Easily Generate Security Keys With WordPress Salt Generator

Locked Vault

I was migrating some WordPress websites this weekend on to our new Website Hosting platform at Rogue Security. Normally I wouldn’t do a lot of it manually, but was having an issue with one of the websites and realized it would be easier to install a fresh copy of WordPress. Well, while configuring the wp-config.php I was at the Authentication Keys block, and hidden in the comments of that block is a link to the WordPress Salt Generator.

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org sec$
 * You can change these at any point in time to invalidate all existing cookies. This will force all users $
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '<random-characters>' );
define( 'SECURE_AUTH_KEY',  '<random-characters>' );
define( 'LOGGED_IN_KEY',    '<random-characters>' );
define( 'NONCE_KEY',        '<random-characters>' );
define( 'AUTH_SALT',        '<random-characters>' );
define( 'SECURE_AUTH_SALT', '<random-characters>' );
define( 'LOGGED_IN_SALT',   '<random-characters>' );
define( 'NONCE_SALT',       '<random-characters>' );

What is a Salt?

Great question! a salt is random data/characters that is used as additional input for one-way hashing algorithms. Yeah, that was a lot so here is an example. When you create a new account on Facebook you must enter a username and password. After submitting that information, Facebook store the username in the database as it’s written in plain-text that is human-readable. However, Facebook takes the password that you entered and adds a salt to it, encrypts it using a hashing algorithm such as MD5 of SHA256 and then they store it in the database. It doesn’t matter how or where the salt is placed in the password.

A hashing algorithm will produce the same output given the same input. In other words, every time I use the SHA256 algorithm with my name as the input, it’s going to produce the exact same output. My Python script below shows that.

46df21c3bf897655ba14e556391adf6a78fc3c5cc681d883be97de47456488ed

No matter how many times I run this script with my name as the test_string it will never generate a different string, unless I change the hashing algorithm, of course.

The salt doesn’t change your password, it changes how your password is stored. Remember how my name will generate the same hash every time I check it? Well so will your password. If a malicious actor knows the hash of your password, it can still be just as useful as the actual password, more so if it hasn’t been salted prior to encryption.

WordPress Salt Generator

The WordPress Salt Generator is a simple page for generating a complete set of secret keys for your WordPress installation. If you’re using it for WordPress security purposes then you simply load up the page linked to above, and copy the generated keys into your wp-config.php file. These keys are also automatically generated during a standard installation so you only really need to do this if you are doing a manual install. If you don’t fill them out, they will be automatically generated for you during the first run.

Other Uses

So, how else might they be useful?

The page generates 8, 64-bit strings that are pseudo-random. You could easily connect to this page with a little Python, parse the data and have a quick subset of secret keys that can be used for just about anything. Need some quick licenses created? Pull up the page, copy a key. You have yourself randomly generated license keys (just make sure you check for duplicates).

Do you like complex passwords? I do. Some of my passwords are actually 64 random characters so this is perfect for that.