Auto-Update Your WordPress Salts With WP-Salts-Update-CLI

Raise your hand if you manage more than five WordPress sites. Keep it raised if the number exceeds ten. WordPress security is a primary concern for all site owners, and it becomes even more grave if you have multiple sites to take care of. Because you cannot monitor all the sites all the time, you need a quick and easy fix to protect your sites from brute force attacks.

WordPress security keys and salts offer a robust solution to harden your site security. They play a significant role in securing site cookies and stopping hackers from accessing your site. 

Changing salts (manually or via an online key generator) for every single website can be time-consuming. So what if I tell you that you can update your WordPress salts for all your sites in a few seconds? Yes, it is possible! Today, I'll share the incredible WP-Salts-Update-CLI, which can help you update your salts in a jiffy.

In this post, I am going to discuss a few basics about WordPress salts and how this CLI works. Let's begin!

Security Keys & Salts in WordPress

In WordPress version 2.6, security keys and salts were introduced as authentication variables to improve the security of your login credentials. They add protection to your site's username and password, which get stored in the user’s cookies. They are found in the wp-config.php of every website right below the database credentials.

At present, four different security keys exist: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY. 

Each security key has a corresponding salt too. These salts are AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT. 

Here's a screenshot of the wp-config.php from one of my demo websites.

[Screenshot: WP security keys and salts]

WP-Salts-Update-CLI

WP-Salts-Update-CLI (WPSUCLI) provides an automated solution to update WordPress salts through a CLI. WPSUCLI downloads new salts from the WP API and uses them to replace the ones in your wp-config.php file for every site on your server.

You can see the complete code in the project GitHub repo. Here is the main loop:

# Remember the starting directory.
THE_PWD=$(pwd)

# ${wb}, ${gb}, ${bf} and ${r} are formatting variables defined elsewhere in the full script.

# Start the loop.
find . -name wp-config.php -print | while IFS= read -r line
do
	# echo "LINE: $line"
	SITE="$(basename "$(dirname "$line")")"

	# Get dir path where wp-config.php file is present.
	DIR=$( cd -P "$( dirname "$line" )" && pwd )/
	# echo "DIR: $DIR"
	cd "$DIR"

	echo "-"
	echo "${wb} ${bf}--------------- ⏲️  UPDATING SALTS FOR: $SITE... ---------------${r}"

	## Download the new salts to a file called salts.
	curl "https://api.wordpress.org/secret-key/1.1/salt/" -sSo salts

	echo "${wb} ${bf}--------------- 🎯  SALTS DOWNLOADED... ---------------${r}"

	# Split wp-config.php into 3 on the first and last definition statements.
	csplit wp-config.php '/AUTH_KEY/' '/NONCE_SALT/+1'

	# Recombine the first part, the new salts and the last part.
	cat xx00 salts xx02 > wp-config.php

	# Tidy up.
	rm salts xx00 xx01 xx02

	echo "${gb} ${bf}--------------- ✔︎✔︎✔︎ DONE! SITE: $SITE SALTS UPDATED!!! 💯 🎉 ✔✔✔ ---------------${r}"
	echo "-"
	cd "$THE_PWD"
done

This works by first finding every wp-config.php file in the directory subtree, starting with the current working directory. Then, it downloads the new salts, adds them to the wp-config.php file, and cleans up the temporary files.
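
The loop writes whatever curl saved into wp-config.php without checking it, so an empty or non-salt response would replace the key block. The following is an added example, not code from the WPSUCLI project: it validates the download and swaps it in atomically. The function names salts_valid and replace_salts and the demo files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not WPSUCLI's code): validate the downloaded salts, then swap
# them into wp-config.php atomically. Function names here are hypothetical.
KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# True only if FILE is exactly eight define() lines, one per expected name, each
# with a 64-character value. An empty file or an HTML error page fails.
salts_valid() {
	local file=$1 name
	[ "$(grep -c '' "$file")" -eq 8 ] || return 1
	for name in $KEYS; do
		[ "$(grep -Ec "^define\('$name', +'.{64}'\);\$" "$file")" -eq 1 ] || return 1
	done
}

# Replace the AUTH_KEY..NONCE_SALT block of CONFIG with the lines in SALTS.
# CONFIG is left untouched if anything fails.
replace_salts() {
	local config=$1 salts=$2 first last tmp
	salts_valid "$salts" || { echo "rejected salts for $config" >&2; return 1; }
	first=$(grep -n "^define( *'AUTH_KEY'" "$config" | head -n 1 | cut -d: -f1)
	last=$(grep -n "^define( *'NONCE_SALT'" "$config" | head -n 1 | cut -d: -f1)
	[ -n "$first" ] && [ -n "$last" ] && [ "$first" -lt "$last" ] || return 1
	tmp=$(mktemp "$config.XXXXXX") || return 1
	# cp -p first so the temp file inherits the original's mode (and owner, as root).
	cp -p "$config" "$tmp" && awk -v f="$first" -v l="$last" -v s="$salts" '
		NR == f { while ((getline ln < s) > 0) print ln }  # new block where the old one began
		NR < f || NR > l                                   # keep lines outside the old block
	' "$config" > "$tmp" && mv "$tmp" "$config" || { rm -f "$tmp"; return 1; }
}

# Constructed demo: a throwaway config, one failed download and one good download.
demo() {
	local d k; d=$(mktemp -d) || return 1
	{ echo "<?php"; echo "define('DB_NAME', 'demo');"
	  for k in $KEYS; do echo "define('$k', 'old');"; done
	  echo "\$table_prefix = 'wp_';"; } > "$d/wp-config.php"
	for k in $KEYS; do printf "define('%s', '%064d');\n" "$k" 0; done > "$d/good"
	echo '<html>503 Service Unavailable</html>' > "$d/bad"
	replace_salts "$d/wp-config.php" "$d/bad" 2>/dev/null && return 1   # must be refused
	replace_salts "$d/wp-config.php" "$d/good" || return 1
	cat "$d/wp-config.php"; rm -rf "$d"
}
demo
```

Because the temp file is created next to wp-config.php, the final mv is a rename on the same filesystem, so a request arriving mid-update sees either the old file or the new one.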

Getting Started!

Open a command line terminal (I prefer iTerm2) and run the following command in the root of your server.  I am installing it in my local Mac environment to update the salts of my site's local images, which I will sync via SFTP later.

sudo wget -qO wpsucli https://git.io/vykgu && sudo chmod +x ./wpsucli && sudo install ./wpsucli /usr/local/bin/wpsucli

This command will perform the following actions:

  • Use sudo permissions.
  • Use wget to download WPSUCLI and rename it to wpsucli.
  • Make wpsucli executable.
  • Install the script.

The last part—&& sudo install ./wpsucli /usr/local/bin/wpsucli—is meant to install this script in macOS. You can ignore this in other environments. It installs wpsucli inside the /usr/local/bin/ folder.

Usage

  • Just run wpsucli and it will update the salts for every wp-config.php file on your server or PC.
  • If you are running it on your server then run it from the root folder, i.e. first cd / and then run wpsucli.

If for some reason the script doesn't work, you might want to check the output of the command find . -name wp-config.php -print. As we saw above, this is the same find command that is used in the script. It should print the paths for all the wp-config.php files present in your current directory or directories within it. If it doesn't display the paths, then you're probably starting in the wrong folder! Try going to your user folder or the root—cd ~ or cd /—and running wpsucli again.

Final Results

Before I run these commands to show how this CLI works, let me show the current salts of one of my wp-config.php files.

define('AUTH_KEY',         '~Efg4jcdm9`-]B.r?x0HqI6eCJ~*M7rRN?01I(i In1~*clcP6Q>BMtJnvES+$Cv');
define('SECURE_AUTH_KEY',  '+Qh(L@4Rh^Rll+R1V1)[]d[cvU25[2%Eg}CE(PA/.<{.j+oa_{L>xi_OWRu`.8E(');
define('LOGGED_IN_KEY',    'n7~+XV6E[S3%!)h>TmP]<$nX)R]TGL$|;7zl]uz5C8k{B[0-JWcvonYwp3X4XG%(');
define('NONCE_KEY',        '%~cM.TBmgsL8ed7is|(>J GM>b&}I3Wl,K;/mSu#|KmUa|=D6(]MVqBlC&0txCEH');
define('AUTH_SALT',        '(V>0C,[]0g T&]4AJPD-TEPIaH$E<Md%_?caPOA|=~{2|WyPy4u>K6=/+aY,t#{*');
define('SECURE_AUTH_SALT', '3<uyG[T48_KW]d2|wNXK6WYSDgwbZ2Q~VWI:]&?ys%Y2}*hhwGwbr)PUxYe)sZ4b');
define('LOGGED_IN_SALT',   ']<hq6?IU>osk?Z+`mux_h</YMwhF%2Gm!b|~caO+z8+Ju{xPz?EgSaJBzWbv_Xn7');
define('NONCE_SALT',       'k5h`<*}FBp0#oL-z^.-fLj9J%|wU>H:zT4KEnMrv{r0XJ-Bc+Pf?::N]YP&Rqu$D');

After running the commands in my iTerm, I was notified about updating salts with the following:

[Screenshot: WP Salts CLI]

Now if I look at the salts, they have been entirely changed.

define('AUTH_KEY',         ';iCfD K=:j(m|3D+ |0d|4e|KqgR|].A/4,*RFgIyjf$>^f?OI)XI}).g> H;Xb7');
define('SECURE_AUTH_KEY',  'MK`^4R+@]1.-aTLVnd/0Zo6F~]X..XsvgM>V6hx.g*^? <mX2M@t0War7t*k~&B-');
define('LOGGED_IN_KEY',    'f^o(RAd6cs5/#KMu|+p[;u@RE:]-q[Xhp]YWH0i@(s>I/!)i4jr!,Oc 2k`+[JAu');
define('NONCE_KEY',        'SN&t[ -2=*YvU<k.?Jnm>U?AC,itu8])9eq5b8}@D+T!E>+m0hC6~>H8wR1s*2|}');
define('AUTH_SALT',        '0y?oq%cIyYkj|/]9(UvPj>dte_?s.lV2#_+Hk~^#seF`XD$MX@QuAryj0--7tc)k');
define('SECURE_AUTH_SALT', 'kf+lnL)Ea5;#/CE+ybUH@t}W!N@1V.quvY+NAZn;yg-mzj,ImJ>jk/2N}9hx&K+@');
define('LOGGED_IN_SALT',   '+s.&l/ovLDXc;>~Ir+gxwlJNze5Ola5tx3-ytgzkbnhm-}j&I>di[jB:vfUT9ysQ');
define('NONCE_SALT',       'Exc8OkW[IOHH=&?_l/;w $)F9R$=DR~e%|Z&3p9x|0U*;GrRq{T8x^Z~#-.&/j*}');

It is that simple!

Your Turn

Now it’s your turn to try this CLI and update your WordPress salts with WP-Salts-Update-CLI. If you have any issues, make sure you report them on GitHub. Pull requests are more than welcome.

Have you tried this out? Let me know about your experience. Drop in your feedback in the comments section below.
