Security Key Generator

Generate all 8 WordPress authentication keys and salts using the Web Crypto API. Copy the output and paste it into your wp-config.php file.

Generated Keys

Generating keys...

What Are WordPress Security Keys?

WordPress uses eight security keys (also called authentication keys and salts) to encrypt information stored in user cookies. Each key is a unique string of random characters defined in your wp-config.php file.

The eight keys are:

  • AUTH_KEY — Used to sign the authentication cookie for non-SSL requests.
  • SECURE_AUTH_KEY — Used to sign the authentication cookie for SSL requests.
  • LOGGED_IN_KEY — Used to sign the logged-in cookie.
  • NONCE_KEY — Used to sign the nonce for protection against CSRF attacks.
  • AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT — Secondary salts that add an additional layer of randomness.

Where to Paste These Keys

  1. Open your WordPress installation's wp-config.php file.
  2. Find the section with the comment "Authentication unique keys and salts".
  3. Replace the existing define() lines with the output from this tool.
  4. Save the file and upload it to your server.

When to Rotate Your Keys

  • After a security breach or suspected unauthorized access.
  • When removing administrator accounts from your site.
  • Periodically as part of a security maintenance routine.
  • After changing your site's hosting provider.

Rotating keys forces all logged-in users to re-authenticate, which is a useful security measure after any incident.

How This Tool Works

This generator uses the crypto.getRandomValues() method provided by the Web Crypto API, which produces cryptographically strong random values. No data is sent to any server — all generation happens entirely within your browser.