Open any wp-config.php file and you will find a block of eight long, random strings labelled keys and salts. They look like noise, and that is the point. This guide explains what they do, when you should regenerate them, and how to do it safely.
What WordPress salts are
WordPress uses these eight constants to harden the cookies and sessions that keep users logged in:
AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT
Together they scramble (or “salt”) the authentication data WordPress stores in cookies. Strong, random salts mean that even if someone gets hold of a cookie, they cannot easily reuse or forge it. Weak or default salts make that attack far easier.
Generate fresh salts in two steps
- Open the WordPress Salt Generator. It creates a full set of eight define() lines using your browser’s secure random generator.
- Copy the block and paste it into wp-config.php, replacing the existing keys and salts section.
The keys are generated entirely on your device, so they are never sent over the network. That is important: a secret that travels to a third-party server is no longer fully secret.
Where the salts go
In wp-config.php, look for the section that starts with a comment about authentication unique keys and salts. Replace the whole block of eight define() lines with your freshly generated set. Keep the constant names exactly as they are; only the long string values change.
When to regenerate
You do not need to rotate salts on a schedule, but you should regenerate them when:
- You suspect a compromise, or you are cleaning up after malware or a breach.
- You want to force every user to log in again. Changing the salts instantly invalidates all existing sessions, which is a fast way to lock out an attacker who may have a stolen cookie.
- You cloned a site from a backup or staging copy and want the production site to have its own unique secrets.
After you save the new salts, you will be logged out and will need to sign in again. That is expected.
Keep the rest of wp-config.php tidy
Salts are one layer. While you are in the file, it is worth setting the right database constants, disabling the file editor, and getting the table prefix right.
Related tools
- Build a complete, secure wp-config.php with the wp-config Generator.
- Need strong passwords for admin accounts? Use the Password Generator.
- Hardening .htaccess too? Try the .htaccess Builder.
Fresh salts take ten seconds to generate and add a real layer of protection. Generate a set, paste them into wp-config.php, and sign back in.