Rotating WordPress SALT keys regularly is a crucial but often overlooked task in maintaining a secure website. These keys are used to sign authentication cookies and protect other sensitive user data, helping prevent session hijacking and brute-force attacks. In this guide, you’ll learn how to automate the rotation of SALT keys using both a Bash script and WP-CLI, so your wp-config.php remains secure without manual intervention.
What Are SALT Keys in WordPress?
WordPress defines eight unique constants in the wp-config.php file, known as SALT and authentication keys:
- AUTH_KEY
- SECURE_AUTH_KEY
- LOGGED_IN_KEY
- NONCE_KEY
- AUTH_SALT
- SECURE_AUTH_SALT
- LOGGED_IN_SALT
- NONCE_SALT
Each of these adds an extra layer of security to password hashes and user sessions. Rotating them invalidates every existing session and therefore logs out all active users, which is ideal after a breach and also worth doing on a regular schedule as a best practice.
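Why a rotation logs everyone out without touching the database is easiest to see with a small model. The script below is an added example, not code from the original article: it models an authentication cookie as "user|expiration|token|hmac" and checks it with an HMAC keyed by AUTH_KEY. WordPress's real scheme also mixes in AUTH_SALT and a fragment of the user's password hash, which this model leaves out. It assumes the openssl command-line tool is installed; the two keys and the cookie fields are constructed sample values.

```shell
#!/bin/bash
# Added example: simplified model of a WordPress auth cookie bound to AUTH_KEY.
# Not the real WordPress algorithm; it only shows why rotating the key rejects old cookies.

hmac_sha256() {   # hmac_sha256 KEY MESSAGE -> hex digest
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{ print $NF }'
}

# issue_cookie KEY USER EXPIRY TOKEN -> "user|expiry|token|hmac"
issue_cookie() {
    local key="$1" user="$2" expiry="$3" token="$4"
    printf '%s|%s|%s|%s\n' "$user" "$expiry" "$token" "$(hmac_sha256 "$key" "$user|$expiry|$token")"
}

# validate_cookie KEY COOKIE NOW -> 0 if COOKIE is valid under KEY at time NOW, 1 otherwise
validate_cookie() {
    local key="$1" cookie="$2" now="$3" user expiry token mac expected rest
    # Exactly four '|'-separated fields, otherwise the cookie is malformed
    [ "$(printf '%s' "$cookie" | tr -cd '|' | wc -c)" -eq 3 ] || return 1
    user=${cookie%%|*};  rest=${cookie#*|}
    expiry=${rest%%|*};  rest=${rest#*|}
    token=${rest%%|*};   mac=${rest#*|}
    # Expired cookies are rejected before any key is used
    [ "$expiry" -gt "$now" ] 2>/dev/null || return 1
    # A different key, or any edited field, produces a different MAC
    expected=$(hmac_sha256 "$key" "$user|$expiry|$token")
    [ "$mac" = "$expected" ]
}

# Constructed keys: the value before and after a rotation (the first is the wp-config-sample.php placeholder)
OLD_KEY='put your unique phrase here'
NEW_KEY='K3j#9!aLm2$zQ8*wT5^pR7&nB1(cV4)xY6'

COOKIE=$(issue_cookie "$OLD_KEY" alice 1700000000 sess01)
if validate_cookie "$OLD_KEY" "$COOKIE" 1690000000; then
    echo "before rotation: cookie accepted"
fi
if ! validate_cookie "$NEW_KEY" "$COOKIE" 1690000000; then
    echo "after rotation: cookie rejected, user must log in again"
fi
```

The session record itself is untouched; the server simply can no longer reproduce the MAC on cookies issued under the old key, so every browser holding one is sent back to the login form.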
Method 1: Bash Script to Replace SALT Keys Automatically
This shell script fetches a fresh set of keys from the WordPress API and replaces the existing definitions in your wp-config.php file.
Bash Script
#!/bin/bash
set -euo pipefail
# Path to wp-config.php
WPCONFIG="./wp-config.php"
# Check if wp-config.php exists
if [ ! -f "$WPCONFIG" ]; then
    echo "Error: wp-config.php not found." >&2
    exit 1
fi
# Fetch new keys (-f makes curl fail on an HTTP error instead of returning an error page)
SALT=$(curl -fsS https://api.wordpress.org/secret-key/1.1/salt/)
# Verify the response: exactly eight define() lines are expected
if [ "$(printf '%s\n' "$SALT" | grep -c "^define(")" -ne 8 ]; then
    echo "Error: Could not retrieve new SALT keys." >&2
    exit 1
fi
# Backup the original file (-p keeps owner, mode and timestamps)
cp -p "$WPCONFIG" "${WPCONFIG}.bak_$(date +%Y%m%d%H%M%S)"
# Drop the old define() lines and insert the new ones before the "stop editing" marker
# (or the wp-settings.php include): keys appended after that line are never seen by WordPress
NEWKEYS=$(mktemp)
printf '%s\n' "$SALT" > "$NEWKEYS"
awk -v keys="$NEWKEYS" '
    /^define\(.*(SECURE_AUTH|LOGGED_IN|NONCE|AUTH)_(KEY|SALT)/ { next }
    (/stop editing/ || /wp-settings\.php/) && !done {
        while ((getline line < keys) > 0) print line
        print ""
        done = 1
    }
    { print }
    END { if (!done) exit 1 }
' "$WPCONFIG" > "${WPCONFIG}.tmp" || { echo "Error: no insertion point found in $WPCONFIG." >&2; rm -f "${WPCONFIG}.tmp" "$NEWKEYS"; exit 1; }
# Overwrite in place rather than mv, so the file keeps its owner and permissions
cat "${WPCONFIG}.tmp" > "$WPCONFIG"
rm -f "${WPCONFIG}.tmp" "$NEWKEYS"
echo "SALT keys updated successfully in $WPCONFIG"
Method 2: Rotate SALT Keys Using WP-CLI
If you have WP-CLI installed, you can take advantage of its wp config set command to update SALT values dynamically. Here’s how.
WP-CLI Script
#!/bin/bash
set -eu
# Check for WP-CLI
if ! command -v wp &> /dev/null; then
    echo "Error: WP-CLI is not installed." >&2
    exit 1
fi
# Backup wp-config.php (-p keeps owner, mode and timestamps)
cp -p wp-config.php "wp-config.php.bak_$(date +%Y%m%d%H%M%S)"
# Fetch one set of keys; fetching inside the loop works but costs eight round trips
SALT=$(curl -fsS https://api.wordpress.org/secret-key/1.1/salt/)
# Update each SALT key
for KEY in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    # Match the quoted name exactly: a bare "grep AUTH_KEY" would also match SECURE_AUTH_KEY
    VALUE=$(printf '%s\n' "$SALT" | grep "'$KEY'" | cut -d "'" -f4)
    if [ -z "$VALUE" ]; then
        echo "Error: no value returned for $KEY." >&2
        exit 1
    fi
    # No --raw here: these constants are strings and must be written quoted, not as raw PHP
    wp config set "$KEY" "$VALUE" --type=constant
done
echo "SALT keys updated via WP-CLI."
Additional Best Practices
- Always back up your wp-config.php before modifying it.
- Automating key rotation via a cron job every 30–60 days is recommended.
- Changing SALT keys will force all users to log in again, which can be useful after a security incident.
- Combine SALT key rotation with other security enhancements like 2FA and login rate limiting.
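When rotation runs unattended from cron, the step nobody watches is the one that matters: a key that landed after the wp-settings.php include, a placeholder left behind, or a syntax error takes the site down silently. The script below is an added example, not part of the original article or of WordPress: check_salts inspects a wp-config.php and reports every such problem, and rotate_and_verify wraps any rotation command (the article's Bash script, its WP-CLI loop, or WP-CLI's own wp config shuffle-salts) so the backup is restored automatically when the check fails. The MIN_LEN threshold, the rotate-wp-salts.sh path and the crontab line are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the original article): verify wp-config.php after a rotation
# and roll back to the backup when the result is not usable.
SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"   # value shipped in wp-config-sample.php
MIN_LEN=32   # assumption: anything shorter is treated as suspicious (the WordPress API returns 64 characters)

# check_salts FILE -> 0 when every key is defined exactly once, is not the placeholder, is long
# enough and sits above the wp-settings.php include; 1 otherwise, each problem reported on stderr
check_salts() {
    local file="$1" key hit count n value settings_n problems=0
    settings_n=$(grep -n "wp-settings\.php" "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$settings_n" ]; then
        echo "$file: no wp-settings.php include found" >&2
        return 1
    fi
    for key in $SALT_KEYS; do
        # Quoted name: a bare AUTH_KEY pattern would also match SECURE_AUTH_KEY
        hit=$(grep -n "define(.*'$key'" "$file" || true)
        count=$(printf '%s\n' "$hit" | grep -c "'$key'" || true)
        if [ "$count" -ne 1 ]; then
            echo "$file: $key is defined $count times (expected 1)" >&2
            problems=$((problems + 1))
            continue
        fi
        n=${hit%%:*}                                     # line number of the define()
        value=$(printf '%s\n' "$hit" | cut -d "'" -f4)    # second quoted field is the value
        if [ "$n" -gt "$settings_n" ]; then
            echo "$file: $key is defined after wp-settings.php is loaded (line $n)" >&2
            problems=$((problems + 1))
        fi
        if [ "$value" = "$PLACEHOLDER" ] || [ "${#value}" -lt "$MIN_LEN" ]; then
            echo "$file: $key still has the placeholder value or is too short" >&2
            problems=$((problems + 1))
        fi
    done
    # Syntax check when a PHP CLI is available: one malformed define() takes the whole site down
    if command -v php >/dev/null 2>&1 && ! php -l "$file" >/dev/null 2>&1; then
        echo "$file: php -l reports a syntax error" >&2
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# rotate_and_verify FILE ROTATE_CMD -> run ROTATE_CMD (a script or function that rewrites FILE),
# keep the result only if check_salts passes, otherwise restore the backup taken beforehand
rotate_and_verify() {
    local file="$1" rotate="$2" backup
    backup="${file}.bak_$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup"
    if "$rotate" && check_salts "$file"; then
        echo "rotation verified; backup kept at $backup"
        return 0
    fi
    echo "rotation failed verification; restoring $backup" >&2
    cat "$backup" > "$file"     # overwrite in place so owner and mode are preserved
    return 1
}

# Constructed crontab entry for a monthly run (adjust the path and time to your host):
# 0 3 1 * * cd /var/www/html && /usr/local/bin/rotate-wp-salts.sh >> /var/log/wp-salt-rotation.log 2>&1
```

Keep the log from the cron job somewhere you actually read: a rotation that restored its backup is a rotation that did not happen, and the old sessions stay valid until you look.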
Conclusion
Keeping your WordPress installation secure goes beyond updating themes and plugins. Automating SALT key rotation is a proactive and effective way to improve authentication security, reduce attack surfaces, and enforce session expiration. Whether you prefer Bash scripting or WP-CLI, both solutions presented here can be adapted to your server environment and workflow.
Source: WordPress Directo