RevealTheme logo

WordPress Salt Generator

Generate the eight WordPress authentication keys and salts for wp-config.php. Everything is produced locally in your browser using crypto.getRandomValues(), so the secret values never leave your machine.

define('AUTH_KEY', '?V[CBV_y{Dg+{B[VMB6S9jT,fYJ.P&Sh{28LanE!z0_WZMMtr#$+DS.%53[}kFXw');
define('SECURE_AUTH_KEY', 'Qn&nUI7BTf-_<8VdRefk%VFi17}4Q).pHXjDAwJZUm(JH2s4VC>wBSmkbk2JsF[^');
define('LOGGED_IN_KEY', 'vBpX@3c?*eu?AfPYDSZ}=)8X&=e-l](+e=<xdD3wH9%aIzfN&^n.KZfoXHFP.2?-');
define('NONCE_KEY', '$4*s7+85zG6zRB{Dz}oq_$YF$R<,{&)83b_J_YNvrnBYoTKp$>s)-}OnRTMoVN@8');
define('AUTH_SALT', 'cUObi.H3fTd@Y-RMo5EP7UP-Iu]H#i?sqR9z!B=CnF19W=M5M8339*p6ut?byw##');
define('SECURE_AUTH_SALT', '{69Stu+YBdn1WnMc*ahM1#4rm%KYH.(}[oBaeLSY$?8C<OS*r!FUpOB4UvgcB6ET');
define('LOGGED_IN_SALT', 'lcb]4TG6dbZa0Ln-VtMp8lsy%Kk$Y]@0jv}u[oBY21C}H]Lv<5?bR!7qTiKV$)u)');
define('NONCE_SALT', '=(<Jxt5MQ]!E5t!4fm[k+?15!6R10@Gn9xgG@OSU]?X6?Ro6%o=T1#KQE%FrgS6k');

How to use this tool

  1. 1

    A full set of eight define() lines is already generated when the page loads.

  2. 2

    Click Regenerate any time you want a completely fresh set of values.

  3. 3

    Click Copy all to put the whole block on your clipboard.

  4. 4

    Paste it over the existing keys-and-salts section in your wp-config.php and save.

What are WordPress keys and salts, and what do they actually protect?

WordPress reads eight constants from wp-config.php: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, plus the matching AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT. They feed the HMAC functions (wp_hash and hash_hmac) that sign your authentication cookies and your nonces. A common misconception is that these values encrypt cookies or salt stored user passwords. Neither is true: WordPress does not encrypt the cookie, it signs it so the server can detect tampering, and stored passwords are hashed separately by phpass with their own per-user salt baked into each hash. So rotating these constants invalidates every active login session and outstanding nonce, but it never touches or resets anyone's password. Each value is meant to be a long, unpredictable string; WordPress accepts any characters you put here. This tool builds each constant from 64 characters drawn with your browser's cryptographically secure random generator, then formats them as ready-to-paste define() lines. Because generation happens entirely client-side, the secret material is never transmitted to any server, including api.wordpress.org's official secret-key endpoint.

Common use cases

  • Setting up a brand-new WordPress install and replacing the placeholder 'put your unique phrase here' lines in wp-config.php.

  • Rotating keys after a suspected compromise to force-log-out every session and invalidate stolen auth cookies.

  • Off-boarding an admin or contractor and wanting to kill any sessions they may still hold.

  • Periodic security hygiene on a production site, swapping in fresh salts every several months.

  • Generating salts on an air-gapped or restricted machine where you would rather not call an external endpoint.

  • Cloning a site to staging and giving the copy its own distinct keys so the two environments do not share cookie signatures.

Frequently asked questions

Is anything sent to a server?
No. The values are created in your browser with crypto.getRandomValues() and rendered on the page. Nothing is uploaded, and unlike the official api.wordpress.org/secret-key endpoint, no network request is made to fetch them.
Will regenerating salts log everyone out?
Yes. Changing these constants invalidates the HMAC signature on existing auth cookies, so all logged-in users (including you) are signed out and must log in again. Pending nonces also become invalid.
Does changing salts reset user passwords?
No. Stored passwords are hashed independently by WordPress with their own salts. These constants only secure authentication cookies and nonces, so passwords are untouched and users log back in with the same credentials.
Are these the same as the official WordPress generator?
They serve the same purpose and WordPress accepts them identically, but the character set differs. This tool uses 64 characters from a fixed alphabet that omits some punctuation (such as quotes, backslash, semicolon and backtick); the official endpoint draws from a slightly wider set. The difference does not affect security in any practical way.
How long are the generated values?
Each of the eight constants is 64 characters long, giving plenty of entropy for cookie and nonce signing.
How do I install them?
Open wp-config.php, find the block of eight define() lines for AUTH_KEY through NONCE_SALT, delete those lines, and paste the copied block in their place. Save the file; the change takes effect on the next request.
How often should I rotate them?
There is no hard rule. Rotate immediately after any compromise or when removing privileged users, and otherwise consider a refresh every 6 to 12 months as routine hygiene, accepting that each rotation logs everyone out.

Related tools