you lock your front door but leave a window open, the lock isn’t very useful. Keys and salts close that window.

Compared to measures like Web Application Firewalls (WAF) or IP blocking, keys are simple and inexpensive. They require no ongoing maintenance. Once set, they work silently in the background. If you’re serious about hardening your site, this is step one.

It’s also worth noting that keys don’t protect against all attack vectors. They won’t stop SQL injection or cross-site scripting. But they prevent one of the most common and damaging attack types: session hijacking. For the effort involved, the return on security is enormous.

How Security Keys and Salts Work (Under the Hood)

You don’t need a degree in cryptography to understand this, but a basic grasp helps you appreciate why it matters.

WordPress uses HMAC (Hash-based Message Authentication Code) hashing to sign cookies. The key is the secret component in this hash. The salt adds an extra layer of randomness, ensuring that even if two users have the same username, their session hashes will be different.

When a user logs in, WordPress generates a hash that combines the username, password, and the key/salt values. This hash is stored in a cookie on the user’s browser. On every subsequent request, WordPress verifies the cookie by recomputing the hash using the same key and salt. If the values match, the session is valid.

The practical implication is straightforward: changing your security keys invalidates all active sessions. Every user—including you—will be logged out and forced to log back in. This isn’t a bug. It’s a feature. It’s why you should rotate keys after a suspected breach or as a regular security reset. It cuts off any attacker who might have stolen a valid cookie.

security, protection, antivirus, software, cms, wordpress, content management system, editorial staff, contents, backup,
Photo by pixelcreatures on Pixabay

Keep in mind you shouldn’t change keys during peak traffic unless you’re prepared for a wave of re-login requests. But for most sites, the disruption is minimal.

WordPress login page with a lock icon next to the password field, representing session security

Step-by-Step: How to Set Up Security Keys in WordPress

Here are three reliable methods to generate new keys. Choose the one that fits your comfort level.

Method 1: Using the Official WordPress API

This is the easiest and most recommended method. Go to the following URL in your browser:

https://api.wordpress.org/secret-key/1.1/salt/

This page displays a complete block of code containing all eight keys and salts. Copy that entire block. Then open your wp-config.php file and replace the existing key lines with the new ones. Save the file. Done.

Method 2: Using a Plugin

If you’re not comfortable editing files directly, some security plugins can manage keys for you. For example, iThemes Security includes a feature to change salts automatically, as does Wordfence. These plugins are worth considering if you also want other hardening features like login limiting and file integrity monitoring. Just keep in mind that adding a plugin adds code to your site that you need to maintain.

Method 3: Manual Generation via Command Line

If you have command-line access to your server, you can generate keys using OpenSSL. Run this command:

openssl rand -hex 64

This outputs a 64-character random hexadecimal string. Run it eight times to generate each key. Then manually add them to your wp-config.php file in the correct format.

Important cautions:

  • Always make a backup of your wp-config.php file before editing. If something breaks, you can restore quickly. A backup plugin like UpdraftPlus can help automate this.
  • Ensure file permissions on wp-config.php are set to 640 or 600. This prevents other users on the server from reading your keys.
  • Use a code editor like VS Code or Notepad++ to edit the file. Don’t use Word or other rich text editors.

When to Regenerate or Update Your Security Keys

How often should you regenerate keys? The short answer is: not often, but at the right times.

Here are the situations where regeneration is recommended:

  • After a suspected breach: If you find evidence of unauthorized access, change keys immediately. This forces all sessions to expire and buys you time to investigate.
  • After moving your site to a new server: When you migrate to a different host, regenerate keys. It’s a good security hygiene practice.
  • As a proactive quarterly practice: Some security experts recommend rotating keys every three months. This is low cost (users re-login) and good practice for high-risk sites.

Frequent regeneration isn’t necessary for most sites. For a personal blog with low traffic, once a year is fine. For ecommerce or high-traffic membership sites, quarterly is better.

Some plugins offer automated rotation. For example, iThemes Security Pro can schedule key changes. If you prefer a hands-off approach, this is a reasonable solution. Just ensure the plugin is actively maintained and compatible with your WordPress version.

Common Mistakes When Setting Up Security Keys

Even experienced site owners make mistakes. Here are the most common ones and how to avoid them.

Using Weak or Predictable Strings

Don’t type your own random characters. Humans aren’t good at randomness. Use the WordPress API or a command-line tool. Predictable keys are almost as bad as no keys.

Copying from Outdated Forums

Some older tutorials share example key strings. Never use these. They’re already public, and anyone can find them. Always generate fresh, unique keys for your site.

Incorrect Line Wrapping in wp-config.php

Each key definition must be on its own line. If you accidentally merge two lines or introduce a line break in the middle of a string, PHP will throw a parse error and your site will break. Always format exactly as shown in the official API output.

Forgetting to Back Up the File

This one hurts. You change keys, something goes wrong, and your site breaks. Without a backup, you have to manually revert or regenerate keys and hope for the best. Always back up before editing. Use a backup plugin like VaultPress to automate this.

padlock, lock, chain, key, security, protection, safety, access, locked, link, crime, steel, privacy, secure, criminal,
Photo by stevepb on Pixabay

Comparing Manual vs. Plugin-Based Key Management

Both approaches work. The choice depends on your technical comfort and site complexity.

Manual:

  • Full control over the process
  • No third-party dependency
  • Requires some technical comfort
  • Ideal for small sites and developers

Plugin-based:

  • Easier for non-technical users
  • Offers automatic rotation
  • Adds a plugin dependency
  • Potential compatibility issues with other plugins

For most single-site installs, manual is the better option. It’s one file edit, and you only do it occasionally. There’s no reason to add a plugin just for this.

For multisite networks or agencies managing dozens of client sites, plugins make more sense. iThemes Security and Sucuri Security both include key management features. They’re part of larger security suites, which can be a good investment if you need other hardening features like file scanning and brute force protection.

The trade-off is clear: convenience versus simplicity. Choose what matches your workflow.

WordPress admin dashboard of a security plugin showing key management and salt change options

Security Keys as Part of a Broader Hardening Strategy

Security keys alone aren’t enough. They’re a critical baseline, but they must be combined with other measures for real protection.

Here’s a layered hardening checklist:

  • Use HTTPS everywhere – Encryption in transit prevents cookie theft on open networks.
  • Keep everything updated – Core, plugins, and themes. Outdated software is the most common entry point.
  • Disable file editing in wp-config.php – Add define('DISALLOW_FILE_EDIT', true); to prevent attackers from modifying code through the admin panel.
  • Limit login attempts – Use a plugin to lock out IP addresses after failed attempts.
  • Use a Web Application Firewall – Services like Cloudflare or Sucuri block malicious traffic before it reaches your server.

Think of security keys as the lock on your front door. You still need alarms, cameras, and good neighbors. But without the lock, nothing else matters much.

What to Do If You Lose or Forget Your Keys

This situation is more common than you might think. You change keys, the site breaks, and you realize you didn’t save a backup. Don’t panic.

First, try restoring the old wp-config.php from your hosting control panel backup. Most hosts keep daily backups. If that isn’t an option, you can regenerate new keys using the methods above. The entire site won’t break permanently. The immediate effect is that all users—including you—will be logged out. That’s expected. Once you log back in with your admin credentials, the site will function normally.

To avoid this scenario in the future, keep a local copy of your current keys in a secure password manager like 1Password. That way, you always have a fallback.

Tools and Resources for Managing Security Keys

Here’s a quick list of practical tools for key management:

  • WordPress secret key generator URLhttps://api.wordpress.org/secret-key/1.1/salt/
  • Command lineopenssl rand -hex 64
  • Plugins – Key and Salt Generator, iThemes Security, Sucuri
  • Password managers – LastPass, 1Password, Bitwarden

For code editing, avoid the built-in WordPress file editor. Use a proper tool like VS Code or Notepad++. Alternatively, you can use a plugin-based code editor for safety. The right tool makes the job faster and less error-prone.

Final Thoughts: Making Security Keys a Habit

Setting up security keys and salts is one of the easiest wins in WordPress security. It costs nothing, takes five minutes, and dramatically closes a common attack vector. If you haven’t updated your keys since initial installation, do it now.

The habit is simple: check your wp-config.php every quarter. If you’re managing multiple sites, consider a managed WordPress hosting provider like Kinsta or Flywheel that automates key management. If you prefer to keep it manual, set a calendar reminder.

This isn’t glamorous security work. It’s boring. That’s exactly why it gets skipped. But doing the boring things consistently is what keeps your site safe. Start with keys. Then layer on the rest. Your site will be better for it.