Use the free generator below to create a fresh set of WordPress security keys and salts, then drop them into your wp-config.php file. Everything is generated right in your browser with the Web Crypto API and is never sent to our servers, so your keys stay private.
- WordPress uses eight secret keys and salts in wp-config.php to secure login cookies and nonces.
- Generate a fresh set with the tool above, then replace the matching eight lines in your wp-config.php file.
- Changing them logs every user out, which is exactly what you want after a breach or to force a global sign-out.
- Our generator builds the keys in your browser with the Web Crypto API, so they are never sent anywhere.
- There is no need to rotate keys on a schedule. Change them when it actually matters.
What are WordPress salts and security keys?
WordPress uses eight long, random strings to secure the cookies and nonces that keep people logged in. Four are “keys” and four are “salts,” and together they make the authentication data stored in browser cookies far harder to crack.
They live in your wp-config.php file and are normally set once when WordPress is installed. You never type them in or memorize them. They work quietly in the background, and you only touch them again if you want to force everyone to log back in or you suspect your site has been compromised.
The eight keys and salts
A complete set has these eight constants. You do not need to understand each one to use them, but here is what they cover:
- AUTH_KEY and AUTH_SALT secure the standard login cookie.
- SECURE_AUTH_KEY and SECURE_AUTH_SALT do the same for logins served over HTTPS.
- LOGGED_IN_KEY and LOGGED_IN_SALT secure the cookie that marks a user as logged in.
- NONCE_KEY and NONCE_SALT protect the nonces WordPress uses to guard forms and links against misuse.
Where do the salts go in wp-config.php?
Open your wp-config.php file, in the root of your WordPress install, and find the block labeled “Authentication Unique Keys and Salts.” It holds eight define() lines, sometimes filled with placeholder text on a fresh install. Replace that whole block with the eight lines from the generator above, then save. For a full tour of this file, see our guide to wp-config.php.
How to change your WordPress salts
- Generate a new set with the tool above and copy all eight lines.
- Back up your current wp-config.php so you can revert if anything goes wrong.
- Edit wp-config.php over SFTP or your host’s file manager.
- Replace the existing eight key and salt lines with the new ones, then save the file.
The moment you save, every existing login session becomes invalid and everyone, including you, is logged out and has to sign in again. That is expected, and it is exactly why changing your salts is useful.
When should you regenerate your keys?
- After a security incident, or any time you think a password or session may have leaked. New salts instantly invalidate any stolen cookies.
- When you want to force every user to log out at once, for example after removing a staff account.
- After buying or inheriting a site, so any old sessions from the previous owner stop working.
- If your install shipped with blank or placeholder keys, set real ones right away.
There is no need to rotate them on a fixed schedule. Strong, unique keys that you change when it matters are enough. If you also want to harden how people sign in, look at application passwords and passkeys.
Are these generated keys safe to use?
Yes. The generator runs entirely in your browser and uses the Web Crypto API, the same cryptographically secure randomness browsers rely on for other security features. The keys are never transmitted to SmartWP or anyone else, and every set is unique.
If you want extra peace of mind, refresh the page or press Regenerate to get a brand new set right before you copy them.
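To make the in-browser approach concrete, here is a sketch of how eight define() lines can be built from Web Crypto randomness. It is an added example, not the code behind this page's generator; the alphabet and the names ALPHABET, randomString and buildSaltBlock are assumptions chosen for illustration.

```javascript
// Added example. Uses the browser's Web Crypto object; the fallback only
// exists so the same file also runs under older Node.js versions.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// The eight constants WordPress reads from wp-config.php.
const CONSTANTS = [
  'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
  'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Assumed alphabet: printable ASCII without space, ' and \ so every value
// can sit inside a single-quoted PHP string with no escaping (92 characters).
const ALPHABET = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i))
  .filter((c) => c !== "'" && c !== '\\')
  .join('');

// Draw `length` characters uniformly. Bytes at or above the largest multiple
// of the alphabet size are discarded, which avoids modulo bias.
function randomString(length = 64, alphabet = ALPHABET) {
  const limit = 256 - (256 % alphabet.length);
  const buf = new Uint8Array(length * 2);
  let out = '';
  while (out.length < length) {
    webCrypto.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out += alphabet[b % alphabet.length];
    }
  }
  return out;
}

// Build the block that replaces the eight define() lines in wp-config.php.
function buildSaltBlock() {
  const width = Math.max(...CONSTANTS.map((n) => n.length)) + 3; // quotes + comma
  return CONSTANTS
    .map((name) => `define( ${`'${name}',`.padEnd(width)} '${randomString()}' );`)
    .join('\n');
}

console.log(buildSaltBlock());
```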
Frequently asked questions
Will changing my salts break my site?
No. It only logs users out. Your content, settings, and plugins are untouched. The one real risk is a typo in wp-config.php, so back the file up first and replace the whole block cleanly.
Do the keys and salts need to be exactly 64 characters?
They do not have to be an exact length, but they should be long and random. This generator matches WordPress’s own format with 64-character strings, which is plenty strong.
Is this the same as the official WordPress generator?
It produces the same kind of output as the api.wordpress.org generator, in the same define() format. The difference is that ours creates the keys in your browser instead of on a remote server, so the values never travel across the network.
How often should I change them?
Only when you have a reason to, such as a suspected breach or to force a global logout. Routine rotation on a timer is not necessary for most sites.


