
wp config shuffle-salts

Overview

Regenerate all WordPress authentication keys and salts in wp-config.php. All existing logged-in sessions are immediately invalidated. Run this after a security incident or as a regular hardening step.

What It Does

wp config shuffle-salts replaces the eight authentication key and salt constants in wp-config.php with new random values obtained from the WordPress secret-key service (api.wordpress.org). WordPress uses these constants as the secret keys for the HMACs that sign its authentication cookies and nonces, so every existing cookie fails validation the moment they change: all users, administrators included, must log in again.

The eight constants rotated are:

  • AUTH_KEY
  • SECURE_AUTH_KEY
  • LOGGED_IN_KEY
  • NONCE_KEY
  • AUTH_SALT
  • SECURE_AUTH_SALT
  • LOGGED_IN_SALT
  • NONCE_SALT

Syntax

wp config shuffle-salts [<keys>...] [--force] [--insecure]

Options & Flags

Flag              Description
<keys>...         Shuffle only the named constants (space-separated). A name outside the eight defaults is skipped with a warning unless --force is given.
--force           Add a named key that is not one of the eight defaults instead of skipping it (the documented example is WP_CACHE_KEY_SALT). This flag does not change where the values come from.
--insecure        Retry the api.wordpress.org download without certificate validation if the TLS handshake fails. An on-path attacker can then hand you salts of their choosing, which defeats the purpose of rotating them.
--path=<path>     Global WP-CLI option selecting the WordPress install whose wp-config.php is edited.

Basic Usage

wp config shuffle-salts

Rotate only specific salts

wp config shuffle-salts AUTH_KEY SECURE_AUTH_KEY

Add a key that is not one of the eight defaults (this is what --force is for)

wp config shuffle-salts WP_CACHE_KEY_SALT --force

Retry without certificate validation (only once the TLS failure is understood; an on-path attacker can feed you known salts)

wp config shuffle-salts --insecure

Expected Output

Success: Shuffled the salt keys.

What Happens After Rotation

When salts are changed:

  • All users are immediately logged out, including every administrator.
  • Active session cookies fail validation, because each cookie's HMAC was computed with the old keys.
  • Nonces generated before the rotation become invalid (NONCE_KEY and NONCE_SALT changed), so forms and AJAX requests already open in a browser fail on submit.
  • "Remember me" cookies are invalidated the same way as ordinary session cookies.
  • Not affected: user passwords and application passwords (REST API / XML-RPC), which are hashed independently of the salts. If those are suspected compromised, reset or revoke them separately.
  • The session records in the database (user meta) are left in place; they are merely unreachable without a cookie signed under the new keys. wp user session destroy <user> --all removes them.

Inform your team before rotating salts

If other admins or editors are actively working on the site, notify them before rotating salts so nobody is logged out mid-edit.
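The mechanism behind the list above, as an added example that is not WordPress, WP-CLI or this page's own code: a shell model of the auth-cookie HMAC. It assumes openssl is in PATH, uses constructed stand-in values for AUTH_KEY . AUTH_SALT and for the password fragment, and simplifies wp_validate_auth_cookie by omitting the expiration and session-token checks, which the rotation does not depend on.

```shell
#!/bin/sh
# Added example, not WordPress or WP-CLI code and not from this page: a
# reduced model of how WordPress binds an auth cookie to AUTH_KEY and AUTH_SALT
# (wp_generate_auth_cookie / wp_validate_auth_cookie), showing why a salt
# rotation invalidates every cookie without touching the database.
# Assumptions: openssl is in PATH; the salt values and pass_frag below are
# constructed stand-ins. WordPress also checks the expiration and looks the
# token up in the user's session_tokens meta; both are omitted here.
set -eu

hmac_hex() {  # hmac_hex <md5|sha256> <key> <message>  -> hex digest
  printf '%s' "$3" | openssl dgst "-$1" -hmac "$2" | awk '{print $NF}'
}

# wp_salt('auth') is simply AUTH_KEY . AUTH_SALT. pass_frag is a slice of the
# user's password hash, so a password change also retires old cookies; the
# rotation retires them because the HMAC key itself changes.
cookie_sign() {  # cookie_sign <user> <expiration> <token> <pass_frag> <auth_key_and_salt>
  key=$(hmac_hex md5 "$5" "$1|$4|$2|$3")
  mac=$(hmac_hex sha256 "$key" "$1|$2|$3")
  printf '%s|%s|%s|%s' "$1" "$2" "$3" "$mac"
}

# Recompute the MAC from the cookie's visible fields under the *current*
# constants and compare. Prints "valid" or "invalid".
cookie_verify() {  # cookie_verify <cookie> <pass_frag> <auth_key_and_salt>
  user=${1%%|*}; rest=${1#*|}
  exp=${rest%%|*}; rest=${rest#*|}
  token=${rest%%|*}
  expected=$(cookie_sign "$user" "$exp" "$token" "$2" "$3")
  if [ "$expected" = "$1" ]; then echo valid; else echo invalid; fi
}

# Constructed stand-ins for the concatenated AUTH_KEY . AUTH_SALT before and
# after `wp config shuffle-salts` (real values are two 64-character strings).
OLD_AUTH='OLDKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxOLDSALTyyyyyyyyyyyyyyyyyyyyyyyy'
NEW_AUTH='NEWKEYzzzzzzzzzzzzzzzzzzzzzzzzzzzzzNEWSALTwwwwwwwwwwwwwwwwwwwwwwww'

cookie=$(cookie_sign admin 1700000000 a1b2c3d4 Yx1z "$OLD_AUTH")
echo "cookie: $cookie"
echo "before rotation: $(cookie_verify "$cookie" Yx1z "$OLD_AUTH")"   # valid
echo "after rotation:  $(cookie_verify "$cookie" Yx1z "$NEW_AUTH")"   # invalid
```

The point to take from it: the cookie carries no secret, only a MAC over its visible fields, and validation recomputes that MAC under whatever AUTH_KEY and AUTH_SALT are in wp-config.php right now. Nothing in the database has to change for old cookies to die, which is also why the session records themselves survive the rotation.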

Real-World Scenarios

Scenario 1: Post-incident response (suspected account compromise)

# 1. Rotate salts to invalidate all active sessions
wp config shuffle-salts

# 2. Replace the compromised account's password with a random one (the owner
#    recovers through the normal reset flow); <user> is a login, email or ID
wp user update <user> --user_pass="$(openssl rand -base64 24)"

# 3. Review admin accounts
wp user list --role=administrator

Scenario 2: Scheduled security maintenance (cron-driven)

#!/bin/sh
# /etc/cron.monthly/wp-shuffle-salts (must be executable). cron runs it as
# root, and WP-CLI refuses to run as root, so switch to the site's user.
sudo -u www-data wp --path=/var/www/html config shuffle-salts --quiet

Scenario 3: Before going live from a cloned/migrated site

wp search-replace 'https://staging.example.com' 'https://example.com'
wp config shuffle-salts
wp cache flush

Scenario 4: Offline server (no internet access)

--force does not help here. Generate the values on the box and write each constant with wp config set:

wp config set AUTH_KEY "$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64)" --type=constant

--force vs the API

--force has nothing to do with where the values come from: it lets shuffle-salts add a key name that is not among the eight defaults instead of skipping it with a warning. On a server with no outbound access to api.wordpress.org, generate the values locally and write them with wp config set as above. Do not reach for --insecure: it only relaxes certificate checks, does nothing without connectivity, and would let an on-path attacker choose your salts where there is connectivity.
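The offline rotation carried through for all eight constants, with a dry-run switch and a before/after check, as an added example that is neither WP-CLI's own code nor part of this page. It assumes WP-CLI is installed as wp, the script runs as the site's user, WP_PATH is a hypothetical variable holding the install path, and sha256sum is available for the change check.

```shell
#!/bin/sh
# Added example, not part of WP-CLI or of this page's original content.
# Rotates the eight WordPress salts without contacting api.wordpress.org:
# each value is drawn from /dev/urandom and written with `wp config set`.
# Assumptions (not from the page): WP-CLI is installed as `wp`, the script
# runs as the site's user (not root), WP_PATH is a hypothetical variable
# holding the install path, and sha256sum exists for the change check.
set -eu

WP_PATH=${WP_PATH:-/var/www/html}
WP=${WP:-wp}   # set WP=echo to print the wp invocations instead of running them

SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character value from a 62-symbol alphabet (about 381 bits of
# entropy). tr discards bytes outside the alphabet, so the draw is uniform;
# alphanumerics only, so nothing needs escaping inside wp-config.php and no
# value can start with '-' and be mistaken for a WP-CLI flag.
gen_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64
}

# Short hash over the current eight values, used only to prove they changed.
salt_fingerprint() {
  for k in $SALT_KEYS; do
    "$WP" --path="$WP_PATH" config get "$k" 2>/dev/null || echo "MISSING:$k"
  done | sha256sum | cut -c1-16
}

# Write a fresh value for every constant. --type=constant keeps wp config set
# away from a same-named variable, and the default --add creates any constant
# that is missing from the file.
rotate_salts_offline() {
  for k in $SALT_KEYS; do
    "$WP" --path="$WP_PATH" config set "$k" "$(gen_salt)" --type=constant --quiet
  done
}

case "${1:-}" in
  --dry-run)
    WP=echo
    rotate_salts_offline
    ;;
  --run)
    before=$(salt_fingerprint)
    rotate_salts_offline
    after=$(salt_fingerprint)
    if [ "$before" = "$after" ]; then
      echo "salts unchanged (fingerprint $before); check WP_PATH and wp-config.php permissions" >&2
      exit 1
    fi
    echo "rotated all eight salts: fingerprint $before -> $after (all sessions are now invalid)"
    ;;
esac
```

Run it with --dry-run to see the eight wp config set invocations (values included) and with --run to apply them; the exit status is non-zero if the fingerprint over wp config get did not change, which is the verification step the page's grep only approximates. WordPress accepts any string for these constants, so the restricted alphabet costs nothing. Afterwards, wp user session destroy <user> --all clears the session records that the rotation orphaned.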

Best Practices

  1. Rotate salts after every security incident: a compromised admin account, malware removal, or an administrator leaving on bad terms.
  2. Schedule monthly rotations via cron as hygiene if your team accepts a forced logout of everyone each time; the rotation itself is cheap, the disruption is the cost.
  3. Notify administrators before rotating on active sites to prevent workflow disruption.
  4. Combine with wp user update --user_pass for the affected accounts; rotation alone does not change any password or application password.
  5. Verify the result with wp config list | grep -E '_KEY|_SALT' after rotation (grep _KEY alone misses the four _SALT constants).

Troubleshooting

Problem                            Cause                                        Fix
Error: Failed to fetch salts       No internet or blocked by firewall           Generate the values locally and write them with wp config set; --insecure does not help without connectivity
All users logged out unexpectedly  Salts were rotated (expected behavior)       Log back in; behavior is correct
Permission denied                  Can't write to wp-config.php                 Fix file ownership or permissions; run WP-CLI as the site's user, not root
SSL verification failure           Server cannot verify the WordPress API cert  Fix the CA bundle or system clock first; --insecure disables certificate checks and lets an on-path attacker supply the salts

Quick Reference

wp config shuffle-salts                           # Rotate all eight salts
wp config shuffle-salts AUTH_KEY NONCE_SALT       # Rotate only the named salts
wp config shuffle-salts WP_CACHE_KEY_SALT --force # Add and shuffle a non-default key
wp config list | grep -E '_KEY|_SALT'             # Verify all eight new values exist

Next Steps