How to Change WordPress security keys (Salt) and why?

The WP security keys (or so called Salt) are essential part of your WordPress security checklist. The ‘salt’ that the keys add to your password further protects it from hacking attempts by improving the encryption of the information stored in WP related cookies.

These keys are so important that with the newer versions of WordPress they are automatically added to your  WP config file. Still, as recommended in our article dedicated to WordPress Security, it is preferable to update your security keys with new ones once you install WP for the first time.

In case your WP gets hacked/compromised, it is essential that you change your WordPress keys immediately – after you change your WP admin password! This is necessary because a hacker can still login to your WP admin even if you change your WP password – thewordpress security keys reason for that is that because most of the times when a WP gets hacked the hacker still remains logged in to your WP admin  via the use of cookies (in which your old keys/salt are contained).

Below are the steps you will have to perform in order to replace your current WordPress security keys.

1. Open and then refresh your browser. Then copy the eight key values.

2. Open your wp_config file, which is located in your root WP folder (for example public_html of your hosting account). You will see these rows:


* Authentication Unique Keys and Salts.


* Change these to different unique phrases!

* You can generate these using the {@link secret-key service}

* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.


* @since 2.6.0


define(‘AUTH_KEY’, ‘put your unique phrase here’);

define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);

define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);

define(‘NONCE_KEY’, ‘put your unique phrase here’);

define(‘AUTH_SALT’, ‘put your unique phrase here’);

define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);

define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);

define(‘NONCE_SALT’, ‘put your unique phrase here’);


3. Replace the existing security keys by pasting the new ones you have obtained from the random generator (make sure to save your file and changes).

4. If the three steps above are preformed as instructed ALL users will be now prompted to log in again (BINGO!)

This means that if someone has gained previously access to your WP admin – they will also have to log in again, and since you have changed the password with a new one (don’t forget to change your WP admin password), and old cookies are no longer valid, the access will be denied.

Just to be on the safe side, you can replace these keys every few months.

We hope  you find this article useful. If you are confused or need further assistance please, do not hesitate to contact our support.


MochaHost Team.

Leave a Reply

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.