WordPress Salt & Secret Key Generator
Generate a fresh, cryptographically secure set of WordPress secret keys and salts in PHP, .env, YAML, or JSON — free, and generated entirely in your browser.
Generating…🔒 Generated locally in your browser with crypto.getRandomValues — the keys never reach a server. Reload or hit Regenerate for a fresh set.
What are WordPress salts?
WordPress uses eight secret keys and salts — AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and their matching *_SALT values — to hash and encrypt the cookies and nonces it issues. Strong, unique values make stored authentication data far harder to forge or crack. They live in your site’s wp-config.php (or, for Bedrock-style setups, in your .env).
How to use them
- Pick your format above — PHP for a classic
wp-config.php, .env for Bedrock, or YAML/JSON for other tooling. - Copy the block and replace the matching lines in your config.
- Save and deploy. Existing users are simply logged out (their old cookies no longer validate) — no data is lost.
When should I rotate them?
Rotate your salts whenever you suspect a credential or backup leak, after offboarding anyone who had server access, or as routine hygiene. Rotating invalidates every active session and forces a fresh login everywhere — a fast, free way to lock out anyone riding a stolen cookie.
Is this safe?
Yes. The keys are generated locally in your browser with the platform CSPRNG (crypto.getRandomValues) — they are never sent to or logged by any server. Each is 64 characters drawn from WordPress’s own secret-key character set.
Use it from the command line or CI
Need salts in a script or pipeline? Our public API returns the same thing, ready to paste:
https://api.wordimatic.com/salts.php—define(...)block forwp-config.phphttps://api.wordimatic.com/salts.env—KEY='value'block for.envhttps://api.wordimatic.com/salts.yaml— YAMLhttps://api.wordimatic.com/salts— raw JSON
Every request returns a fresh set and is served Cache-Control: no-store.