WordPress Salt Generator
Generate fresh, cryptographically secure WordPress authentication keys and salts for your wp-config.php. Created locally in your browser, never fetched from a remote API.
crypto.getRandomValues(). Unlike the official wordpress.org salt API, nothing is requested over the network. Paste them into wp-config.php, replacing the placeholder lines. Regenerating logs out all active sessions.About the WordPress Salt Generator
The WordPress Salt Generator instantly creates the eight secret keys and salts WordPress uses to encrypt session cookies and secure your login, delivered as ready-to-paste define() lines for wp-config.php. It's built for WordPress developers, site admins, and freelancers who need to harden a new install or rotate compromised credentials. Because every value is generated locally in your browser, the secrets never travel across the network before they reach your site.
How it works
- Open the tool and it immediately generates all eight keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT) as complete define() statements.
- Click Regenerate at any time to produce a fresh set of random values, or use Copy All to grab the entire block of define() lines at once.
- Open your site's wp-config.php, find the existing block of authentication keys and salts, replace it with the copied lines, and save the file.
Features
- Generates all eight WordPress secret keys and salts in the exact define() format wp-config.php expects.
- Each salt is 64 cryptographically random characters produced with the browser's crypto.getRandomValues API.
- Runs entirely client-side, so unlike the official api.wordpress.org/secret-key service no values are generated or sent on a remote server.
- One-click Regenerate and Copy All buttons for fast, error-free setup.
- Completely free with no signup, account, or tracking required.
Frequently asked questions
What are WordPress salts and secret keys?
They are long random strings that WordPress uses to encrypt the information stored in your login cookies. Strong, unique keys make it far harder for an attacker to forge a session and impersonate a logged-in user, so they are a core part of securing any WordPress site.
Where do I put these in wp-config.php?
Open wp-config.php in your site's root directory and locate the existing block of eight define() lines labelled 'Authentication Unique Keys and Salts'. Delete those lines and paste the generated block in their place, then save the file.
What happens when I change the salts?
Changing the keys or salts invalidates all existing login cookies, which immediately logs out every user on the site (including you). Everyone simply has to log in again, and no posts, settings, or other data are affected.
How often should I rotate my salts?
There is no fixed schedule, but it's good practice to rotate them whenever you suspect a compromise, after removing a user or developer who had access, or periodically as part of routine maintenance. Because rotating only forces re-logins, it is a safe, low-risk action.
Is this safer than the WordPress.org generator?
The official api.wordpress.org/secret-key endpoint generates your keys on WordPress's servers and sends them back to your browser. This tool generates everything locally using the browser's cryptographic random number generator, so the secret values are never produced or transmitted by a remote server before you use them.