What are “salts” and “hashes”?

If you’re not a programmer, these terms might sound confusing (or like breakfast foods). In data security, salts and hashes describe how we transform personal data (like IP addresses) so it can’t be traced back to an individual.

  1. Hash
    • A hash is a one-way transformation of data. Input data—such as an IP address—gets scrambled into a random-looking string (e.g., a7d93f2...).
    • It’s called “one-way” because it should be extremely difficult (practically impossible in many cases) to derive the original input from the hash.
  2. Salt
    • A salt is a random string added to the input before hashing. By mixing the salt with the IP address (and potentially other info, like user agents), the resulting hash becomes far more difficult to “reverse” or guess.

IP Anonymization (the first step)

Before any hashing happens, WP Statistics anonymizes your visitors’ IP addresses. For example, if a visitor’s IP is 192.168.0.15, the plugin stores it in a partially obscured form like 192.168.0.x. So, we never save the full IP address—this already goes a long way toward protecting your visitors’ privacy.

Daily salt + SHA-256 (from version 14.12.3) + truncation

Here’s how WP Statistics turns your visitors’ anonymized IP (plus other data) into an anonymized hash:

  1. Anonymize the IP
    • WP Statistics masks the last segment of the IP.
  2. Daily Salt
    • Each day, WP Statistics generates (or retrieves) a unique salt specific to that date.
    • This means yesterday’s salt can’t be used to decode today’s data.
  3. Combine IP + Salt + User Agent
    • We take the anonymized IP, the daily salt, and the visitor’s user agent string (browser/OS info) and combine them into a single string.
  4. Hash the data (SHA-256)
    • As of version 14.12.3, we use SHA-256, which produces a 64-character string in hexadecimal format.
  5. Store only the first 40 characters
    • To keep database usage lower (and for historical compatibility with prior versions that used SHA-1, which was 40 characters long), WP Statistics truncates the SHA-256 hash to the first 40 characters.
    • Only these 40 characters are stored in your database.

Even with the truncation, your visitors’ IP addresses remain private. A partial SHA-256 hash is still exceptionally difficult to reverse, and the daily salt ensures data can’t be correlated across days.

A quick example (simplified)

  1. Original IP: 192.168.0.15 → Anonymized: 192.168.0.x
  2. Daily Salt: f4b76ad8e1f... (randomly generated)
  3. Combine: f4b76ad8e1f + 192.168.0.x + Mozilla/5.0 ...
  4. SHA-256 Hash (64 chars total): 02c84f6040b8433c350e740246e3feea1d44dba52551f21b3bdd...
  5. Record Only the First 40 (e.g.): 02c84f6040b8433c350e740246e3feea1d44dba5
    • This 40-character hash is what goes into the database.
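
The steps above as a minimal Python sketch. This is an added example, not WP Statistics' own code (the plugin is written in PHP): the function names, the in-memory salt store, the plain concatenation order and the IPv4-only masking are assumptions made for illustration.

```python
import hashlib
import ipaddress
import secrets
from datetime import date

# Assumption: stand-in for wherever the daily salt is actually persisted.
_daily_salts = {}

def anonymize_ip(ip: str) -> str:
    """Mask the last segment of an IPv4 address: 192.168.0.15 -> 192.168.0.x."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version != 4:
        raise ValueError("this sketch only covers the IPv4 case shown on the page")
    return ".".join(str(addr).split(".")[:3]) + ".x"

def daily_salt(day: date) -> str:
    """Generate (or retrieve) the random salt that belongs to one calendar date."""
    key = day.isoformat()
    if key not in _daily_salts:
        _daily_salts[key] = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    return _daily_salts[key]

def visitor_hash(ip: str, user_agent: str, day: date) -> str:
    """salt + anonymized IP + user agent -> SHA-256 -> first 40 hex characters."""
    combined = daily_salt(day) + anonymize_ip(ip) + user_agent
    digest = hashlib.sha256(combined.encode("utf-8")).hexdigest()  # 64 hex chars
    return digest[:40]

if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed sample user agent)"
    d1, d2 = date(2025, 1, 1), date(2025, 1, 2)  # constructed dates
    first = visitor_hash("192.168.0.15", ua, d1)
    print(first, len(first))
    # Same visitor, same day: identical hash, so counted once.
    print("same visitor, same day :", first == visitor_hash("192.168.0.15", ua, d1))
    # Different last octet, same user agent: the masked IP is identical too.
    print("same /24 + UA, same day:", first == visitor_hash("192.168.0.200", ua, d1))
    # New day means a new salt, so the hash no longer matches.
    print("same visitor, next day :", first == visitor_hash("192.168.0.15", ua, d2))
```

The second comparison is also True: two addresses that differ only in the masked segment and send the same user agent produce the same hash on the same day.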

Limitations and Considerations

While our approach provides robust privacy and accurate visitor counting, it does come with a few trade-offs:

  1. No long-term tracking
    • Because the salt changes daily, the same visitor on different days is counted as unique.
  2. No “returning visitors” metric
    • We do not store persistent identifiers that track users across days or sessions.
  3. Daily uniqueness
    • A visitor who returns multiple times within the same day is counted as one unique visitor for that day.
    • A new day (with a new salt) means they’ll be counted as a new visitor again.

These limitations are by design to preserve visitor privacy. If your analytics requirements include long-term user tracking, you’d need a different approach that would inevitably store more personal data.

Why SHA-256?

We moved from SHA-1 to SHA-256 in version 14.12.3:

By truncating to 40 characters, we maintain compatibility with databases and systems expecting a 40-character field, while still preserving a high level of security and privacy.

Conclusion

At WP Statistics, we anonymize IP addresses, use a daily salt for every visitor, and then hash that data with SHA-256 (storing only the first 40 characters). This process ensures:

We believe these trade-offs are worth it to protect privacy. If you have any questions or need more advanced features, feel free to check our documentation or reach out to us!
