Learn what WordPress security keys and salts are, when to rotate them, and safe step-by-step methods to update them without breaking logins for real users.
Why WordPress Security Keys and Salts Matter
WordPress uses a set of secret keys and salts to secure authentication cookies and nonces. These values live in your wp-config.php file and are combined with user data to generate hashes that protect login sessions and other sensitive actions.
If an attacker ever gains access to your current keys and salts, they may be able to hijack active sessions or make it easier to brute-force cookies. Rotating (changing) these values immediately invalidates all existing sessions, forcing everyone to log in again with their username and password.
When You Should Rotate Keys and Salts
You don’t need to rotate keys every week, but you should update them when:
- You suspect a compromise of your hosting account, database, or admin user.
- You removed a malicious plugin or theme and want to invalidate any stolen sessions.
- You shared temporary admin access with a third party and no longer need to.
- You accidentally committed wp-config.php to a public repository.
- You are doing scheduled security maintenance (for example, annually).
Because rotating keys logs everyone out, plan to do it during a low-traffic window and communicate the change to your team in advance.
How WordPress Keys and Salts Work (Plain English)
In a standard install, you’ll see eight constants in wp-config.php:
AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT
These values should be long, random strings that are never reused elsewhere. WordPress combines them with user-specific data to generate hashes for cookies and nonces, making precomputed attacks and cookie theft much harder.
Preparation: Backups and Access Requirements
Before changing keys and salts, make sure you have:
- Full file backup (at least wp-config.php and .htaccess).
- Database backup from your hosting panel or backup plugin.
- File access via SFTP/FTP or your hosting file manager.
- Admin login to WordPress (in case you need to verify behavior after the change).
Also confirm that you know your own admin username and password; you’ll be logged out when the rotation is complete.
Method 1 – Manually Rotate Keys and Salts in wp-config.php
Step 1 – Generate New Keys and Salts
WordPress provides an official API endpoint that generates cryptographically strong random keys and salts. Open the official generator in your browser and copy the entire block of define() lines it produces.
Step 2 – Open wp-config.php Safely
- Connect to your site via SFTP/FTP or your hosting file manager.
- Locate your WordPress root folder (often public_html or htdocs).
- Download wp-config.php to your computer as a backup copy.
- Open the live wp-config.php in a plain-text editor (no word processors).
Step 3 – Replace the Existing Key and Salt Block
- Find the section that looks similar to:
  define('AUTH_KEY', '...');
  define('SECURE_AUTH_KEY', '...');
  ...
  define('NONCE_SALT', '...');
- Select and delete the entire existing block of eight define() lines.
- Paste in the new block you copied from the official generator.
- Save the file.
Step 4 – Upload and Test
- If you edited the file locally, upload the updated wp-config.php back to the server, overwriting the old one.
- Visit your site’s front end in a private/incognito window.
- Log in again at /wp-admin using your normal credentials.
What You Should See
- Your site loads normally on the front end.
- Previously logged-in users (including you) are logged out and must sign in again.
- After logging in, the WordPress dashboard behaves as usual.
If you see a white screen or PHP error, immediately restore the backup copy of wp-config.php and carefully check for missing semicolons, stray characters, or accidental deletion of other configuration lines.
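Steps 2 to 4 of the manual method can be scripted so that only the quoted value of each of the eight constants is swapped and every other line of wp-config.php is left untouched. This is an added example, not code from the article or from WordPress: it generates the new values locally from /dev/urandom instead of fetching them from the official generator, and the function name rotate_salts and the .bak suffix are my own choices.

```shell
#!/bin/sh
# Added example (not from the article): rotate the eight keys/salts inside a
# wp-config.php while leaving every other line untouched. New values are made
# locally from /dev/urandom instead of being fetched from the official
# api.wordpress.org generator, so the script works offline.
set -u

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random alphanumeric characters: safe inside a single-quoted PHP string.
new_secret() { LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64; }

# rotate_salts FILE: copy FILE to FILE.bak, then replace the quoted value of
# each constant. Returns 2 (and changes nothing) if any constant is not
# defined exactly once, 1 if the backup fails, 3 if PHP rejects the result.
rotate_salts() {
  cfg=$1
  for name in $SALT_NAMES; do
    n=$(grep -c "define([[:space:]]*'$name'," "$cfg" || true)
    [ "$n" -eq 1 ] || { echo "$name: expected 1 definition, found $n" >&2; return 2; }
  done
  cp -p "$cfg" "$cfg.bak" || return 1
  tmp="$cfg.tmp.$$"
  cp "$cfg" "$tmp"
  for name in $SALT_NAMES; do
    new=$(new_secret)
    # keep "define('NAME', " as-is and swap only the quoted value after it
    sed "s/^\([[:space:]]*define([[:space:]]*'$name',[[:space:]]*\)'[^']*'/\1'$new'/" \
      "$tmp" >"$tmp.new" && mv "$tmp.new" "$tmp"
  done
  # overwrite in place so the owner and permissions of wp-config.php are kept
  cat "$tmp" >"$cfg" && rm -f "$tmp"
  # if PHP is installed here, reject a file it cannot parse and roll back
  if command -v php >/dev/null 2>&1 && ! php -l "$cfg" >/dev/null 2>&1; then
    cat "$cfg.bak" >"$cfg"
    return 3
  fi
}

# usage: rotate_salts /path/to/wp-config.php
```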
Method 2 – Rotate Keys and Salts with WP-CLI
If you have command-line access and WP-CLI installed, you can rotate keys and salts with a single command. This is safer than manual editing because WP-CLI updates only the relevant lines in wp-config.php and preserves formatting.
Step 1 – Confirm WP-CLI Access
- Connect to your server via SSH.
- Navigate to your WordPress root directory.
- Run wp --info to confirm WP-CLI is available.
Step 2 – Backup and Shuffle Salts
- Create a quick backup of wp-config.php (for example, cp wp-config.php wp-config.php.bak).
- Run: wp config shuffle-salts
- WP-CLI will fetch new keys from the official API and update the constants in wp-config.php.
Step 3 – Verify the Site
- Open your site in a browser and confirm pages load correctly.
- Log in again to the dashboard; you should be prompted to re-authenticate.
If something goes wrong, restore the backup file with cp wp-config.php.bak wp-config.php and test again.
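Whichever method you used, the backup copy taken beforehand lets you confirm that the rotation really took effect before you declare the maintenance done: every one of the eight constants should be present once, longer than a placeholder, distinct from the other seven, and different from its old value. The check below is an added example, not code from the article or from WP-CLI; the function names salt_value and verify_rotation and the 32-character minimum are my assumptions.

```shell
#!/bin/sh
# Added example (not from the article): compare the rotated wp-config.php with
# the backup copy (wp-config.php.bak in Method 2) and report anything that
# suggests the rotation did not fully take effect.

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# salt_value FILE NAME: print the single-quoted value of define('NAME', ...)
# from FILE (empty output if the constant is not defined).
salt_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*'$2',[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# verify_rotation BACKUP CURRENT: print one line per problem and return the
# number of problems found (0 means every constant is present, at least 32
# characters, not the installer placeholder, unique, and changed from BACKUP).
verify_rotation() {
  old=$1 cur=$2 problems=0 seen="|"
  for name in $SALT_NAMES; do
    v=$(salt_value "$cur" "$name")
    if [ -z "$v" ]; then
      echo "MISSING     $name"; problems=$((problems + 1)); continue
    fi
    case "$v" in
      *'put your unique phrase here'*) echo "PLACEHOLDER $name"; problems=$((problems + 1)) ;;
    esac
    if [ "${#v}" -lt 32 ]; then echo "SHORT       $name"; problems=$((problems + 1)); fi
    if [ "$v" = "$(salt_value "$old" "$name")" ]; then
      echo "UNCHANGED   $name"; problems=$((problems + 1))
    fi
    # quoted "$v" inside the case pattern is matched literally
    case "$seen" in
      *"|$v|"*) echo "DUPLICATE   $name"; problems=$((problems + 1)) ;;
    esac
    seen="$seen$v|"
  done
  return "$problems"
}

# usage: verify_rotation wp-config.php.bak wp-config.php && echo "rotation OK"
```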
Optional – Using a Dedicated Salt Rotation Plugin
Some site owners prefer a plugin-based interface to rotate salts on a schedule. For example, the Salt Shaker plugin lets you manually or automatically change keys from the WordPress admin area.
If you choose this route:
- Install and activate the plugin from Dashboard → Plugins → Add New.
- Follow the plugin’s settings page to configure manual or scheduled rotations.
- Test after enabling any schedule to ensure it doesn’t conflict with caching or custom login flows.
Always keep security plugins updated and remove any you’re not actively using to reduce your attack surface.
Minimizing User Disruption
Rotating keys and salts is inherently disruptive because it invalidates all sessions. To keep the impact manageable:
- Schedule the change during off-peak hours for your audience.
- Notify team members and frequent contributors that they’ll be logged out.
- Remind users to use strong, unique passwords and a password manager so re-login is quick and secure.
- If you run WooCommerce or membership sites, avoid rotating keys in the middle of major promotions or live events.
Security Best Practices Around Keys and Salts
- Never store keys in plaintext in shared documents or tickets. Treat them like passwords and keep them out of email and chat logs whenever possible.
- Keep wp-config.php outside the web root if your host supports it, so it can’t be downloaded directly.
- Restrict file permissions so only the web server user and administrators can read or modify wp-config.php.
- Combine key rotation with other hardening steps such as strong passwords, multi-factor authentication, and timely updates for WordPress core, themes, and plugins.
Quick Maintenance Checklist
When you plan a security maintenance window that includes key and salt rotation, run through this short checklist:
- Confirm fresh backups of files and database.
- Notify your team about the upcoming forced logout.
- Rotate keys and salts using either manual editing or WP-CLI.
- Verify front-end pages and the WordPress dashboard load correctly.
- Spot-check critical flows (logins, forms, checkout, membership areas).
- Document the date and method used so you can repeat the process consistently in the future.
Handled carefully, rotating WordPress security keys and salts is a low-risk, high-impact maintenance task that helps cut off stolen sessions and strengthens your overall security posture without permanently disrupting legitimate users.