WordPress Salt Keys Generator

Instantly generate highly secure, cryptographically random Authentication Unique Keys and Salts for your wp-config.php file to lock down user sessions.

Security Warning: Changing the salt keys on a live WordPress website will immediately invalidate all existing cookies. All users (including you) will be instantly logged out and will need to log in again. This is the desired behavior if you suspect your site was hacked.


How to add this to your WordPress site?

  1. Copy the generated code block using the button above.
  2. Connect to your website via FTP or File Manager.
  3. Open the wp-config.php file located in your root directory.
  4. Find the section that says Authentication Unique Keys and Salts.
  5. Delete the old 8 define(...) lines and paste your new ones.
  6. Save the file. You will be asked to log in again.

The Ultimate WordPress Salt Keys Generator

Keeping a WordPress website secure requires constant vigilance. One of the most overlooked, yet incredibly powerful security mechanisms built directly into the WordPress core is the Authentication Unique Keys and Salts framework. Our free, client-side WP Salt Generator allows you to instantly create cryptographically secure, high-entropy keys to lock down your site's sessions.

What are WordPress Security Keys (Salts)?

When you log into the WordPress dashboard, the system does not store your password in a browser cookie. Instead, it creates a highly encrypted session token. This token ensures you stay logged in as you navigate between pages.

To encrypt this cookie, WordPress relies on eight specific constants defined in your wp-config.php file:

A "salt" is essentially random data added to a hashing process. Appending a 64-character string of random letters, numbers, and symbols to your passwords and cookies makes it mathematically impossible for hackers to reverse-engineer the session tokens using pre-computed dictionary attacks or rainbow tables.

Why Should You Change Your WordPress Salts?

By default, WordPress generates a set of salt keys when you first install the CMS. However, there are critical moments in a website's lifecycle where replacing these keys is absolutely necessary:

1. Suspected Hacking or Malware Infection

If your website has been compromised, the attacker may have stolen active session cookies, allowing them to remain logged in even after you clean the database. Changing your salt keys immediately invalidates all existing cookies across the entire internet. It forcibly logs out every single user, admin, and potential hacker instantly.

2. Employee or Administrator Turnover

Did a web developer, contractor, or staff member with admin access recently leave your company? Even if you change their password, if they checked the "Remember Me" box, their session might still be active. Replacing the salts guarantees their access is permanently severed.

3. Moving from Staging to Production

If you built your website on a staging server or downloaded a pre-configured boilerplate, your salt keys might be publicly known or duplicated across multiple sites. Generating fresh keys during migration is a mandatory security best practice.

Why Use Our CSPRNG Salt Generator?

Not all random number generators are created equal. Basic functions like PHP's rand() or standard JavaScript Math.random() are predictable and not secure for cryptography. Our tool utilizes the browser's native Cryptographically Secure Pseudorandom Number Generator (CSPRNG) via the window.crypto.getRandomValues() API. This ensures maximum entropy.

Furthermore, because the generation happens entirely client-side in your browser, the generated keys are never sent to our servers, logged in a database, or exposed to the network. You are getting pure, private security keys.

Syntax Safety for PHP

A common issue with randomly generated strings is that they might include a single quote ' or a backslash \. If pasted blindly into wp-config.php, these characters can prematurely close a PHP string, causing a fatal syntax error and a White Screen of Death (WSOD). Our algorithm actively filters out these specific syntax-breaking characters while retaining a massive pool of safe special characters (like !@#$%^&*) to ensure your website never crashes after a security update.
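
The approach described in the two sections above (CSPRNG output, with ' and \ filtered out), sketched as an added example; this is not this site's actual generator code. The alphabet, the function names randomString and generateWpSalts, and the rejection-sampling step are assumptions made for the illustration; the eight constant names are the ones WordPress reads from wp-config.php.

```javascript
// Added example, not the site's own code. Runs in a browser or in Node.js.
const rng = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : null);

// The eight constants WordPress reads from wp-config.php.
const WP_KEY_NAMES = [
  'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
  'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Assumed alphabet: printable ASCII 0x20-0x7E minus ' and \, the two
// characters that would break a single-quoted PHP string literal.
const ALPHABET = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i))
  .filter((ch) => ch !== "'" && ch !== '\\')
  .join('');

// Draw `length` characters uniformly from `alphabet`. Bytes >= limit are
// rejected so that `byte % n` carries no modulo bias toward early characters.
function randomString(length, alphabet = ALPHABET) {
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError('alphabet must have 2..256 characters');
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(length * 2);
  let out = '';
  while (out.length < length) {
    rng.getRandomValues(buf); // CSPRNG, never Math.random()
    for (let i = 0; i < buf.length && out.length < length; i++) {
      if (buf[i] < limit) out += alphabet[buf[i] % n];
    }
  }
  return out;
}

// Build the block that replaces the eight define(...) lines in wp-config.php.
function generateWpSalts(length = 64) {
  return WP_KEY_NAMES
    .map((name) => `define('${name}', '${randomString(length)}');`)
    .join('\n');
}
```

Filtering the alphabet before sampling, rather than deleting bad characters from finished output, keeps every key at exactly 64 characters.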