WordPress Salt Generator
Generate the eight WordPress authentication keys and salts for wp-config.php. Everything is produced locally in your browser using crypto.getRandomValues(), so the secret values never leave your machine.
define('AUTH_KEY', '?V[CBV_y{Dg+{B[VMB6S9jT,fYJ.P&Sh{28LanE!z0_WZMMtr#$+DS.%53[}kFXw');
define('SECURE_AUTH_KEY', 'Qn&nUI7BTf-_<8VdRefk%VFi17}4Q).pHXjDAwJZUm(JH2s4VC>wBSmkbk2JsF[^');
define('LOGGED_IN_KEY', 'vBpX@3c?*eu?AfPYDSZ}=)8X&=e-l](+e=<xdD3wH9%aIzfN&^n.KZfoXHFP.2?-');
define('NONCE_KEY', '$4*s7+85zG6zRB{Dz}oq_$YF$R<,{&)83b_J_YNvrnBYoTKp$>s)-}OnRTMoVN@8');
define('AUTH_SALT', 'cUObi.H3fTd@Y-RMo5EP7UP-Iu]H#i?sqR9z!B=CnF19W=M5M8339*p6ut?byw##');
define('SECURE_AUTH_SALT', '{69Stu+YBdn1WnMc*ahM1#4rm%KYH.(}[oBaeLSY$?8C<OS*r!FUpOB4UvgcB6ET');
define('LOGGED_IN_SALT', 'lcb]4TG6dbZa0Ln-VtMp8lsy%Kk$Y]@0jv}u[oBY21C}H]Lv<5?bR!7qTiKV$)u)');
define('NONCE_SALT', '=(<Jxt5MQ]!E5t!4fm[k+?15!6R10@Gn9xgG@OSU]?X6?Ro6%o=T1#KQE%FrgS6k');How to use this tool
- 1
A full set of eight define() lines is already generated when the page loads.
- 2
Click Regenerate any time you want a completely fresh set of values.
- 3
Click Copy all to put the whole block on your clipboard.
- 4
Paste it over the existing keys-and-salts section in your wp-config.php and save.
What are WordPress keys and salts, and what do they actually protect?
WordPress reads eight constants from wp-config.php: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, plus the matching AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT. They feed the HMAC functions (wp_hash and hash_hmac) that sign your authentication cookies and your nonces. A common misconception is that these values encrypt cookies or salt stored user passwords. Neither is true: WordPress does not encrypt the cookie, it signs it so the server can detect tampering, and stored passwords are hashed separately by phpass with their own per-user salt baked into each hash. So rotating these constants invalidates every active login session and outstanding nonce, but it never touches or resets anyone's password. Each value is meant to be a long, unpredictable string; WordPress accepts any characters you put here. This tool builds each constant from 64 characters drawn with your browser's cryptographically secure random generator, then formats them as ready-to-paste define() lines. Because generation happens entirely client-side, the secret material is never transmitted to any server, including api.wordpress.org's official secret-key endpoint.
Common use cases
Setting up a brand-new WordPress install and replacing the placeholder 'put your unique phrase here' lines in wp-config.php.
Rotating keys after a suspected compromise to force-log-out every session and invalidate stolen auth cookies.
Off-boarding an admin or contractor and wanting to kill any sessions they may still hold.
Periodic security hygiene on a production site, swapping in fresh salts every several months.
Generating salts on an air-gapped or restricted machine where you would rather not call an external endpoint.
Cloning a site to staging and giving the copy its own distinct keys so the two environments do not share cookie signatures.
Frequently asked questions
Is anything sent to a server?▼
Will regenerating salts log everyone out?▼
Does changing salts reset user passwords?▼
Are these the same as the official WordPress generator?▼
How long are the generated values?▼
How do I install them?▼
How often should I rotate them?▼
Related tools
Bcrypt Hash Generator
Generate bcrypt password hashes (client-side).
HMAC Generator
Generate HMAC signatures with SHA-256, SHA-1, MD5.
AES Encryption
Encrypt and decrypt text with AES-256 in your browser.
2FA QR Code Generator
Generate TOTP/2FA QR codes for authenticator apps.
Password Strength Tester
Test password strength against entropy and dictionaries.
Caesar Cipher Encoder
Encode and decode Caesar cipher with custom shifts.