All tools
WordPress tools

WordPress Salts Generator

Generate fresh cryptographic security keys and salts directly from the official WordPress.org API — ready to copy and paste into your wp-config.php.

AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT One-click copy
Get started free Sign in

Free · No credit card · 50 credits/day

The eight security constants

Constant Type Used for
AUTH_KEY Key Hashing non-SSL (HTTP) authentication cookies
SECURE_AUTH_KEY Key Hashing SSL (HTTPS) authentication cookies
LOGGED_IN_KEY Key Hashing "logged in" cookies that confirm user is signed in
NONCE_KEY Key Hashing nonce values used in forms and action URLs
AUTH_SALT Salt Additional entropy added to AUTH_KEY hashing
SECURE_AUTH_SALT Salt Additional entropy added to SECURE_AUTH_KEY hashing
LOGGED_IN_SALT Salt Additional entropy added to LOGGED_IN_KEY hashing
NONCE_SALT Salt Additional entropy added to NONCE_KEY hashing

Frequently asked questions

What are WordPress security keys and salts?

Random strings in wp-config.php that WordPress uses to hash and encrypt cookies, authentication tokens and session data. Eight constants: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT. They make cookies cryptographically unique to your installation — cookies from another WordPress site won't work on yours.

When should I regenerate WordPress security keys?

Regenerate immediately after: (1) A hack or suspected compromise — logs out all active sessions including any attacker with persistent access; (2) Revoking access from a user or developer; (3) Moving from HTTP to HTTPS; (4) Fresh installation (default keys in wp-config-sample.php are publicly known); (5) Any suspected cookie interception.

What happens when I update WordPress security keys?

All existing authentication cookies and sessions are immediately invalidated. Every logged-in user (including you) will be logged out and must log in again. "Remember me" cookies are invalidated. Nonces are regenerated. This is the intended behavior — a security feature. You will need to log in again after updating the keys.

Where do I put the security keys in wp-config.php?

Replace the existing placeholder or default values in wp-config.php — typically between the database configuration and the table prefix. If adding for the first time, place just before "/* That's all, stop editing! Happy publishing. */". Replace all eight lines at once — partial replacement can cause authentication issues.

Related WordPress tools

More tools for WordPress security setup.

wp-config.php Generator

Generate a complete, hardened wp-config.php with fresh salts included.

.htaccess Generator

Add server-level hardening rules alongside your security keys.

DB Prefix Generator

Replace the default wp_ prefix — another key security hardening step.

Secure your WordPress site in seconds

Free account. 50 credits per day. Access to 75+ tools instantly.

Create free account →