Have you ever heard of the WordPress keys and salts? And know what they do? If not, let me try to explain.
What are Keys and Salts
Keys are the WordPress secret keys. They are stored in wp-config.php in the root of your WordPress installation. These secret keys contain a long range of random characters, used to encrypt the password that is stored in the browser’s cookie.
Salts are like keys. They also contain a long range of random characters and are used to create an extra layer of security. They are not needed in wp-config, and if missing, WordPress will generate them for you.
This procedure makes it almost impossible for anyone to guess your password. For more information please visit this page on WordPress.org.
Adding The Keys and Slats
As said, at the moment you login on a WordPress website, a hashed value of your username and password is matched with the value in the database. These hashed values are created with a string of random characters, that are stored in the wp-config.php file.
After a clean install of WordPress this will look like this in your wp-config:
You can replace this whole section by going to the URL mentioned in the screenshot: the WordPress.org secret key service. Click on the link, copy the complete text and paste it over the original salts and keys. After that, the section in your wp-config will look like this:
Notice the random characters and you will understand why it will be very hard to crack your password!
Renew the Keys and Salts
Every once in a while you should renew the salts and keys. Just to be sure. This way you make it even harder to crack passwords. There are two ways to do that:
- By hand. Like I did in the example. Open the wp-config.php file and paste the salts and keys you took from the secret-key service.
- With a plugin. The plugin Salt Shaker can change the salts and keys automatically every day, week or month.
Keep in mind that the moment you have changed the keys and salts, everybody will automatically be logged out.