WordPress salts are a set of eight unique cryptographic keys that play a key role in securing your site. They include four authentication keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY) and four salts (*_SALT). These keys and salts help encrypt sensitive data like passwords and cookies, making it much harder for hackers to hijack sessions or steal credentials.
Why They Matter
WordPress Salts add an extra layer of security during the encryption process, combining with your password to produce a hashed value. This means even if someone obtains your database dump or cookie, they can’t easily decrypt or reuse the data. They also ensure that cookies and other authentication mechanisms can’t be tampered with or forged.
Things to know about WordPress Salts
Put simply, any password, strong or weak, is left in the open to be copied and breached if it is stored for convenience and automatic login sessions on your device and browser without being properly encrypted.
That is where WordPress Salts come in handy, delivering the needed security and customer experience for your WordPress website.
WordPress uses one part, the Security Keys, to encrypt the password and login information specifically for each of your websites. It then uses the WordPress Salts Keys to synchronize them and to save the browser cookies that store the information and log you in to the WP Dashboard.
Where can I find my WordPress Salts?
When you install WordPress (including via WPX), these keys are automatically added to your wp-config.php file, located in your site’s root directory. To find them, follow the steps below.
Step 1. Log in to your WPX account
Begin by logging into your WPX account. You can do this by visiting the WPX login page.
Step 2. Go to Control Panel
Once logged in:
- Locate your hosting plan in the WPX client area.
- Click the Control Panel button next to the plan you wish to manage.

Step 3. FTP Users & Files
In the Control Panel:
- Select FTP Users & Files
- After that, click the File Manager button to open it.

Step 4. Open wp-config.php
From there:
- Open the public_html folder of the site you want to check.
- Double-click wp-config.php to open it in editor mode.

WordPress Salts are encrypted and divided into two parts:
- The first one is your Security Keys and Login Information
- The second part is your WordPress Salts Keys, which contain and store the information for your browser to remember your login sessions.

Can WordPress Salts be edited?
Yes—while not required during routine operations, updating these keys can be a smart move if you suspect a security breach or want to force logouts for all users.
Manual method:
- Visit the official WordPress Salt Generator.
- Replace the existing salt/key lines in wp-config.php with newly generated ones.
- Save the file. Users will be automatically logged out and prompted to re-authenticate.
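The manual method above, as an added Python example (not WPX's or WordPress's own code): it goes a step further than the steps by first checking the eight define() lines for missing, default, short or reused values, then swapping in values generated locally instead of fetched from the online generator. The function names, the 64-character length and the sample file contents are assumptions of this example.

```python
import re
import secrets
import string

# The eight constants this page names: four keys and their four *_SALT partners.
KEY_NAMES = [p + s for s in ("_KEY", "_SALT")
             for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
# Printable ASCII minus ' and \ so a value needs no escaping in a single-quoted PHP string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
PLACEHOLDER = "put your unique phrase here"  # default value in wp-config-sample.php
LENGTH = 64  # value length chosen for this example

def _define_re(name):
    # An uncommented define( 'NAME', 'value' ); line, with flexible spacing and quoting.
    return re.compile(r"""^[ \t]*define\(\s*['"]%s['"]\s*,\s*(['"])(.*?)\1\s*\)\s*;""" % name, re.M)

def audit(config_text):
    """Return {name: problem} for keys that are missing, default, short or reused."""
    problems, seen = {}, {}
    for name in KEY_NAMES:
        m = _define_re(name).search(config_text)
        value = m.group(2) if m else None
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < LENGTH:
            problems[name] = "short"
        elif value in seen:
            problems[name] = "same value as " + seen[value]
        else:
            seen[value] = name
    return problems

def rotate(config_text):
    """Return config_text with all eight values replaced by fresh random ones."""
    for name in KEY_NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        line = "define( '%s', '%s' );" % (name, value)
        config_text, n = _define_re(name).subn(lambda _m, l=line: l, config_text)
        if n != 1:  # refuse to write a file that would leave a key unset or doubled
            raise ValueError("%s: expected one define(), found %d" % (name, n))
    return config_text

# Constructed sample input, not a real site's wp-config.php.
SAMPLE = "<?php\ndefine( 'DB_NAME', 'example' );\n" + "".join(
    "define( '%s', '%s' );\n" % (n, PLACEHOLDER) for n in KEY_NAMES)

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(rotate(SAMPLE)))
```

Run it against a copy of wp-config.php and keep a backup of the original; a commented-out define() is treated as missing, so rotate() stops instead of saving a file with a key left unset.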
Using a plugin (e.g. Salt Shaker):
Install and activate the plugin Salt Shaker from your WP-admin dashboard.

Navigate to Tools → Salt Shaker.

In this menu, the plugin shows the existing WordPress Salts that you have on your website and in the configuration file.
You can regenerate salts manually (“Change Now”) or schedule automatic rotations (daily, weekly).
