Zero Signup ToolsFree browser tools

Security Tools

WordPress Salt Generator

Generate the eight WordPress secret keys and salts for wp-config.php locally in your browser. No upload, no server, no signup.

64

WordPress ships the official endpoint with 64 characters per key. Range: 32 to 128.

Output format
Quote style

Generated wp-config block

define('AUTH_KEY        ', 'G0Fo;#HYp|0T#f]!O)rNsrj:jI>D4a=+4Q&y7q2HR5,lA&jP)|G&G}oZTO^YZ7n_');
define('SECURE_AUTH_KEY ', 'pM0Doklrh.GGv_+^_z72-@f]Qkx1u@2OrG-<st^8vW&TuPkyEnu+6;7j7y7B!ej4');
define('LOGGED_IN_KEY   ', '-oHkyTxXzjuXJv61{Y?#nE48+woh}e%%mq<5shAjx}$EsJ0UVFy@t^Npy5L;lc.0');
define('NONCE_KEY       ', '8rnE^BS`@i?y/:y+h3QMu1bb[hp*JUcp}Z2@uR6BN[.UM9@OdDg&>CqR&{RAsK3g');
define('AUTH_SALT       ', '+,thYG5e%.GQLHFGU8a2R{iy@9#ObwuoD>je#vDWPO?=(HOKmn!<)K[)f1k5/}3F');
define('SECURE_AUTH_SALT', '9`w^%**nor1]}9s:JwDD:}nh^Jg?|p(T.EwgZ4RBePt4@uA``L9F/ny/mzKBeK91');
define('LOGGED_IN_SALT  ', '#z|6@.4@qw3y!M8HJpaVCxvDsRYw+D+ieGn9+R:5q*-2ov:_l;XPx6#yC.+19wf/');
define('NONCE_SALT      ', 'ET/?AU4RSkrWj(zvD#{}>zu=!4hEN*QuK8c1^c5KpSpKBCNLUxV:KO(!{&Mlx_lG');

Paste this block into wp-config.php, replacing the existing eight constants. Reloading the site logs every user out, including you, because the cookies signed with the old keys are no longer valid.

Keys

  • AUTH_KEY

    G0Fo;#HYp|0T#f]!O)rNsrj:jI>D4a=+4Q&y7q2HR5,lA&jP)|G&G}oZTO^YZ7n_

  • SECURE_AUTH_KEY

    pM0Doklrh.GGv_+^_z72-@f]Qkx1u@2OrG-<st^8vW&TuPkyEnu+6;7j7y7B!ej4

  • LOGGED_IN_KEY

    -oHkyTxXzjuXJv61{Y?#nE48+woh}e%%mq<5shAjx}$EsJ0UVFy@t^Npy5L;lc.0

  • NONCE_KEY

    8rnE^BS`@i?y/:y+h3QMu1bb[hp*JUcp}Z2@uR6BN[.UM9@OdDg&>CqR&{RAsK3g

  • AUTH_SALT

    +,thYG5e%.GQLHFGU8a2R{iy@9#ObwuoD>je#vDWPO?=(HOKmn!<)K[)f1k5/}3F

  • SECURE_AUTH_SALT

    9`w^%**nor1]}9s:JwDD:}nh^Jg?|p(T.EwgZ4RBePt4@uA``L9F/ny/mzKBeK91

  • LOGGED_IN_SALT

    #z|6@.4@qw3y!M8HJpaVCxvDsRYw+D+ieGn9+R:5q*-2ov:_l;XPx6#yC.+19wf/

  • NONCE_SALT

    ET/?AU4RSkrWj(zvD#{}>zu=!4hEN*QuK8c1^c5KpSpKBCNLUxV:KO(!{&Mlx_lG

Keys generated

8

Characters per key

64

Entropy per key

416 bits

How WordPress uses these keys

The four keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY) and four salts (AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT) are combined with each user's password hash to sign the cookies WordPress uses for login sessions and nonces.

Rotating these values invalidates every existing cookie. That is the standard remediation after a compromise, when removing a stale admin account, or when handing a site off to a new owner. Users (including you) will be logged out and asked to sign in again.

How to use

  1. Open the page. A full set of eight WordPress keys and salts is generated automatically using the browser's crypto API.
  2. Adjust the key length if you need something other than the WordPress default of 64 characters. Most installs should leave it alone.
  3. Pick define() or const, and single or double quotes, to match your wp-config.php style.
  4. Use Copy block to grab the full eight-line block, or use the per-key Copy button to replace a single constant.
  5. Click Reroll next to a single constant if you only want to rotate one key without touching the others.
  6. Paste the block into wp-config.php, replacing the existing eight constants. Reload the site and sign back in.

About this tool

WordPress Salt Generator builds the eight constants that wp-config.php needs to sign WordPress's session cookies and nonces: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT. WordPress's own canonical endpoint at api.wordpress.org/secret-key/1.1/salt/ returns 64 random printable ASCII characters per constant; this page produces the same shape using crypto.getRandomValues, the browser's standard CSPRNG, so the keys are generated on your device and never travel over the network. The character set is the printable ASCII range minus the single quote, double quote, and backslash, which means the output drops straight into either single-quoted or double-quoted PHP strings without any escaping. Key length is adjustable between 32 and 128 characters in case your config tooling has its own ceiling; the 64-character default matches the upstream WordPress endpoint. A letters-and-digits-only mode is available for environments that strip symbols. The output block can be emitted with define() or const declarations, with single or double quotes, and with constant names padded so the values line up vertically when you paste them into the file. Each key has its own Reroll button so you can replace a single constant without regenerating the rest, and the full block can be copied or downloaded as a plain text file in one click. Rotating WordPress salts is the standard remediation after a suspected compromise, when removing a stale administrator account, when shipping a site to a new owner, or as part of a routine security cadence: replacing the constants invalidates every existing login cookie and nonce, so anyone holding a stolen session is forced back to the login screen, including you. Useful for WordPress site owners, agency engineers handing over client sites, managed-host operators running periodic rotations, security auditors who want a salt source they actually control, and developers who would rather not paste their wp-config keys through a third party. Everything runs locally in your browser. The generated keys are not uploaded, logged, or shared.

Free to use. Works in your browser. No signup, no login.

Related tools

You may also like

All tools
Security

Password Generator

Strong random passwords with length and character controls.

Open tool

Security

Passphrase Generator

Random-word passphrases with live entropy and crack-time estimates.

Open tool

Security

htpasswd Generator

Create htpasswd entries for Apache and Nginx basic auth, APR1-MD5 or SHA-1.

Open tool

Generator

Random String Generator

Random strings with hex, base32, base58, base62, base64 URL-safe, or a custom alphabet.

Open tool

All toolsSecurity Tools