Why Rotating Salts and Keys Is the Most Underused WordPress Security Move

WordPress salts and keys protect every session on your site. Almost no one ever changes them. Here is why rotating them regularly is one of the cheapest security wins available.

A padlock on a laptop, representing WordPress security keys

Open the wp-config.php file on any WordPress site. Roughly halfway down, there is a block of eight definitions with names like AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT. Each is a long random string. These are the WordPress salts and keys. They protect every authentication cookie and nonce your site issues. Almost no one ever changes them after the site is first installed. This article explains what they actually do, why rotation matters, and how to rotate them safely.

What salts and keys do

When you log in to WordPress, the site sets a cookie that proves your session is valid. That cookie contains a token. The token is signed using a combination of the keys and salts in wp-config.php. Without knowing both, an attacker cannot forge a valid cookie or modify an existing one without invalidating it.

The same secrets are used by WordPress to generate and validate nonces, the one time tokens that protect form submissions and admin actions against cross site request forgery. They are foundational to a lot of WordPress security.

If the secrets leak, any token signed with them remains valid until the secrets change. This is the part that matters for rotation.

When the secrets can leak

You might not think your wp-config.php has ever been exposed. It probably has not been deliberately. But a number of common scenarios can leak the file’s contents.

A backup archive sitting in the document root. If it was downloadable for even a short window, anyone who guessed the filename has the file. We have seen backup archives named with predictable timestamps that any attacker can enumerate.

A misconfigured server that served PHP files as plain text instead of executing them. Brief misconfigurations during deployments are surprisingly common.

A compromised developer or contractor’s laptop. The wp-config.php was sitting in a local copy of the site for years. If their machine was breached, so was the file.

A previous compromise on the site itself. If an attacker had filesystem access at any point in the past, they read wp-config.php and now have your secrets forever, unless you rotated.

What rotation actually does

Rotating the salts and keys does two important things. First, it invalidates every existing session on the site. Every logged in user, including any attacker still riding a captured cookie, has to log in again. Second, it invalidates every pending nonce. Any form submission relying on a token issued before the rotation will be rejected.

The first effect is the security win. If an attacker had a valid session cookie before the rotation, they no longer do.

The cost is small

The friction of rotation is one round of logging back in. That is it. Every user, including you, will be logged out the next time they hit the site. They sign in again with their normal credentials, and they are back in.

For a personal blog this is invisible. For a business site with multiple staff, send a quick email warning that the change is coming and that they will need to log in again. Five minutes of advance notice avoids confusion.

How to rotate

The mechanics are simple. Visit the official WordPress secret key generator at api.wordpress.org. It produces a fresh set of eight definitions every time you load it. Copy the entire block. Open wp-config.php on your server, either via SFTP or through your host’s file editor. Paste the new block in place of the existing one. Save the file.

On the next page request, every existing session is invalidated. The next time you load the admin, you log in fresh.

Before doing this in production, take a backup of wp-config.php. The risk is that you paste the new block into the wrong place and break the file. The backup gives you an instant rollback.

How often to rotate

For a small low risk site, annual rotation is a reasonable baseline. For a business site with multiple users, quarterly or semi annually. For a high traffic site with admins coming and going, after any staff change.

Always rotate after any of these events. A confirmed or suspected compromise. A staff member or contractor with admin access leaving. A backup file appearing in a place it should not have been. Any major server move that involved file transfer over an unsecured channel.

Combined with other hardening

Salt rotation is one of several low effort, high impact moves that compound when used together. Pair it with 2FA on every administrator account, regular plugin and core updates, an audit of who has access, and a clean wp-config.php that is not sitting in any public folder.

The total cost in time is an hour or two a year. The value is closing one of the longest lasting categories of WordPress compromise. Cheap, easy, and almost universally skipped.

Need a hand?

If you would like Smart Coding to rotate the salts and keys on your WordPress site as part of a broader security cleanup, get in touch. It is one of the small jobs we do as part of every onboarding.

Claire Smith Avatar
Sponsored Loved this story? Defyn turns articles like this into the websites your competitors wish they had. Talk to us → defyn.com.au