Salt Shaker


By using Salt Shaker plugin, you’ll be able to harden your WordPress security. It allows you to change the salt keys either manually or automatically.

Try it out on a free dummy site:
Click here and you’ll get the chance to see it in action

Why Use SALT Keys in WordPress?

When you log in to WordPress, you have the option to remain logged in long-term. To achieve this, WordPress stores your login data in cookies instead of in a PHP session. Malicious individuals can hijack your cookies through various means, leaving your website vulnerable.

To make it harder for attackers to use cookie data, you can take advantage of SALT keys. WordPress SALT keys encrypt your password, making it harder to guess. What’s more, it’s next to impossible for hackers to simply ‘unscramble’ the result in order to get at the original password.

Read more on WPEngine Blog

What people says about Salt Shaker

Elgenat Themes

Like Salt Shaker? Consider leaving a 5 star review.

Salt Shaker Features

  • Improve your WordPress security.
  • Easy to use, set it and forget it, with minimal settings.
  • Manual and immediate WP security keys and salts changing.
  • Set automated schedule for keys and salts change.


Feel free to fork the project on GitHub and submit your contributions via pull request.


  • Plugin Settings.


  1. Upload salt-shaker folder to the /wp-content/plugins/ directory.
  2. Activate the plugin through the Plugins menu in WordPress.
  3. Navigate to Tools > Salt Shaker menu to configure the plugin.


Nothing happens?

Make sure that wp-config.php file has the salt keys. If for any reason the keys aren’t there; you can always generate a set of keys from this link and add it to your wp-config.php file. Once that’s done, the plugin will be able to shake them based on your settings.

The plugin isn’t working or have a bug?

Post detailed information about the issue in the support forum and we will work to fix it.

Custom wp-config.php location?

You can use this filter to define the file location salt_shaker_salts_file. Example:
In this example, the new location of the config file is in a folder that’s outside WordPress location in a folder called wpsecret. Make sure to replace it with your secret location 😉

function salt_shaker_new_file($salts_file_name) {
    $salts_file_name = '../wpsecret/wp-config';
    return $salts_file_name;

add_filter('salt_shaker_salts_file', 'salt_shaker_new_file');


18 May 2023 1 reply
Reviewed the changelog before installing, glad file permissions are now left alone, confirmed, all working as expected. Great plugin, thanks! 5-Stars!
09 March 2023
This is a simple, elegant and yet powerful addition to any security you might already have on your site/sites. I have been the victim of cookie hijacking. It wasn’t a pleasant experience! This plugin ensures you and your team log out according to a fixed schedule resulting in a fresh cookie when you log back in. Indispensable!
28 February 2023
This plugin (Salt Shaker) is amazing, and every WP website needs it. Use this plugin to keep your website secure.<gwmw style=”display:none;”></gwmw>
Read all 27 reviews

Contributors & Developers

“Salt Shaker” is open source software. The following people have contributed to this plugin.


“Salt Shaker” has been translated into 5 locales. Thank you to the translators for their contributions.

Translate “Salt Shaker” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.



  • WordPress 6.6 compatibility.
  • Show admin notices only on the plugin page.


  • WordPress 6.5 compatibility.


  • WordPress 6.4 compatibility.


  • Minor bug fixes.
  • Updated Freemius SDK.


  • Quick fix for the wp-salt file path.


  • WordPress 6.2 compatibility.
  • Support for wp-salt files.
  • Introducing Salt Shaker PRO.


  • WordPress 6.1 compatibility.


  • WordPress 6.0 compatibility.
  • Fix an issue with the AUTH_KEY and AUTH_SALT keys not being changed.


  • Tested with WordPress 5.9.


  • WordPress 5.8 compatibility.


  • WordPress 5.7 compatibility.


  • WordPress 5.5 compatibility.


  • WordPress 5.4 compatibility.
  • Replacing some functions with standard WP functions.


  • Enhanced internationalization.
  • WordPress 5.3 compatibility.


  • Keeping the original permissions of the config file.
  • Performance improvement


  • Changing the config permission to 0640
  • Added: filters for additional salts


  • Tested with WordPress 5.1.
  • Added: link to the settings page from the plugins page.
  • Added: redirect to the login page after the immediate change action.
  • Added: check if wp-config.php is writable. How the heck this was missing?!
  • Added: Filter to define a custom salts file. salt_shaker_salts_file


  • Tested with the upcoming WordPress 5.0
  • #11 – Added more interval times, quarterly and bianually.
  • Fixed an issue with wp-config being in outside the root directory.
  • Fixed a bug when updating the cron, now the old cron job is deleted.


  • Tested with the upcoming WordPress 4.9
  • #9 – Change salts if wp-config.php is moved one directory higher than the document root
  • Setting the right permission to wp-config.php after changing the salts according to Codex recommendations.


  • #8 – Change line endings to LF


  • Security improvements


  • Improvements:
    ** Ensure the user is administrator before processing AJAX requets
    ** Escape attributes using esc_attr_e


  • WordPress 4.8 Compatibility.


  • WordPress 4.7 Compatibility.


  • Edited Arabic translation file.


  • Few enhancements
  • Multilingual Ready


  • Initial Release