WordPress Salts and Security Keys explained

WordPress salts and security keys explained

wordpress salts explained

Photo by Jeff Nesanelis on Flickr

I couldn’t find an article that clearly explains what WordPress salts are, how they work and how to change them. So I wrote this one.

I cringe every time I see this sentence:

A WordPress salt is a random string of data that hashes the WordPress security keys in the wp-config.php file.

What is that? What does it mean? What’s it trying to tell me?

I don’t know who started it and I don’t know why they think it’s helpful.  But it appears in many articles attempting to explain WordPress salts and security keys and how they’re used.

It actually explains nothing to anyone who has never studied cryptography, i.e. 99.999% of people?

I have never found a good article that explains what WordPress salts are and how they increase security. Never.

The reason is simple: hardly anyone knows anything about cryptography and how it works.  So most people don’t understand what WordPress security keys are and how they work. And that includes most of those writing those articles.

I enjoyed revisiting parts of my cryptography studies while researching this. Luckily, you don’t need to: everything you need to know about WordPress security keys and salts is right here.

TL;DR. If you don’t want to learn a bit of high-level computer cryptography, then jump to the section How to change them yourself.

A little history lesson

Computer systems used to store passwords in plain text. That’s fine in a world of two computers and no hackers.

But the world changes and security needs to change with it. Security elements were added over the years to protect passwords from being read from the system.

Salts, hashes and security keys are some of these security elements.

Some Definitions

Let’s get these out of the way in plain English.

Cookie

A cookie is a small file that gets stored on your computer (or mobile device) when you go to a website. It contains little bits of information like whether you have logged in to the site and, somehow, your password.

Salt

In cryptography terms, a salt is random data added to a password. In WP it’s just a long string of gobbledygook.

WordPress uses salts to help protect passwords in storage as we’ll see below.

Hash

Making a hash of something is usually not a good thing. Except in computer science.

The term “hash” is analagous to its non-technical meaning (to “chop” or “make a mess” out of something). (According to Donald Knuth).

Hash functions scramble their input data to get their output. The hashing function is a programmed routine that does the messing up. There are many hashing algorithms out there. WP used to use one called MD5 but now uses phphash.

The security problem

Your WordPress password needs to be stored somewhere. The main place is in your database, of course.

It’s also stored in cookies, which are plain text files on your computer.

So, how do you protect a password even when it’s in plain view in a text file?

WordPress salts solve that problem.

How these help to make WordPress secure

Most articles about WordPress salts mention passwords. But very few mention how important theses salts are to cookies.

WordPress keeps track of visitors using cookies. They are also used to verify the identity of logged-in users. (Most applications use PHP sessions to track users.)

If someone gets into your database or finds your cookies (e.g. on a public computer) then they could read your password.

But there’s no need for the password to be stored anywhere in a readable form. Here’s why:

How WordPress uses Salts for security

In very simple terms:

WordPress combines the salt with the password. The hash function mixes these up and gives a result.

Here’s an example from Wikipedia:

user1 and user2 have the same password, password123 (I know, terrible!)

how wordpress salts work

Note that with the same password but with a different salt, the output is completely different. So changing your salt value actually has the same net effect as changing your password!

The resulting messed up output is what gets stored in a database or cookie. The password is not stored directly.

Later when a user logs in, the password they enter is again mixed with the salt and a hashed version is produced. If that hashed version matches the hashed version in the database, then the user gets in.

So, here’s the nutshell version:

The details you use to log in are hashed (made cryptic) using the random variables (salts) specified in the WordPress security keys.

That’s a simple, clear explanation, I think.

This adds a layer of security as it’s almost impossible for anyone to guess your password. Even if they come across your cookies.

How to change them yourself

NOTE:Changing your WordPress salts and security keys will invalidate all existing cookies, i.e. all users will be instantly logged out.

When you change them, the hashed values in your database will also change. So, all cookies will have mismatched hashed values and so no users can be authenticated.  Therefore WordPress logs them out just as if their password changed.

So, just be mindful that some users might be online.

Manually changing WordPress salts and security keys

  1. Go to https://api.wordpress.org/secret-key/1.1/salt/ and you will see a list of replacement keys and salts, something like this:define(‘AUTH_KEY’, ‘uaZ`N?bSEU_c/P9O<B%.1W#UnD8hN9=LasU?L*3g$-CFx[Uy@:2#d;Hj[$_s/a0x’); define(‘SECURE_AUTH_KEY’, ‘l#@:shVMj6Kp-v59&]<YRK(U/NQd`$~r_BG=#p|h2t_y#aZ]e0PPCZh|W 4T$2VL’); define(‘LOGGED_IN_KEY’, ‘!T!:HA!GjIrcp$ovug{R*I3CC-|+N+3M=-^|*&DK#2>=bWFw~AuFX.-+=^TBW_:>’); define(‘NONCE_KEY’, ‘3maB-^OA+QV6|5-tE@qJQ=g@cV2SJkxg]hIEryDFm[_UuuG#nK8|W(f-det,f%7G’); define(‘AUTH_SALT’, ‘zbk7U/IirB5p]*cfZD,pu<m_/N,RQ(m2l!T*`iT>!>0$gBC4b{i 0YcVsa,H(WM[‘); define(‘SECURE_AUTH_SALT’, ‘lkdo||aa(~/P;WfO:*$/A/h[~-f3>r=:(QH32T6+-:Ew-Xo]|:SI6j{d3ws<iuCI’); define(‘LOGGED_IN_SALT’, ‘0R!!GP~7$=nYjxD3C*B|;Cp13+OC($9Y0$H6d6+~01e@#kFxUS>+]o|P-4XbD)+-‘); define(‘NONCE_SALT’, ‘|OQIP?u3fFy0NQ9_}6We4ey`p`l]}:f65I0VZ)i*&j*X|1-TjIhFu*n?sEWI}gD2’);What these do isn’t really important here but each key above has a different purposes e.g. the AUTH_KEY is used to determine if a user has access to the WordPress admin area, the LOGGED_IN_KEY is used to determine if a user is logged in etc.
  2. Copy these.
  3. Connect to your website using FTP. See this post to learn how
  4. Go to the root of your website and edit the file wpconfig.php
  5. Find the line * Authentication Unique Keys and Salts
  6. Select all these keys and replace them with the new ones you copied in step 2 above
  7. Save the file and upload it back to your website server

​​Done.

Plugins

To be honest I don’t see the point of cluttering my WordPress installation with yet another plugin that I’ll only use a few times a year. As I say, the more code in my site, the more ways someone can squeeze in.

But I understand not everyone feels comfortable editing an important file like wpconfig.php

Salt Shaker

I’ve never tried the Salt Shaker plugin but there are many tutorials online on how to use it. It seems to do its job well.

A benefit is that you can schedule the changes regularly so you can truly set it and forget it.

Ithemes Security 

As well as all the other great security features in the iThemes security plugin, you can use it to change your keys and salts. There’s no built-in scheduling here, though.

Conclusion

I hope that clears up at least some of the confusion and half-truths about WordPress security keys and salts. It’s not all that complicated.

It true that, from an end-user’s point of view, they aren’t the most critical part of a good security routine. WordPress does all the important work of using them so it’s all pretty transparent to us. But it’s good practice to change them once or twice a year as an extra level of security.

Did you know that at WPStrands we change these keys for all new sites added to our dashboard on all our plans? Take a look at them here.

Sources

https://api.wordpress.org/secret-key/1.1/salt/https://www.elegantthemes.com/blog/tips-tricks/what-are-wordpress-salt-keys-and-how-can-you-change-themhttps://en.wikipedia.org/wiki/Salt_(cryptography)https://en.wikipedia.org/wiki/Hash_functionhttps://codex.wordpress.org/Editing_wp-config.php#Security_Keyshttps://themegrill.com/blog/wordpress-salts-and-security-keys/https://en.wikipedia.org/wiki/HTTP_cookiehttps://en.wikipedia.org/wiki/MD5https://www.openwall.com/phpass/https://www.w3schools.com/php/php_sessions.asp