Search

Decoding WordPress SALTS and KEYS

    Sumit Pore
Listen to this article

WordPress uses SALTS and KEYS to store information in an encrypted format. In your wp-config file, you should notice these strings, added as Authentication Unique Keys and Salts.

Now, what are SALTS and KEYS?

Quick Cryptography Lesson:

[su_note note_color=”#fffcde”]

In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.
Salt (cryptography)

[/su_note]

A key is used to encrypt and decrypt data. Salts are randomly generated strings which make data encrypted with keys more secure.

[space]

How WordPress uses SALT and KEYS?

In WordPress, an example of using a salt and key, is to maintain a user’s login status.

As you know WordPress does not use sessions to maintain the login status of a user. Instead it uses cookies which are stored on the computer.

Now, if these cookies are stored in such a way, that replacing them with another user’s cookie, might log them in, you’re just inviting trouble. WordPress understands this, and hence uses salts and keys for the very same purpose.

It encrypts the cookie and then uses it. This encryption is handled using SALT and KEYS.

WordPress has a total of 4 pairs of salts and keys:

  • AUTH_KEY- AUTH_SALT
  • SECURE_AUTH_KEY- SECURE_AUTH_SALT
  • LOGGED_IN_KEY- LOGGED_IN_SALT
  • NONCE_KEY- NONCE_SALT

These salts and keys are used to generate hashes for different purposes. Now, to generate a hash WordPress uses the hash_hmac function, with a shared secret key parameter (set as a concatenated string of the key and salt values).

[space]

When Should You Use SALTS and KEYS?

As mentioned, the various SALTS and KEYS, used by WordPress, are stored in wp-config.php. Essentially, these are all constants. So, if you open wp-config.php on your WordPress website, you should find all these constants.

wordpress-salts-keys

If you want to change values of these constants, you can do that! You just need to use the Secret-Key Generating Service WordPress provides and grab new values.

Now, let’s take a look at each of these pairs in detail.

NONCE_KEY- NONCE_SALT

The NONCE_KEY- NONCE_SALT pair is used in nonce creation and verification, for example wp_create_nonce, wp_verify_nonce, check_ajax_referer, and so on. These functions are usually used when creating any sort of forms in WordPress. It is always recommended to have nonce in your forms to validate whether a form submission request was made from the current site and not from an external source.

Apart from Nonce, the other three pairs are used for logging in users and verifying their login status.

AUTH_KEY- AUTH_SALT and SECURE_AUTH_KEY- SECURE_AUTH_SALT

The AUTH_KEY- AUTH_SALT and SECURE_AUTH_KEY- SECURE_AUTH_SALT pairs are used to generate an authentication cookie. When a user tries to login, WordPress generates an authentication cookie and sets it on the computer. This cookie is generated by the function wp_generate_auth_cookie which is generally called by the wp_set_auth_cookie function.

Developers can use wp_set_auth_cookie in their code to login a user programmatically. Kuttler provides a great example of logging in a WordPress user programmatically.

If your site is on HTTP, WordPress uses the AUTH_KEY- AUTH_SALT pair to generate an authentication cookie. But if your site is on HTTPS, WordPress will use the SECURE_AUTH_KEY- SECURE_AUTH_SALT pair to generate a secure authentication cookie. A secure cookie can be accessed by only that part of the site which is secured or loaded over HTTPS. This means pages loaded over HTTP cannot use or read the content of this cookie.

LOGGED_IN_KEY – LOGGED_IN_SALT

The LOGGED_IN_KEY- LOGGED_IN_SALT pair is used to create a logged in cookie. This cookie is also created by the wp_generate_auth_cookie function, when a user tries to login to the WordPress system. So, WordPress basically generates two cookies when a user logs into the system- the authentication cookie and the logged in cookie. Both these cookies are validated by the wp_validate_auth_cookie function.

As stated by Ryan Boren in his article explaining SSL and Cookies in WordPress, logged in cookies just indicate that user is currently logged in, but does not authenticate access to the WordPress dashboard. Authentication cookies on the other hand, are used to access the admin panel, and to make changes on the site.
[space]
Remember, never reveal your secret salts and keys to anyone. If a WordPress website gets hacked, it’s always recommended to change your salts and keys along with changing user passwords.

So folks, that’s all from me for now. If you have any questions, ask away! 🙂

Picture of Sumit Pore

Sumit Pore

Leave a Reply

Your email address will not be published. Required fields are marked *

Get The Latest Updates

Subscribe to our Newsletter

A key to unlock the world of open-source. We promise not to spam your inbox.

Suggested Reads

Join our 55,000+ Subscribers

    The Wisdm Digest delivers all the latest news, and resources from the world of open-source businesses to your inbox.

    Suggested Reads