What Are WordPress Authentication Keys and Salts?
WordPress uses eight cryptographic constants — four keys and four salts — to secure cookies, session tokens, and nonces. Defined in wp-config.php, these constants are mixed into the hashing process that produces authentication cookies. When they are unique, long, and random, a cookie stolen from one WordPress installation is useless against any other, and a cookie from the same site becomes invalid the moment the salts are rotated. When they are left at their default or empty values — as happens with many quick installations — the protection they are designed to provide effectively does not exist.
WordPress itself links to the official secret-key service at api.wordpress.org to generate these constants. The WordPress Salt Generator API by GLOBUS.studio provides the same output — eight ready-to-paste define() statements with high-entropy random values — plus an optional seed parameter for reproducible generation during testing and migration. Response latency is 1ms.
API Endpoint and Parameters
GET https://api.globus.studio/v2/salt
GET https://api.globus.studio/v2/salt?seed={string}
- No parameters — returns eight fully random, unique authentication constants
- seed — optional string; produces deterministic, reproducible salts from the same seed value
The response is plain PHP code — eight define() statements ready to paste directly into wp-config.php with no editing required. Full reference is on the WordPress Salt Generator API documentation page.
Request and Response Examples
Random Salts — Default
GET /v2/salt
define('AUTH_KEY', 'random_generated_string_here');
define('SECURE_AUTH_KEY', 'random_generated_string_here');
define('LOGGED_IN_KEY', 'random_generated_string_here');
define('NONCE_KEY', 'random_generated_string_here');
define('AUTH_SALT', 'random_generated_string_here');
define('SECURE_AUTH_SALT', 'random_generated_string_here');
define('LOGGED_IN_SALT', 'random_generated_string_here');
define('NONCE_SALT', 'random_generated_string_here');
Seeded Salts — Reproducible Output
GET /v2/salt?seed=myseed
define('AUTH_KEY', 'seed_based_generated_string');
define('SECURE_AUTH_KEY', 'seed_based_generated_string');
define('LOGGED_IN_KEY', 'seed_based_generated_string');
define('NONCE_KEY', 'seed_based_generated_string');
define('AUTH_SALT', 'seed_based_generated_string');
define('SECURE_AUTH_SALT', 'seed_based_generated_string');
define('LOGGED_IN_SALT', 'seed_based_generated_string');
define('NONCE_SALT', 'seed_based_generated_string');
The Eight WordPress Security Constants
Each constant serves a distinct role in WordPress’s authentication architecture:
- AUTH_KEY / AUTH_SALT — secure standard authentication cookies for non-SSL connections
- SECURE_AUTH_KEY / SECURE_AUTH_SALT — secure authentication cookies transmitted over HTTPS
- LOGGED_IN_KEY / LOGGED_IN_SALT — used in the logged-in cookie that identifies authenticated sessions
- NONCE_KEY / NONCE_SALT — used in nonce generation, protecting forms and admin actions against CSRF attacks
Changing any of these constants immediately invalidates all existing cookies and sessions for every logged-in user — a useful property when responding to a security incident, but one that requires users to log in again. Plan salt rotations accordingly in production environments.
Common Use Cases for WordPress salt generator
Fresh WordPress Installation Setup
Every new WordPress installation requires a set of unique salts in wp-config.php. The standard WordPress installer leaves placeholder text in those positions unless the installer fetches fresh values from the secret-key service automatically. A setup script or hosting control panel can call the Salt Generator API during provisioning and inject the response directly into the generated wp-config.php, ensuring every new site starts with properly randomized salts without requiring manual intervention from the site owner.
WordPress Provisioning Automation and CLI Tools
WP-CLI scripts that automate WordPress deployment — spinning up staging environments, cloning sites, or provisioning multisite networks — need to generate unique salts for each installation. A single curl call to the API during the provisioning sequence captures the output and pipes it into wp-config.php via wp config set or direct file manipulation, producing a fully configured installation in a single automated pass.
Security Incident Response — Salt Rotation
When a WordPress site is compromised — or when a privileged user account is suspected of being hijacked — rotating the authentication salts is one of the fastest ways to invalidate all active sessions and force every user, including any attacker maintaining a persistent session, to re-authenticate. The API generates a fresh set in 1ms; replacing the existing constants in wp-config.php takes seconds. This is a standard step in WordPress incident response checklists alongside password resets and plugin audits.
WordPress Plugin and Theme Development
Plugin and theme developers who maintain local development environments, Docker containers, or Vagrant boxes for testing need a reproducible wp-config.php that can be regenerated consistently. The seed parameter serves this use case precisely: a seed value tied to the project name or environment produces the same salts on every fresh setup, making the configuration file reproducible without committing actual secret values to version control. The seed is the only value that needs to be stored safely; the salts themselves are derived deterministically from it on demand.
Managed Hosting and Control Panel Integration
Hosting providers that offer one-click WordPress installation through control panels like cPanel, Plesk, or custom dashboards can integrate the WordPress Salt Generator API into their installation flow. Every customer’s WordPress install receives unique salts at the moment of creation, eliminating the risk of multiple customers sharing default or identical salt values — a real vulnerability when a hosting platform uses a static wp-config.php template without randomizing these constants per installation.
WordPress Migration and Site Cloning
When migrating a WordPress site to a new server, cloning it to a staging environment, or duplicating it for a multisite setup, the source and destination installations should never share the same salts. A migration script that calls the API without a seed parameter as its final step generates a fresh, unique salt set for the destination — ensuring the cloned site’s sessions and cookies are completely independent from the original, preventing cross-site session interference in environments where both instances are temporarily live.
Automated Security Audits and Hardening Scripts
Security audit tools and WordPress hardening scripts that scan wp-config.php for missing or weak salts can call the API to generate replacements when deficiencies are found and inject them automatically. This closes a common finding — empty or placeholder salt constants — without requiring the site owner to understand the underlying cryptography or manually visit a key generation service.
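For the audit scenario just described, here is an added example (my own code, not GLOBUS.studio's and not part of WordPress) that reads the text of a wp-config.php and reports each of the eight constants that is missing, empty, still set to the placeholder from wp-config-sample.php, shorter than an assumed 32-character minimum, or identical to another constant. The configuration embedded in it is constructed for the demonstration and exercises every finding.

```javascript
// Added example (not GLOBUS.studio or WordPress code): scan the text of a
// wp-config.php for authentication keys and salts that are missing, empty,
// still the sample placeholder, shorter than an assumed minimum, or reused.

const SALT_CONSTANTS = [
  'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
  'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Placeholder text shipped in wp-config-sample.php.
const PLACEHOLDER = 'put your unique phrase here';
// Assumed threshold for "too short"; the official generator emits 64 characters.
const MIN_LENGTH = 32;

// Collect define('NAME', 'value') statements (single or double quoted, any
// whitespace) into a Map; the last occurrence of a name is kept.
function parseDefines(configText) {
  const re = /define\s*\(\s*(['"])([A-Z_]+)\1\s*,\s*(['"])((?:(?!\3).)*)\3\s*\)/g;
  const defines = new Map();
  for (const m of configText.matchAll(re)) {
    defines.set(m[2], m[4]);
  }
  return defines;
}

// Audit the eight constants. Returns [{ name, issue }]; an empty array means
// every constant is present, non-empty, not the placeholder, long enough and
// distinct from the others.
function auditSalts(configText) {
  const defines = parseDefines(configText);
  const findings = [];
  const firstUse = new Map(); // value -> first constant that carried it
  for (const name of SALT_CONSTANTS) {
    if (!defines.has(name)) {
      findings.push({ name, issue: 'missing' });
      continue;
    }
    const value = defines.get(name);
    if (value.length === 0) {
      findings.push({ name, issue: 'empty' });
    } else if (value.toLowerCase() === PLACEHOLDER) {
      findings.push({ name, issue: 'placeholder' });
    } else if (value.length < MIN_LENGTH) {
      findings.push({ name, issue: `shorter than ${MIN_LENGTH} characters` });
    } else if (firstUse.has(value)) {
      findings.push({ name, issue: `same value as ${firstUse.get(value)}` });
    } else {
      firstUse.set(value, name);
    }
  }
  return findings;
}

// Constructed sample (not a real site's configuration) exercising each finding:
// placeholder, empty, duplicate, short and missing (NONCE_SALT is absent).
const SAMPLE_CONFIG = `<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  '' );
define( 'LOGGED_IN_KEY',    'Kx9#vP2m!qL7^rT4&wZ8*bN1(dF6)gH3-jS5_yC0+aE2=uI4~oM7' );
define( 'NONCE_KEY',        'Kx9#vP2m!qL7^rT4&wZ8*bN1(dF6)gH3-jS5_yC0+aE2=uI4~oM7' );
define( 'AUTH_SALT',        'short' );
define( "SECURE_AUTH_SALT", "Qw3@eR5%tY7&uI9*oP1(aS2)dF4-gH6_jK8+lZ0=xC3~vB5<nM7>" );
define( 'LOGGED_IN_SALT',   'Zx1!cV3@bN5#mA7%sD9^fG2&hJ4*kL6(qW8)eR0-tY3_uI5+oP7=' );
`;

const findings = auditSalts(SAMPLE_CONFIG);
console.log(findings.length ? findings : 'no salt findings');
```

Run against a real file with auditSalts(fs.readFileSync(path, 'utf8')); a hardening script would treat any non-empty result as the trigger to regenerate the whole set rather than patching single constants, since the eight values are meant to be replaced together.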
Integration Examples
cURL — Fetch and Display
curl https://api.globus.studio/v2/salt
cURL — Append Directly to wp-config.php
curl -sSf https://api.globus.studio/v2/salt >> wp-config.php
This only works while wp-config.php is still being assembled: the eight constants must not be defined yet (PHP keeps the first definition of a constant and only warns on a second), and the appended lines must land before the closing require_once ABSPATH . 'wp-settings.php'; line, or WordPress will already have loaded by the time they run. For an existing installation, replace the constants in place as the scripts below do.
Bash — Automated Provisioning Script
#!/bin/bash
set -euo pipefail
WPCONFIG="wp-config.php"
SALTS=$(curl -sSf https://api.globus.studio/v2/salt)
# Refuse to touch the file unless the response is exactly eight define() lines
if [ "$(printf '%s\n' "$SALTS" | grep -c "^define('[A-Z_]*_\(KEY\|SALT\)', '")" -ne 8 ]; then
    echo "Unexpected response from salt API; wp-config.php left unchanged." >&2
    exit 1
fi
# Drop the old definitions and put the fresh ones where the first one stood
# (appending at end of file would define them after wp-settings.php has loaded)
awk -v salts="$SALTS" -v q="'" '
    $0 ~ "define\\([ \t]*" q "(SECURE_AUTH|LOGGED_IN|NONCE|AUTH)_(KEY|SALT)" q { if (!done) { print salts; done = 1 }; next }
    { print }
    END { if (!done) exit 1 }
' "$WPCONFIG" > "$WPCONFIG.tmp" || { rm -f "$WPCONFIG.tmp"; echo "No salt definitions found in $WPCONFIG." >&2; exit 1; }
mv "$WPCONFIG.tmp" "$WPCONFIG"
echo "Salts rotated successfully."
PHP — Programmatic Injection
$salts = file_get_contents('https://api.globus.studio/v2/salt');
// Abort on a failed or empty fetch instead of writing an empty salt block
if ($salts === false || trim($salts) === '') { exit('Could not fetch salts; wp-config.php left unchanged.'); }
$wpconfig = file_get_contents('wp-config.php');
// Replace the existing salt block (tolerating the spaces wp-config-sample.php puts inside the parentheses)
$pattern = "/define\s*\(\s*'AUTH_KEY'.*define\s*\(\s*'NONCE_SALT'.*?\);/s";
// A callback inserts the values literally; with preg_replace(), a "$" followed
// by a digit inside a salt value would be treated as a back-reference
$wpconfig = preg_replace_callback($pattern, function () use ($salts) { return trim($salts); }, $wpconfig, 1, $count);
if ($count !== 1) { exit('Salt block not found; wp-config.php left unchanged.'); }
file_put_contents('wp-config.php', $wpconfig);
echo 'Salts updated.';
PHP — Seeded Generation for Dev Environments
$seed = 'my-project-dev'; // store this, not the salts
$salts = file_get_contents(
    'https://api.globus.studio/v2/salt?seed=' . urlencode($seed)
);
echo $salts;
WordPress (PHP) — WP-CLI Compatible Salt Rotation
function globus_rotate_salts() {
    $response = wp_remote_get( 'https://api.globus.studio/v2/salt' );
    // Bail on transport errors or non-200 responses; the body would be empty or an error page
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $salts = trim( wp_remote_retrieve_body( $response ) );
    if ( '' === $salts ) {
        return false;
    }
    // Note: some installs keep wp-config.php one directory above ABSPATH
    $config_path = ABSPATH . 'wp-config.php';
    $config      = file_get_contents( $config_path );
    // Replace existing salt block; the callback inserts the values literally,
    // so a "$" followed by a digit inside a salt is not read as a back-reference
    $pattern = "/(define\s*\(\s*'AUTH_KEY'.*?define\s*\(\s*'NONCE_SALT'[^\)]+\);)/s";
    $config  = preg_replace_callback( $pattern, function () use ( $salts ) { return $salts; }, $config, 1, $count );
    if ( 1 !== $count || false === file_put_contents( $config_path, $config ) ) {
        return false;
    }
    return true;
}
// Call from a one-time admin action or WP-CLI command
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    if ( globus_rotate_salts() ) {
        WP_CLI::success( 'WordPress salts rotated. All users have been logged out.' );
    } else {
        WP_CLI::error( 'Salt rotation failed; wp-config.php left unchanged.' );
    }
}
Node.js — Docker Entrypoint Salt Injection
const fs = require('fs');
// Node 18+ provides fetch globally; on older runtimes use require('node-fetch')
async function injectSalts(wpconfigPath) {
    const res = await fetch('https://api.globus.studio/v2/salt');
    if (!res.ok) {
        throw new Error(`Salt API returned HTTP ${res.status}`);
    }
    const salts = (await res.text()).trim();
    let config = fs.readFileSync(wpconfigPath, 'utf8');
    // Match the block wp-config-sample.php wraps in "/**#@+" ... "/**#@-*/"
    // (the opener is followed by a doc comment, not by "*/")
    const block = /\/\*\*#@\+[\s\S]*?\/\*\*#@-\*\//;
    if (!block.test(config)) {
        throw new Error('Salt block not found; wp-config.php left unchanged');
    }
    // Replacer function: a "$" inside a salt must not be read as "$&" or "$1"
    config = config.replace(block, () => `/**#@+\n * Authentication unique keys and salts.\n */\n${salts}\n/**#@-*/`);
    fs.writeFileSync(wpconfigPath, config);
    console.log('WordPress salts injected.');
}
injectSalts('/var/www/html/wp-config.php').catch((err) => {
    console.error(err.message);
    process.exit(1);
});
Seeded Generation — When and Why to Use It
The seed parameter of the WordPress Salt Generator produces deterministic output: the same seed always returns the same set of salt constants. This is useful in some scenarios and inappropriate in others:
- Use seeded generation for: local development environments where a reproducible wp-config.php is needed across team members; automated test suites that require consistent configuration; infrastructure-as-code setups where salt values must be derivable from a stored secret without storing the salts themselves.
- Do not use seeded generation for: production WordPress installations. Production sites must have salts that are unique and unpredictable. A seed value that leaks — in a git repository, a Slack message, or a config management system — allows an attacker to reproduce the salts and forge authentication cookies. For production, always use the unseeded endpoint.
Performance
At 1ms average latency, salt generation is instantaneous in any provisioning or scripting context. The response requires no parsing — it is valid PHP that can be appended to wp-config.php directly from the command line using a single pipe operation. For large-scale hosting providers generating salts for thousands of new installations per day, the API handles the load with no throughput constraints for standard provisioning volumes.
Test live generation and explore seeded output on the WordPress Salt Generator API documentation page.