WordPress-Passwort-Generator
Generieren Sie WordPress-kompatible Passwörter mit Sicherheits-Presets
WordPress Password Generation for Developers
WordPress employs a specific password hashing architecture that has evolved from the portable phpass
framework to modern bcrypt implementations. Unlike generic password generators that produce arbitrary
random strings, a WordPress-specific password generator accounts for the platform's character set
compatibility, authentication key requirements, and hashing behavior. WordPress core uses the
wp_hash_password() function to hash user passwords, and since version 5.x has transitioned
from phpass portable hashes (identified by the $P$ prefix) to bcrypt hashes (prefixed with
$2y$). Understanding this hashing pipeline is critical when generating passwords for
WordPress installations, whether for user accounts, application passwords, or the authentication
constants defined in wp-config.php.
WordPress Hashing: From phpass to bcrypt
WordPress historically relied on the phpass (Portable PHP password hashing framework) library for
password hashing. Phpass uses an iterated MD5-based scheme with a configurable cost factor, producing
hashes in the format $P$B[22 characters of salt and hash]. While this was adequate for
its era, MD5-based schemes are vulnerable to GPU-accelerated attacks. Starting with WordPress 5.x,
core introduced bcrypt support through wp_hash_password(), which now produces hashes
prefixed with $2y$ and a configurable cost factor (default cost 10, meaning
210 = 1024 iterations of the Blowfish cipher).
The transition is backward-compatible: WordPress can verify both phpass and bcrypt hashes via
wp_check_password(). When a user logs in with a password hashed using the legacy phpass
format, WordPress automatically rehashes it with bcrypt. Generated passwords work seamlessly with
both hashing methods because bcrypt accepts any string up to 72 bytes. However, passwords exceeding
72 bytes are silently truncated by bcrypt, so generated passwords should stay within this limit.
The recommended length for WordPress passwords is 24 to 64 characters, balancing high entropy with
bcrypt's byte limit.
WordPress uses a character set that avoids visually ambiguous characters. The default character pool
for wp_generate_password() includes uppercase letters, lowercase letters, digits, and
the special characters !@#$%^&*(), but excludes characters like l,
1, I, O, 0 when the
$extra_special_chars parameter is false. This prevents confusion when passwords are
communicated verbally or displayed in fonts with poor character differentiation.
wp-config.php Security Keys and Salts
WordPress defines eight authentication constants in wp-config.php that protect cookie
authentication and nonce validation. These constants are divided into four keys and four salts:
AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY,
NONCE_KEY, and their corresponding salts AUTH_SALT,
SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT.
Each key-salt pair serves a distinct authentication scope. AUTH_KEY and
AUTH_SALT authenticate standard HTTP cookies. SECURE_AUTH_KEY and
SECURE_AUTH_SALT authenticate cookies over HTTPS connections.
LOGGED_IN_KEY and LOGGED_IN_SALT validate the logged-in cookie used for
client-side interface access. NONCE_KEY and NONCE_SALT protect against
cross-site request forgery by signing nonce tokens used in forms and AJAX requests.
These constants should be 64 characters long and drawn from a character set that includes all
printable ASCII characters. Rotating these keys invalidates all existing authentication cookies,
effectively logging out every user. This is useful after a suspected compromise. WordPress.org
provides an API endpoint (https://api.wordpress.org/secret-key/1.1/salt/) that
generates random values, but generating them locally avoids transmitting secrets over the network.
Best practice is to rotate these keys at least annually or immediately after any security incident.
Application Passwords for REST API Authentication
WordPress 5.6 introduced Application Passwords — a system for authenticating REST API requests
without exposing the user's main login credentials. Application passwords are 24 characters long,
formatted as space-separated groups of 4 characters (e.g., abcd efgh ijkl mnop qrst uvwx)
for readability. Internally, the spaces are stripped before authentication, and the password is
verified against a bcrypt hash stored in the user's meta table.
Each application password is tied to a specific application name and can be individually revoked
without affecting the user's main password or other application passwords. This follows the principle
of least privilege: a CI/CD pipeline accessing the REST API uses its own application password that
can be rotated independently. Application passwords support HTTP Basic Authentication over HTTPS,
making them straightforward to use with tools like curl, Postman, or programmatic HTTP
clients.
When generating application passwords programmatically, use the same character restrictions as
WordPress core: lowercase alphanumeric characters only (a-z, 0-9),
excluding characters that could be confused visually. The WP_Application_Passwords
class in WordPress core handles generation via wp_generate_password(24, false, false),
producing a 24-character string without special characters or uppercase letters. This ensures
maximum compatibility across HTTP clients and avoids URL-encoding issues when credentials are
included in request headers.
Generating WordPress-Compatible Passwords in Practice
When generating passwords for WordPress user accounts, the target configuration depends on the specific use case. For admin accounts and database users, use the full printable ASCII character set with 24 or more characters to maximize entropy while staying within bcrypt's 72-byte limit. For generated passwords that will be shared with non-technical users, restrict the character set to avoid ambiguous characters and limit length to 16-20 characters for memorability.
For wp-config.php security constants, generate 64-character strings using the broadest
possible character set. These are never typed manually, so readability is irrelevant — maximum
entropy per character is the goal. Include uppercase, lowercase, digits, and all standard symbols.
Avoid characters that could break PHP string parsing: single quotes ('),
double quotes ("), backslashes (\), and the dollar sign
($) should be excluded since these constants are defined within PHP single-quoted
strings in wp-config.php.
This tool generates passwords tailored to each WordPress context: standard user passwords with
WordPress-compatible character sets, 64-character security keys for wp-config.php
constants, and 24-character lowercase alphanumeric strings for application passwords. All generation
uses the Web Crypto API for cryptographic randomness, ensuring output is suitable for production
WordPress deployments.
Code Examples
Generate WordPress wp-config.php security keys in JavaScript
// Generate WordPress security keys and salts for wp-config.php
// Excludes characters that break PHP single-quoted strings: ' " \ $
function generateWpConfigKey(length = 64) {
const charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#%^&*()-_=+[]{}|;:,.<>?/~`';
const values = new Uint32Array(length * 2);
crypto.getRandomValues(values);
const maxValid = Math.floor(0x100000000 / charset.length) * charset.length;
let result = '';
let i = 0;
while (result.length < length) {
if (i >= values.length) {
crypto.getRandomValues(values);
i = 0;
}
if (values[i] < maxValid) {
result += charset[values[i] % charset.length];
}
i++;
}
return result;
}
// Generate all 8 WordPress authentication constants
const keys = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
const wpConfig = keys.map(name =>
`define('${name}', '${generateWpConfigKey()}');`
).join('\n');
console.log(wpConfig);
// → define('AUTH_KEY', 'xK7!mP2@rQ9&nL4(wB5)tY8^...');
// → define('SECURE_AUTH_KEY', 'hG3#jF6%cV1*dN8-sA4=...');
// → ...Generate WordPress Application Password format
<?php
// WordPress Application Password generation (mirrors WP core behavior)
// Uses lowercase alphanumeric only, 24 characters, grouped in chunks of 4
function generate_application_password(): string {
$charset = 'abcdefghjkmnpqrstuvwxyz23456789'; // Excludes ambiguous: l, 1, i, o, 0
$password = '';
for ($i = 0; $i < 24; $i++) {
$password .= $charset[random_int(0, strlen($charset) - 1)];
}
// Format with spaces for readability (spaces stripped during auth)
return implode(' ', str_split($password, 4));
}
$app_password = generate_application_password();
// → "abcd efgh ijkl mnop qrst uvwx"
// Verify it works with wp_check_password()
$hash = wp_hash_password(str_replace(' ', '', $app_password));
$valid = wp_check_password(str_replace(' ', '', $app_password), $hash);
// → trueStandards & Specifications
- WordPress Password Hashing (wp_hash_password) — Official WordPress developer reference for the password hashing function used by core authentication
- WordPress REST API Authentication — Documentation for Application Passwords and REST API authentication methods introduced in WordPress 5.6
- PHP password_hash (bcrypt) — PHP documentation for bcrypt hashing via PASSWORD_BCRYPT, the algorithm underlying WordPress 5.x+ password storage