Add Security, Salt Keys for User Cookie Encryption in WordPress

It's like having Evelyn Salt guard your Blog! ... Almost...

[This post is part of the Ultimate Guide to Launching a WordPress-Powered Blog series.]

After installing WordPress, there are more than a few things you’ll want to do to increase the security of your blog installation. One of them is adding the 8 Secret (or Security and Salt) Keys to your wp-config.php file.

These 8 keys were introduced by WordPress to help better encrypt the information stored in the user’s cookies. Not sure what a “cookie” is? Here’s a good definition:

A cookie, also known as a web cookie, browser cookie, and HTTP cookie, is a piece of text stored on a user’s computer by their web browser.

A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.

And yes, WordPress uses cookies so it’s better to upgrade their security settings, right? What does this mean practically and in layman’s terms? It means:

  • Your blog is harder to hack.
  • The access to your blog via scripts and malicious people is made much more difficult.
  • The randomly-generated security key can take years to hack. Combined with a “salt” key, it’s very tough to beat!

Not sure what any of this actually means? That’s fine! You’re still going to want to do it, and it’s not too hard.

Here we go:

1. Generate Random Keys

This part is easy: Go to WordPress’ own online generator found here and copy this information into a text pad:

Got them? Great.

2. Paste Keys into wp-config.php

Using your favorite FTP application (here are my favorites) you’ll want to find your wp-config.php file located in the root of your WordPress installation:

Open the wp-config.php file and it should look something like this:

Now just copy and paste the keys that the online generator created for you into this file like so:

Then save your file and you’re done! You can now rest a little easier knowing that you’ve made a significant improvement to the security of your WordPress blog!

Well done!


  • Mutant Minds

    Ah! Clever image for this post.

    I wish there was an Evelyn Salt that would go around the world taking care of malicious hackers.

    I can see it now:

    “Dude, check out this new hack. I can get into wordpress and destroy posts. Uhahahahah!”

    “What was that noise?”

    “Dude, it was nothing. Now let’s hack”

    (Suddenly – Window crashing. Bullets tearing into the monitor screen. Keyboard keys flying. Windows XP, Vista, 7 crashing. Screams of panic. Fingers being broken to hack no more.)

    “Dude, run!!!”

    “Too late man, it’s Evelyn Salt!!!”

    • John Saddington


    • Peter P

      How do you know there’s not one already…..?


  • Brian Alexander

    Was this included in Standard Theme? It was already in my wp-config.php file.

    • John Saddington

      some of them are auto-created via wordpress if you don’t declare them.

      • Erik Scottberg

        This may be a simple question, but I’d rather ask first instead of just changing things and end up breaking something. (Been there. Done that.)

        So if some of these are auto-created, should I just overwrite all of them with the ones created from the online generator or just add the ones that aren’t already there?

        In other words, I already have 1-4. Do I copy over 1-8 or just 5-8?


        • John Saddington

          you can copy over if you’d like. no harm done. just make sure you have them!

          • Erik Scottberg


            • John Saddington

              sure thing!

  • Albert

    Great post John. Many people assume they are always hacked and they don’t know what happened but it’s a matter of securing your stuff. Would we leave the keys to our homes on the front porch?

    Following directions like this can save a lot of problems down the road.

    Another big security concern that was fixed in the latest WP update was the concern of XSS on a wp blog.

    • John Saddington


  • Randy Kinnick

    Got it! Done. Thx.

    • John Saddington


  • Jimmy King

    Awesome tip, thanks!

    • John Saddington

      sure jimmy!

  • Blake

    So….if they were auto generated on install, is there value in getting a new randomly generated “salt key”? Or is it just as safe/secure to keep it as is?

    • John Saddington

      i always replace mine out of habit.

  • ThatGuyKC

    Worked like a charm! Thank you for the easy walk through!

    • John Saddington

      sure thing bro!

  • bman

    I know I’m late to the party, but what does this do?

    Mind you, I’m doing it anyway. I’m just wondering how it’s securing stuff.

    • John Saddington

      it essentially makes the cookie sessions that your blog creates harder to “guess” and thus hack.

  • Joe Chavez


    Dude. I love you, man. It’s posts like these that make me want to drive/fly/walk to Atlanta and buy you the biggest cup of coffee there is!

    I’m having all sorts of MySQL issues with my ISP and I’m doing everything I can to stem the usage. We’re thinking it’s spam traffic. So between these new Salt keys, SI Captcha, and removing some funky plugins I had–oh yeah–and correctly installing/configuring W3 Total Cache, not only is my blog screaming fast now but I’m hoping the MySQL issues go away.

    May God continue to watch over you, your family, and prosper your business!


    • John Saddington


      thanks so much bro! i really do appreciate it. and yes, i’ll take that cup of coffee…!



    Hello john,

    i think the new wordpress got this covered…just an info


  • Pali Madra

    Thanks, John, for the excellent post.

    Is it advisable to regenerate and replace the salt keys? If yes, how often? Is the process of regenerating the salt keys and adding them to wp-config.php fairly simple?

  • Dan Lugo

    Hey John! I’m going step by step through the whole deal here. My wp-config.php only has one line of code. Have things changed considerably since you wrote this? I’m on Dreamhost and did the quick install, then ran through the prior post on setting up for security.