



WordPress is one of the best-known and most popular content management systems in the world. As a result, WordPress is a frequent target of security threats such as brute-force attacks, SQL injection, malware, cross-site scripting, and DDoS attacks. In fact, a recent malware strain called Clipsa is launching brute-force attacks on WordPress sites and stealing cryptocurrencies by hijacking the clipboard.

WordPress is only as secure as the amount of effort you put into improving your site's security. As a website owner, it is your responsibility to stay alert and put a proactive security strategy in place to prevent malicious attacks. Weak passwords and usernames, failing to update the WordPress core and plugins, and poor-quality hosting are among the common security mistakes that website owners make, and they make it easier for malicious hackers to get in.

WordPress is a highly secure CMS in its own right. Even so, keeping your WordPress site safe from cybercriminals requires you to improve your security posture and your online credibility. Simple steps such as updating the WordPress core, choosing a secure WordPress hosting provider, paying attention to domain name security, and using a strong password can help block malicious bots and attackers.

In this post, we will focus on WordPress salts and security keys and their role in ensuring that you don't have to deal with the consequences of malware attacks.

What are WordPress security keys and salts?

When a user logs in to the WordPress site, several cookies are created on the computer. These are used to verify the identity of registered users. If an attacker gets into your database or finds your cookies, they may be able to read your password, which makes your site vulnerable to attacks.

WordPress uses security keys and salts to produce a cryptic output that is stored in the database or in the cookie, which adds a layer of security to your website.

Two of these cookies are:

  • wordpress_[hash] is used only on the admin pages, that is, in the WordPress dashboard.
  • wordpress_logged_in_[hash] is used by WordPress to determine whether you are logged in.

The authentication details stored in these cookies by WordPress are hashed (cryptic values assigned) using the random patterns that are specified in the WordPress security keys.


A WordPress security key is a password made up of a long, complicated, random string that enhances encryption, making it almost impossible to crack your password. The latest version of WordPress uses four security keys, each with a corresponding salt, which can increase the security of your WordPress website.

These are:

  1. AUTH_KEY can be used to make changes to the site. It signs the authorization cookie for non-SSL connections.
  2. SECURE_AUTH_KEY is used to sign the authorization cookie for the SSL admin and is used to make changes to the website.
  3. LOGGED_IN_KEY is used to create a cookie for a user who is logged in. It cannot be used to make changes to the site.
  4. NONCE_KEY is used to sign nonces. This key prevents an attacker from generating valid nonces, thus protecting your site from attacks.

You will find these keys and authentication salts in the wp-config.php file, located in the WordPress root folder.

WordPress salts are random data strings that encode the security keys and add an additional layer of protection to the site and your credentials.


Each security key has a corresponding salt, namely AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT.

Why use WordPress security keys and salts?

WordPress uses cookies to track the identity of users who log in to your website. These cookies are stored in your site's dashboard account, in other words, on the client side. For better encryption, the authentication details (both the username and the password) are hashed using a set of random values specified in the WordPress security keys.

Thus, a randomly generated encrypted password such as "65a3ds2873ba27us36sd89s0fc" is extremely difficult to crack compared to an unencrypted one. Thus, website owners must use WordPress security keys to protect their site's cookies and prevent malicious hackers from accessing the site.

How to change WordPress keys and salts manually

You can configure secret keys and salts manually or through a WordPress security plugin. If you have a self-hosted WordPress site, you will have to add the security keys yourself.

Please note: we only recommend manually editing WordPress files if you are a developer or comfortable working with code at an intermediate level or higher. If you are a beginner, skip to the recommended plugins below.

First, use the random generator in WordPress to get a unique secret key.


Next, log in to your control panel's file manager or connect via FTP. From there, locate the wp-config.php file so you can edit it.


Open the file and scroll down to the "Authentication keys and unique salts" section. This is where you can add the secret keys that you previously generated.


Once you save the file, you will be prompted to log in again.
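After editing the file by hand, it is worth checking that all eight constants really were replaced. The following is an added example, not code from WordPress or from either plugin: a small Python audit of wp-config.php text. The function name, the 64-character minimum, and the sample file are assumptions made for illustration.

```python
import re

# The eight constants named on this page.
REQUIRED = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
            "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 64  # assumption: length of the values the generator returns

# Matches an uncommented define( 'NAME', 'value' ); at the start of a line.
DEFINE_RE = re.compile(
    r'''^\s*define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;''',
    re.MULTILINE)

def audit_wp_config(text):
    """Return {constant: problem} for each key or salt that needs attention."""
    found = {m["name"]: m["value"] for m in DEFINE_RE.finditer(text)
             if m["name"] in REQUIRED}
    values = list(found.values())
    problems = {}
    for name in REQUIRED:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < MIN_LENGTH:
            problems[name] = "too short"
        elif values.count(value) > 1:
            problems[name] = "duplicate"
    return problems

# Constructed sample file; the repeated-character values are filler, not real secrets.
SAMPLE = "\n".join([
    "<?php",
    "define( 'AUTH_KEY',         '%s' );" % ("aB3$" * 16),
    "define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );",
    "define( 'LOGGED_IN_KEY',    '%s' );" % ("xY7!" * 16),
    "define( 'NONCE_KEY',        'short' );",
    "define( 'AUTH_SALT',        '%s' );" % ("aB3$" * 16),
    "define( 'SECURE_AUTH_SALT', '%s' );" % ("qR9#" * 16),
    "// define( 'LOGGED_IN_SALT', '%s' );" % ("zZ1@" * 16),
    "define( 'NONCE_SALT',       '%s' );" % ("mN5%" * 16),
])

if __name__ == "__main__":
    for name, problem in audit_wp_config(SAMPLE).items():
        print(f"{name}: {problem}")
```

The audit reports only constant names, never their values, so its output can be pasted into a ticket or log without exposing a secret.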

Use a plugin to update keys and salts

Like most things in WordPress, you don't have to do it manually. Various WordPress plugins can be used to automate the process on your behalf. They are a quick and easy way to change your WordPress keys and salts. Here are two that we recommend.

iThemes Security


The current version of iThemes Security (Free v4.6+ or iThemes Security Pro v1.14+) comes with a time-saving security feature that easily updates WordPress security keys and salts. It offers an update reminder every month and avoids the need to manually generate a new set of keys or edit your wp-config.php file.

To update the keys and salts, go to the 'WordPress Salts' section in the 'Advanced' tab, click the checkbox next to 'Change WordPress Salts', and finally click the 'Change WordPress Salts' button.


iThemes Security Pro offers additional features such as two-factor authentication, scheduled malware scanning, and reCAPTCHA to detect malicious software and add an extra layer of security to your WordPress login pages.

Salt Shaker


Similarly, Salt Shaker offers impressive features and settings, such as manual and immediate changes of WP security keys and salts, to enhance WordPress security.


In addition, after installing the Salt Shaker plugin, you can configure a scheduled job for automatic salt changes. All you need to do is check the box and choose a daily, weekly, or monthly setting.

In both cases, the plugin is programmed to send automatic reminders to update WordPress keys. As a consequence, it simultaneously forces all registered users to go through the login process again. All of these features help protect a website from brute force attacks and other hacking attempts.


When it comes to protecting your WordPress site, prevention is the way to go. The strong combination of WordPress security keys and salts makes it difficult for hackers to crack website passwords. This is how WordPress offers improved security for user sessions and protects data.

Finally, here are some things to keep in mind when updating WordPress security keys and salts.

  • After starting your WordPress site, change the security keys and the salts.
  • Always use the WordPress salt key generator to create security keys. Do not do it yourself. Alternatively, you can automate the process using a WordPress plugin.
  • Updating the WordPress security keys and salts will invalidate all existing cookies, causing all users to be logged out instantly. So, when changing them, keep in mind that some users may be online.
  • If you see signs that your site is under attack, update WordPress security keys and encourage your users to change their password.
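Why changing a key or salt logs everyone out, and why a password change also kills old cookies, is easier to see in code. The following is an added example, not WordPress's own code: a simplified Python model of signing a login cookie with an HMAC keyed by key plus salt. It leaves out server-side session tokens, and all function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def wp_salt(cfg, scheme):
    """The key and salt for a scheme are concatenated into one HMAC secret."""
    return cfg[scheme.upper() + "_KEY"] + cfg[scheme.upper() + "_SALT"]

def wp_hash(cfg, data, scheme):
    secret = wp_salt(cfg, scheme).encode()
    return hmac.new(secret, data.encode(), hashlib.md5).hexdigest()

def sign(cfg, user, pass_frag, expires, token, scheme):
    # Per-cookie key: depends on the site secret and a fragment of the password hash.
    key = wp_hash(cfg, f"{user}|{pass_frag}|{expires}|{token}", scheme)
    msg = f"{user}|{expires}|{token}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()

def make_cookie(cfg, user, pass_frag, expires, token, scheme="logged_in"):
    mac = sign(cfg, user, pass_frag, expires, token, scheme)
    return f"{user}|{expires}|{token}|{mac}"

def validate_cookie(cfg, cookie, pass_frag, now, scheme="logged_in"):
    """True only if the cookie is unexpired and its HMAC matches the current secret."""
    try:
        user, expires, token, mac = cookie.split("|")
        if int(expires) < now:
            return False
    except ValueError:
        return False
    expected = sign(cfg, user, pass_frag, expires, token, scheme)
    return hmac.compare_digest(mac, expected)

# Constructed values for illustration only; real keys come from the generator.
OLD = {"LOGGED_IN_KEY": "constructed-key-0001",
       "LOGGED_IN_SALT": "constructed-salt-0001"}
ROTATED = dict(OLD, LOGGED_IN_SALT="constructed-salt-0002")
COOKIE = make_cookie(OLD, "alice", "Ab12", 2000000000, "tok123")

if __name__ == "__main__":
    print(validate_cookie(OLD, COOKIE, "Ab12", now=1900000000))      # before rotation
    print(validate_cookie(ROTATED, COOKIE, "Ab12", now=1900000000))  # after rotation
```

The cookie carries no secret itself; once the salt changes, the server can no longer reproduce the HMAC, so every previously issued cookie fails validation at the same moment.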

Have a question about security keys and salts? Or tips that you would add? Let us know in the comments!