WordPress Security Keys – What, Why & How

What are they?

The WordPress security keys are eight random strings of characters, used to beef up the security of your cookies and passwords. More accurately, there are four security keys and four corresponding salts – salts are extra strings that make it harder to crack passwords by adding extra pieces to them.

Why use them?

All too often, people use incredibly simple passwords that are easy to crack with brute-force attacks. WordPress security keys help to encrypt information in users’ cookies more securely, making your installation much more secure. They are not a substitute for a good password, however, and you should still employ sound password-creating practices such as combining upper-case and lower-case letters, symbols, punctuation and numbers.

In short, security keys are like an extra bolt on the door – just one more thing to break in order to gain access.

How to use them

Adding security keys to your WordPress installation is actually a fairly simple task, so long as you are confident editing a PHP file.

All you need to do is find your wp-config.php in the root of your installation and open it for editing. Look around for the following piece of code:

The next step is to create the unique phrases for each key and salt. You are welcome to try to create them yourself; however, the more random they are the better, and a computer is far better at being random than a human. It’s also easier for a computer to create eight 60-character strings than it is for you, so save yourself the trouble and use the simple key and salt generator, a free tool provided by WordPress.

Once you arrive at that page, all you have to do is copy the entire page contents and replace the eight lines of code in wp-config.php with those created for you by the generator. An example of the code that you will be presented with is:

Now save your wp-config.php and you’re set to go.

You can change these periodically if you so choose, and you should definitely do so if you experience a security breach. The only drawback is that any logged-in users will have to log back in, as their cookies will become invalid.
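
The check and the replacement described above, as an added example that is not from the original post or from WordPress: it audits the text of a wp-config.php for missing, placeholder, short or reused keys, and rewrites the eight define() lines with values from the operating system's CSPRNG. The function names, the constructed sample config and the 64-character generated length are assumptions; the 60-character minimum follows the figure given in the text.

```python
import re
import secrets

# The eight constants WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # default value in wp-config-sample.php
# Printable ASCII that needs no escaping inside a single-quoted PHP string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")
# Matches an uncommented single-quoted define() for one of the eight constants.
DEFINE_RE = re.compile(
    r"^[ \t]*define\(\s*'(" + "|".join(KEY_NAMES) + r")'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\);",
    re.MULTILINE)

def audit(config_text, min_len=60):
    """Return {constant: problem} for missing, placeholder, short or reused values."""
    found = dict(DEFINE_RE.findall(config_text))
    values = list(found.values())
    problems = {}
    for name in KEY_NAMES:
        if name not in found:
            problems[name] = "missing"
        elif found[name] == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(found[name]) < min_len:  # 60 is the length the post mentions
            problems[name] = "too short"
        elif values.count(found[name]) > 1:
            problems[name] = "reused"
    return problems

def rotate(config_text, length=64):
    """Replace each existing key/salt define() with a fresh CSPRNG value."""
    def fresh(match):
        value = "".join(secrets.choice(ALPHABET) for _ in range(length))
        return "define('%s', '%s');" % (match.group(1), value)
    return DEFINE_RE.sub(fresh, config_text)

# Constructed sample input: a config that still has the untouched default block.
SAMPLE = "<?php\n" + "".join(
    "define('%s', '%s');\n" % (n, PLACEHOLDER) for n in KEY_NAMES
) + "$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(rotate(SAMPLE)))
```

Only single-quoted define() lines are recognised, and rotate() does not add constants that are absent, so a config that audit() reports as "missing" still needs the lines added by hand.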

What other security practices do you employ on your installation?

11 thoughts on “WordPress Security Keys – What, Why & How”

  1. tech wench says:

    Thanks for the post, as it gives good guidelines as to how to give security to the WordPress cookies.

  2. Your every post is great to read. And now I subscribed to your feed to be updated with you. Good work!

  3. Michael says:

    Thanks, I’ll give this a try. Security online is as important, or more so, than offline. More people should realize that by now.

    1. Dave says:

      I’d say they’re equally important, but while you’re not going to lose your credit card details by having your WordPress installation hacked, you can lose an awful lot of work and cause yourself a lot of hassle trying to get it all fixed.

  4. Manie says:

    I think all blog owners should consider using security keys. Don’t wait till you get hacked before you start thinking about security. Now is the time.

    1. Dave says:

      Absolutely. Typically, people will unfortunately wait until the worst happens before they take action. Security should be a paramount consideration for any blog owner.

  5. Kimi says:


    I am sure there are still lots of people who don’t know about this.

    Although there are tons of other things to secure our WordPress blogs, this is very essential and a must-do and check.

    Thanks for bringing it up!

    1. Dave says:

      Indeed. I think I’m going to write an article with general security measures that need to be included as standard, such as using the security keys.

  6. kenny says:

    Can you add the security keys after you have installed WordPress? Or can it be difficult like changing the database prefix when you have already installed WordPress?

    1. That’s a really good question, Kenny. You can install these in an existing site without any problems. The worst thing that will happen is that you might need to log in again after you install them. That’s it.

      1. kenny says:

        Awesome! Thanks for the help.
