What are WordPress Salts?

  • Tomas Antal
  • 16/11/2017

If you have ever looked at your wp-config file, I am sure you noticed these weird-looking constants filled with a bunch of random characters. You were either told never to touch them, or you just assumed that they must be something very important and are better left alone.

define('AUTH_KEY',         '`.]rR5tJuTg0|P(I/8T/~|tfM<Bao#nl9}ZI&Kk8KE0Fl1|>Nd5d.qKmv =R5]J_');
define('SECURE_AUTH_KEY',  '_+wnzQ>ky%d_t3V5-1~;?]P$fB7~eSm9dZQLUz.j`{|l1F@b3u5+[D<Z2iEHg|2t');
define('LOGGED_IN_KEY', 'Seo|3BcJ kep g12dk(pOG=E.0ZNpI_?veM;+|[|^p4zP4-vm#>`6&xH@[opqx]:');
define('NONCE_KEY',        '!]I|MGcy`>JBYWNzk+dp/#rM@?++)Ec;64Ofda&U=G 4<r~!_biFxJRE`cg#SJb ');
define('AUTH_SALT', '#+SSPO7DV]EePy`6Nb,+-+td8^52|NobsFzggBhwun0X@,;XM=Ev:Bn/%-Qe ncp');
define('SECURE_AUTH_SALT', 'kQN5H% -,Q[Bzp.}:M#g?>M[uG,CFR4@?.QgI?}lB4Q`HMFc{4Hj&x+rhxVJt/t-');
define('LOGGED_IN_SALT',   'd|o[lbz{P>0ja7_cgphTnn@T+c)OGhc#PrDTm+s>/LELF|X6Q4?C-[,#oQs%1m]S');
define('NONCE_SALT',       'ky]--Mx-h25s<_nYj4:*o-HDV:md-|<HK|g$jql$=Z> T p~OE?Xy-%so#R{k(/A');

But what are these values?

Well, these are what we call WordPress salts. To see why they are useful, we have to understand how authentication works in WordPress. The WordPress developers chose to implement authentication with cookies, which might seem like a weird choice, since we all know that cookies are stored in the user’s browser and can be modified or deleted.

When a user tries to access post-authentication resources, WordPress reads the authentication details from the auth cookie and validates them with the wp_validate_auth_cookie() function.

You can check the auth cookie created for your website with your browser’s developer tools. The cookie will store something similar to the following:

wordpress_kn123jk5i9reid9i113nj=admin%1412328395%76sdafec678ec8ec7e97ce

While this might look like gibberish at first, it really is just a combination of the following information:

  • A hashed value of your website URL with MD5
  • Your username
  • An expiration date
  • A hashed value created from the auth keys and the salt values using the wp_salt() function

And the last part is the one that ensures that your website can only be accessed by authenticated users.

So should you ever touch the salts?

Well, yes and no. While everyone agrees that the current method is secure, changing the salts regularly might add an additional layer of security. However, all users will have to log in again afterwards, so one specific use case is when you want every user to be logged out.
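The tamper check on the cookie's last field and the forced logout after a salt change, as an added PHP example (not code from the original post or from WordPress core). It is a simplified model that signs username|expiration with an HMAC keyed from one key and salt pair; the demo_* function names, the | separator, SHA-256 and all sample values are assumptions made for illustration.

```php
<?php
// Simplified model of a salted auth cookie: illustration only, not WordPress core code.
// Keys, salts, user names and the clock value are constructed sample values.

// Assumption of this model: the signing secret is the key and the salt concatenated.
function demo_secret(array $cfg): string {
    return $cfg['AUTH_KEY'] . $cfg['AUTH_SALT'];
}

// Cookie value: "username|expiration|hmac". The HMAC binds both fields to the secret.
function demo_make_cookie(string $user, int $expires, array $cfg): string {
    $mac = hash_hmac('sha256', $user . '|' . $expires, demo_secret($cfg));
    return $user . '|' . $expires . '|' . $mac;
}

// Returns the user name for an authentic, unexpired cookie, otherwise false.
function demo_validate_cookie(string $cookie, array $cfg, int $now) {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false; // malformed value
    }
    [$user, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false; // non-numeric or expired timestamp
    }
    $expected = hash_hmac('sha256', $user . '|' . $expires, demo_secret($cfg));
    // hash_equals() compares in constant time, so the check leaks no timing signal.
    return hash_equals($expected, $mac) ? $user : false;
}

$now     = 1700000000; // fixed clock so runs are repeatable
$current = ['AUTH_KEY' => 'constructed-key-A', 'AUTH_SALT' => 'constructed-salt-A'];
$rotated = ['AUTH_KEY' => 'constructed-key-B', 'AUTH_SALT' => 'constructed-salt-B'];
$cookie  = demo_make_cookie('editor', $now + 3600, $current);
[$user, $expires, $mac] = explode('|', $cookie);

$cases = [
    'unmodified cookie, current salts' => [$cookie, $current],
    'user name edited by the client'   => ["admin|$expires|$mac", $current],
    'expiration edited by the client'  => [$user . '|' . ($expires + 86400) . '|' . $mac, $current],
    'unmodified cookie, rotated salts' => [$cookie, $rotated],
];
foreach ($cases as $label => [$value, $cfg]) {
    $result = demo_validate_cookie($value, $cfg, $now);
    printf("%-34s %s\n", $label, $result === false ? 'rejected' : "accepted as $result");
}
```

Only the first case validates. The last case is the forced logout: the cookie itself is untouched, but the server can no longer reproduce its HMAC once the salts have changed.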

And how can you modify them?

You really shouldn’t just go and change a few characters. Fortunately, the WordPress developers provide a handy API to generate secure salts here. All you have to do is copy and paste the generated authentication keys and salts into your wp-config file. Don’t worry, the page will generate a unique set of salts on each request.
