WordPress Secret Key Generator
Generate cryptographically secure WordPress security keys and salts for your wp-config.php file. One-click copy, key strength analysis, and step-by-step installation guide.
About WordPress Secret Key Generator
The WordPress Secret Key Generator creates cryptographically secure security keys and salts for your wp-config.php file. These 8 unique strings protect user sessions, prevent cookie forgery, and defend against CSRF attacks. Each key is generated with a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) and is never stored or logged.
What Are WordPress Security Keys and Salts?
WordPress uses 8 cryptographic constants in your wp-config.php file to secure authentication. Four are keys (primary encryption secrets) and four are salts (additional randomness that strengthens the hash).
How Keys and Salts Work Together
When a user logs in to WordPress, the system creates an authentication cookie. This cookie is encrypted using a combination of the security key and its corresponding salt. The key provides the primary encryption secret, while the salt adds unpredictable data into the hashing algorithm (HMAC), making it exponentially harder for an attacker to reverse-engineer the cookie value even if they intercept it.
Without proper keys and salts, WordPress uses fallback values that are weaker and identical across installations, making your site vulnerable to cookie-based attacks.
How to Install Your Security Keys
- Generate keys using this tool with your preferred settings.
- Copy all keys using the "Copy All Keys" button.
- Open wp-config.php via FTP/SFTP. This file is located in your WordPress root directory.
- Find the keys section — look for the comment /* Authentication Unique Keys and Salts */.
- Replace all 8 define() lines with your newly generated keys, then save and upload.
Note: Changing security keys will log out all currently logged-in users. They will need to log in again with their password. This is expected behavior and is actually useful for security purposes.
When Should You Change Your Security Keys?
| Scenario | Action |
|---|---|
| New WordPress installation | Generate and add keys immediately |
| Suspected hack or breach | Regenerate all keys immediately |
| Unknown admin accounts found | Regenerate keys + change passwords |
| After removing malware | Regenerate keys as part of cleanup |
| Routine operation (no issues) | No need to change regularly |
| Migrating to a new host | Consider generating fresh keys |
Key Length and Entropy
Entropy measures the randomness (unpredictability) of your keys in bits. Higher entropy means more possible combinations an attacker would need to try. For context:
- 128 bits — Minimum recommended for most cryptographic applications
- 256 bits — Considered unbreakable with current technology (AES-256 level)
- 400+ bits — The default 64-character WordPress key with full charset provides approximately 406 bits of entropy
Even the standard 64-character key with the full character set far exceeds what any brute-force attack could crack.
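The following added example (not MiniWebtool's own code) shows how eight define() lines can be produced with Python's secrets module and how the entropy figure is calculated as length × log2(charset size). The character set is an assumption: letters, digits and punctuation, with the single quote and backslash left out so the values need no escaping inside a PHP single-quoted string.

```python
import math
import secrets
import string

# The eight constant names WordPress reads from wp-config.php.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]

# Assumed charset: letters, digits and punctuation, minus ' and \ which
# would need escaping inside a PHP single-quoted string.
CHARSET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\\"
)


def entropy_bits(length, charset_size):
    """Entropy of a uniformly random string: length * log2(charset size)."""
    return length * math.log2(charset_size)


def generate_key(length=64, charset=CHARSET):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(charset) for _ in range(length))


def generate_defines(length=64, charset=CHARSET):
    """Return the eight define() lines, aligned like wp-config-sample.php."""
    lines = []
    for name in KEY_NAMES:
        quoted = f"'{name}',"
        key = generate_key(length, charset)
        lines.append(f"define( {quoted:<19} '{key}' );")
    return lines


if __name__ == "__main__":
    print("\n".join(generate_defines()))
    bits = entropy_bits(64, len(CHARSET))
    print(f"// {len(CHARSET)} symbols, about {bits:.0f} bits per 64-character key")
```

With this 92-symbol set a 64-character key carries about 418 bits; the same formula gives about 406 bits for an 81-symbol set.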
Security Best Practices
- Never share your keys — treat them like passwords
- Use unique keys for each WordPress installation
- Do not reuse keys across multiple sites
- Keep wp-config.php secure — ensure proper file permissions (typically 440 or 400)
- Keys alone are not enough — also use strong passwords, keep WordPress updated, and use a security plugin
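The practices above can be checked mechanically. This added example (not part of the original tool) audits a wp-config.php for missing constants, the "put your unique phrase here" placeholder from wp-config-sample.php, short or repeated values, and a file mode wider than 440. The function names, the 64-character minimum and the sample file are assumptions made for the illustration; the sample values are constructed dummies.

```python
import re
import stat
import tempfile
from pathlib import Path

REQUIRED = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
            "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
# Matches define( 'NAME', 'value' ); where the value is single-quoted.
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;")


def audit_wp_config(path, min_length=64):
    """Return findings for the keys section and the file mode of wp-config.php."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    found = dict(DEFINE_RE.findall(text))
    findings = []
    for name in REQUIRED:
        value = found.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: sample placeholder left in place")
        elif len(value) < min_length:
            findings.append(f"{name}: only {len(value)} characters")
    values = [v for n, v in found.items() if n in REQUIRED and v != PLACEHOLDER]
    if len(set(values)) < len(values):
        findings.append("same value used for more than one constant")
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    if mode & ~0o440:  # any permission bit beyond read for owner and group
        findings.append(f"file mode {mode:03o} is wider than 440")
    return findings


def demo():
    """Audit a constructed wp-config.php; the values are dummies, not real keys."""
    sample = "\n".join([
        "define( 'AUTH_KEY',         'put your unique phrase here' );",
        "define( 'SECURE_AUTH_KEY',  'short' );",
        f"define( 'LOGGED_IN_KEY',    '{'A' * 64}' );",
        f"define( 'NONCE_KEY',        '{'A' * 64}' );",
        f"define( 'SECURE_AUTH_SALT', '{'B' * 64}' );",
        f"define( 'LOGGED_IN_SALT',   '{'C' * 64}' );",
        f"define( 'NONCE_SALT',       '{'D' * 64}' );",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "wp-config.php")
        path.write_text("<?php\n" + sample + "\n", encoding="utf-8")
        path.chmod(0o644)
        return audit_wp_config(path)
```

An empty list from audit_wp_config() means all eight constants are present, distinct and long enough, and the file is no more permissive than 440.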
Frequently Asked Questions
What are WordPress security keys and salts?
WordPress security keys and salts are cryptographic strings stored in wp-config.php that encrypt data in user cookies. There are 4 keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY) and 4 corresponding salts. Together, they make it virtually impossible for attackers to forge authentication cookies.
How do I add security keys to wp-config.php?
Open your wp-config.php file (in the WordPress root directory), find the section labeled "Authentication Unique Keys and Salts", and replace the existing define() lines with your newly generated keys. Save the file and re-upload it via FTP/SFTP. All users will need to log in again.
When should I change my WordPress security keys?
Change your security keys immediately if you suspect your site was hacked, if you find unknown admin accounts, or after removing malware. You do not need to rotate keys on a regular schedule under normal circumstances. Changing keys will force all logged-in users to re-authenticate.
Is this generator secure? Are keys stored anywhere?
Yes, this generator uses Python's cryptographically secure secrets module (CSPRNG). Keys are generated server-side on each request and are never stored, logged, or cached. The response includes a no-cache header to prevent browser caching.
What is the difference between WordPress keys and salts?
WordPress keys encrypt cookie data, while salts add extra randomness to the encryption process. Keys act as the primary encryption secret, and salts make brute-force attacks exponentially harder by introducing additional unpredictable data into the hash function. Both are essential for strong WordPress security.
What happens if I change my WordPress security keys?
Changing your WordPress security keys will invalidate all existing authentication cookies. This means every logged-in user (including you) will be logged out and need to log in again with their username and password. This is actually a security feature, useful after a breach.
Reference this content, page, or tool as:
"WordPress Secret Key Generator" at https://MiniWebtool.com/wordpress-secret-key-generator/ from MiniWebtool, https://MiniWebtool.com/
by miniwebtool team. Updated: Feb 13, 2026