Your WordPress site has a set of secret master keys that protect your login sessions.
They are called SALT keys.
They need to be rotated periodically, and right away if you suspect the site or its configuration file has been exposed, because a fresh set invalidates every existing login cookie on the site.
Discover what your SALT keys do, where they are located, and how to rotate them.
Why SALT Keys?
When you input your username and password into the login screen of your WordPress site, they are checked against the password hash stored in your database.
Once that check passes, WordPress has to remember that you are logged in, and it does that with a cookie. Your unique set of SALT keys is the secret used to sign that cookie (and the nonces that protect admin forms) so that nobody can forge one.
A full set of SALT keys is eight define lines in wp-config.php, one for each of these constants:
- AUTH_KEY
- SECURE_AUTH_KEY
- LOGGED_IN_KEY
- NONCE_KEY
- AUTH_SALT
- SECURE_AUTH_SALT
- LOGGED_IN_SALT
- NONCE_SALT
There should be 8 of them.
Encryption, Hashing, and SALTs
Three different ideas get mixed up under the name SALT keys:
- Hashing – a one-way function that turns a password into a fixed-length fingerprint that can't be run backwards
- SALT – a random extra string mixed into the password before it is hashed, so two users with the same password get different hashes and precomputed lookup tables are useless
- Secret keys – the long random strings in wp-config.php, used as the key when WordPress signs login cookies and nonces
Encryption (scrambling that can be reversed with a key) is not involved in any of this. Passwords are hashed, never encrypted, so there is nothing to decrypt.
Hashed Passwords
Every User on your site has a password that gets hashed before it is stored.
Very old WordPress versions (before 2.5) stored a plain MD5 hash. Since 2.5 WordPress has used a salted, iterated hash (the phpass format, recognizable by its $P$ prefix), and WordPress 6.8 moved to bcrypt.
MD5 produces a 128-bit digest, written as 32 hexadecimal characters.
These hashed passwords are held in the user_pass column of the wp_users table of your database.
A plain MD5 hash looks like this:
482c811da5d5b4bc6d497ffa98491e38
Its length is fixed. Every MD5 hash is exactly this long, so length tells you nothing about how strong it is.
What matters is that the hash can't be run backwards. But it can be guessed forwards.
If a hacker ever gets hold of an unsalted MD5 hash, there are plenty of free online lookup sites that already hold the MD5 of every common password and simply match it.
(Look up the one above and you'll see password123)
Salting the Hash
That's where salting comes in.
A salt is a random string mixed into each password before it is hashed, so the same password produces a different hash for every user and a precomputed MD5 table is worthless against it. WordPress stores that per-password salt inside the hash itself.
The SALT keys in wp-config.php are a different thing: they are not applied to passwords at all. They are the secrets WordPress uses to sign login cookies and nonces, which is why they must stay secret and why changing them logs everyone out.
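To make the difference concrete, here is an added example (not code from the original post and not WordPress's own code) that reproduces the MD5 lookup above and then shows why a salted, iterated hash defeats it. The wordlist is constructed, the function names are mine, and the salted scheme is a simplified stand-in for phpass, not its exact format.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for the free online "MD5 decoder" sites,
# which are nothing more than precomputed tables of hashes of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "password123", "letmein"]


def md5_hex(text: str) -> str:
    """Plain, unsalted MD5: what WordPress stored before version 2.5."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """hash -> password, computed once and reused against every stolen hash."""
    return {md5_hex(w): w for w in words}


def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """'Decoding' an unsalted hash is a dictionary lookup, nothing more."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None, rounds: int = 8192) -> str:
    """Random per-password salt plus iterated MD5, stored as salt$digest.

    Simplified model (my own, not WordPress code) of the phpass scheme
    WordPress adopted in 2.5; the real format uses a $P$ prefix and its own
    encoding. The salt is not secret: its job is to make every hash unique
    so no precomputed table applies, and the rounds make each guess cost
    thousands of MD5 calls instead of one.
    """
    if salt is None:
        salt = secrets.token_bytes(8)
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest + pw).digest()
    return salt.hex() + "$" + digest.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = md5_hex("password123")
    print(unsalted, "->", lookup(unsalted, table))   # the hash from the post, recovered by lookup
    alice = salted_hash("password123")
    bob = salted_hash("password123")                 # same password, different hash
    print(alice != bob, lookup(alice, table), verify_salted("password123", alice))
```

The lookup table finds the unsalted hash instantly; the two salted hashes of the very same password differ from each other and from anything in the table, so an attacker has to redo the iterated hashing for every guess against every user.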
Where are the Master Keys?
Your site’s master SALT keys are located in the wp-config.php file, which is created when you first install WordPress.
The wp-config.php file also contains the name, user, and password of your database.
It is critically important to protect your wp-config file from hackers!
If a hacker ever gets a copy of that file, they have your database credentials and your signing keys, which is everything they need to get into your site whenever they want and do anything they like with it.
TIP: If you ever move to another host, be sure to delete the database and all site files at the old host before you cancel the account.
It may take hosts a month or more to wipe that disk space, and until then your wp-config.php is sitting there unattended.
Why Rotate Your SALT Keys?
Every login cookie and every nonce on your site is signed with these keys, and WordPress never changes them on its own.
The wp-config.php file is not touched by core updates. So the keys are the same as the day the site was installed.
That means anyone who has ever seen the file (an old backup, a copy left behind at a former host, a developer who has since moved on) still holds a secret that is valid today.
Very old installs are worse off: the original generator produced only 4 constants, with no separate SALT values, and some installs still carry the sample placeholder text instead of real keys.
Rotating the keys fixes all of that in one move: every existing login cookie becomes invalid, every user (including an attacker sitting in a stolen session) is logged out, and old copies of your secrets are worthless.
Fortunately, that's pretty easy to do.
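The reason rotation logs everyone out can be seen in a few lines. This is an added example, not code from the original post or from WordPress: a simplified model of the WordPress login cookie (user|expiration|token|mac), where the MAC is keyed with the AUTH_KEY and AUTH_SALT secrets. The key strings are constructed; the real scheme also mixes a fragment of the user's password hash into the key and checks the session token against the database, which this model leaves out.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed values standing in for the AUTH_KEY / AUTH_SALT pair in wp-config.php.
OLD_KEYS = ("AUTH_KEY_from_the_original_install", "AUTH_SALT_from_the_original_install")
NEW_KEYS = ("freshly_generated_AUTH_KEY", "freshly_generated_AUTH_SALT")


def signing_key(keys: Tuple[str, str]) -> bytes:
    """WordPress joins the KEY and SALT constants into one secret (wp_salt())."""
    return (keys[0] + keys[1]).encode("utf-8")


def sign_cookie(username: str, expiration: int, session_token: str, keys: Tuple[str, str]) -> str:
    """Build user|expiration|token|mac; only a holder of the keys can produce the mac."""
    payload = f"{username}|{expiration}|{session_token}"
    mac = hmac.new(signing_key(keys), payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie: str, keys: Tuple[str, str], now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is unexpired and its MAC checks out, else None."""
    try:
        username, expiration_str, session_token, _mac = cookie.split("|")
        expiration = int(expiration_str)
    except ValueError:
        return None                      # malformed or tampered structure
    current = now if now is not None else int(time.time())
    if current > expiration:
        return None                      # expired
    expected = sign_cookie(username, expiration, session_token, keys)
    if not hmac.compare_digest(expected.encode("utf-8"), cookie.encode("utf-8")):
        return None                      # wrong key, or any field altered
    return username


if __name__ == "__main__":
    cookie = sign_cookie("admin", int(time.time()) + 14 * 86400, "tok123", OLD_KEYS)
    print("before rotation:", verify_cookie(cookie, OLD_KEYS))
    print("after rotation: ", verify_cookie(cookie, NEW_KEYS))
```

The same cookie that verifies under the old keys is rejected the moment the keys change, without touching the database or any user account. That is the whole point of rotation: a stolen or leaked session dies with the old keys.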
Where to Find Your SALT Keys
You can access your wp-config.php via File Manager in cPanel or via an FTP editor.
Warning: Goofing up your wp-config file can lock you out or do other harm to your site!
Refer to a qualified webmaster if you’re not familiar with this file.
In your wp-config file, just above your keys, you’ll find a link to a SALT key generator.
https://api.wordpress.org/secret-key/1.1/salt/
Ensure the link ends in salt/ exactly as shown above.
If your file has a different link (or none at all), that's a big clue to just how old your keys are.
And there are probably only 4 key codes. There should be 8 of them.
If your keys are shorter than 64 characters each (the length the current generator produces), or still read 'put your unique phrase here', that's another clue as to how old your keys are, even if your link is the current one.
How to Update/Rotate Your SALT Keys
- Make a copy of your original wp-config.php file
- Log out of your site (you will be logged out anyway: changing the keys invalidates every login cookie on the site, for every user)
- Open the SALT link in a new tab. Every load produces a fresh random set; never reuse a set from another site
- Copy the new key set (all 8 define lines)
- Paste into your wp-config file, replacing the original 8 lines so that no constant is defined twice
- Save the file.
- Log into your site to verify all is well.
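For anyone who would rather not hand-edit the file, here is the same procedure as a script. This is an added example, not code from the original post or from WordPress: it backs the file up, generates eight fresh 64-character values locally with a cryptographic random source (so it works offline, without the api.wordpress.org link), and swaps only the values of the eight known constants, leaving every other line alone. The sample config is constructed; the function names are mine. (WP-CLI users can get the same result with its config shuffle-salts command.)

```python
import re
import secrets
import shutil
import string
import sys
from typing import Dict, Tuple

# The eight constants WordPress expects (the names are WordPress's own).
SALT_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
SALT_LENGTH = 64
# Letters, digits and punctuation, minus the three characters that would break
# a quoted PHP string literal.
_ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in "'\"\\")

# Matches  define( 'AUTH_KEY', '...' );  with either quote style and any spacing.
_DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(%s)\1\s*,\s*(['"]).*?\3\s*\)\s*;""" % "|".join(SALT_CONSTANTS)
)

# Constructed sample of the relevant part of a wp-config.php, still on the
# sample file's placeholders (the worst case described above).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def new_salt() -> str:
    """64 characters from a CSPRNG; never use random.choice for secrets."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(SALT_LENGTH))


def rotate_salts(config_text: str) -> Tuple[str, int]:
    """Replace the value of each SALT constant; return (new text, how many were replaced).

    The caller should refuse to write the file unless the count is exactly 8,
    which catches a file with the old 4-key layout or a layout this regex
    does not understand.
    """
    def replace(match: "re.Match") -> str:
        return "define( '%s', '%s' );" % (match.group(2), new_salt())
    return _DEFINE_RE.subn(replace, config_text)


def extract_salts(config_text: str) -> Dict[str, str]:
    """Read back name -> value for every SALT define found (used to check the result)."""
    found = {}
    for match in _DEFINE_RE.finditer(config_text):
        line = match.group(0)
        value = line.split(",", 1)[1].strip().rstrip(";").strip().rstrip(")").strip()
        found[match.group(2)] = value[1:-1]          # strip the surrounding quotes
    return found


if __name__ == "__main__":
    # Usage: python rotate_salts.py /path/to/wp-config.php
    path = sys.argv[1]
    shutil.copy2(path, path + ".bak")                # step 1: keep a copy of the original
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    rewritten, count = rotate_salts(original)
    if count != len(SALT_CONSTANTS):
        sys.exit(f"found {count} salt defines, expected {len(SALT_CONSTANTS)}; file left unchanged")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    print("rotated", count, "keys; every user is now logged out")
```

The count check is the important safety: a file with only the 4 old constants, or one laid out differently, is left untouched rather than half-rotated, and the .bak copy is the rollback if the site misbehaves afterwards.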
Strong Passwords Matter Big
Fresh SALT keys protect your login sessions. They do nothing to stop someone guessing your password.
Your protection against brute force starts with a long, strong password.
Your password should:
- Be a minimum of 12 characters (longer is better)
- Contain at least one capital letter
- Contain at least one number
- Contain at least one special character
Length counts most: every extra character multiplies the number of guesses an attacker has to make.
Cracking tools try the cheap guesses first: wordlists of leaked passwords, then common substitutions (a to @, o to 0, s to $), then short strings from a single character class, and only then long mixed strings.
So a long password of mixed characters that appears in no wordlist is the one that takes longest to break.
For example:
password123 is easy to break (it is in every wordlist).
pa$$w0rd123#! is harder, but please don't use it: those substitutions are in the cracking rules too.
Never use the same password on any 2 accounts!
If one of your accounts gets hacked, all of them are in danger.
Secure Your Site From the Root Up
There are PLENTY of security breach points lurking at the root level of your site.
Many of them reside outside the WordPress files themselves, in the hosting account around them.
You can’t see them from the admin side of WordPress.
And don’t think for a minute that those behemoth security plugins properly seal all those potential security holes either.
They don’t work as comprehensively as they lead you to believe.
Get Real Site Security
Site Owners – A full site audit finds all of the security holes, from the root of your hosting account through to your plugins and site settings.
Designers – learn how to set up sites securely as well as secure your existing client sites with Webmaster Training courses.
Learn something new from you all the time. I’ve never heard of SALT keys. Thanks for the education!
There are lots of things now that most site owners have never needed to be concerned about before, like PHP levels and such too. But, things are changing, and we’ve got to keep up!!
This is exactly why we need people like you, MaAnna. I’ll need to go look at this.
The tip about removing the database and files before leaving a host is another great one.
Security, like the internet, is always evolving.
Thanks Sara Beth!!! I’ve several more posts like this coming up for things that site owners should know about for better security.