WordPress-Passwort-Generator

Generieren Sie WordPress-kompatible Passwörter mit Sicherheits-Presets

WordPress Password Generation for Developers

WordPress employs a specific password hashing architecture that has evolved from the portable phpass framework to modern bcrypt implementations. Unlike generic password generators that produce arbitrary random strings, a WordPress-specific password generator accounts for the platform's character set compatibility, authentication key requirements, and hashing behavior. WordPress core uses the wp_hash_password() function to hash user passwords, and since version 5.x has transitioned from phpass portable hashes (identified by the $P$ prefix) to bcrypt hashes (prefixed with $2y$). Understanding this hashing pipeline is critical when generating passwords for WordPress installations, whether for user accounts, application passwords, or the authentication constants defined in wp-config.php.

WordPress Hashing: From phpass to bcrypt

WordPress historically relied on the phpass (Portable PHP password hashing framework) library for password hashing. Phpass uses an iterated MD5-based scheme with a configurable cost factor, producing hashes in the format $P$B[22 characters of salt and hash]. While this was adequate for its era, MD5-based schemes are vulnerable to GPU-accelerated attacks. Starting with WordPress 5.x, core introduced bcrypt support through wp_hash_password(), which now produces hashes prefixed with $2y$ and a configurable cost factor (default cost 10, meaning 210 = 1024 iterations of the Blowfish cipher).

The transition is backward-compatible: WordPress can verify both phpass and bcrypt hashes via wp_check_password(). When a user logs in with a password hashed using the legacy phpass format, WordPress automatically rehashes it with bcrypt. Generated passwords work seamlessly with both hashing methods because bcrypt accepts any string up to 72 bytes. However, passwords exceeding 72 bytes are silently truncated by bcrypt, so generated passwords should stay within this limit. The recommended length for WordPress passwords is 24 to 64 characters, balancing high entropy with bcrypt's byte limit.

WordPress uses a character set that avoids visually ambiguous characters. The default character pool for wp_generate_password() includes uppercase letters, lowercase letters, digits, and the special characters !@#$%^&*(), but excludes characters like l, 1, I, O, 0 when the $extra_special_chars parameter is false. This prevents confusion when passwords are communicated verbally or displayed in fonts with poor character differentiation.

wp-config.php Security Keys and Salts

WordPress defines eight authentication constants in wp-config.php that protect cookie authentication and nonce validation. These constants are divided into four keys and four salts: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and their corresponding salts AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT.

Each key-salt pair serves a distinct authentication scope. AUTH_KEY and AUTH_SALT authenticate standard HTTP cookies. SECURE_AUTH_KEY and SECURE_AUTH_SALT authenticate cookies over HTTPS connections. LOGGED_IN_KEY and LOGGED_IN_SALT validate the logged-in cookie used for client-side interface access. NONCE_KEY and NONCE_SALT protect against cross-site request forgery by signing nonce tokens used in forms and AJAX requests.

These constants should be 64 characters long and drawn from a character set that includes all printable ASCII characters. Rotating these keys invalidates all existing authentication cookies, effectively logging out every user. This is useful after a suspected compromise. WordPress.org provides an API endpoint (https://api.wordpress.org/secret-key/1.1/salt/) that generates random values, but generating them locally avoids transmitting secrets over the network. Best practice is to rotate these keys at least annually or immediately after any security incident.

Application Passwords for REST API Authentication

WordPress 5.6 introduced Application Passwords — a system for authenticating REST API requests without exposing the user's main login credentials. Application passwords are 24 characters long, formatted as space-separated groups of 4 characters (e.g., abcd efgh ijkl mnop qrst uvwx) for readability. Internally, the spaces are stripped before authentication, and the password is verified against a bcrypt hash stored in the user's meta table.

Each application password is tied to a specific application name and can be individually revoked without affecting the user's main password or other application passwords. This follows the principle of least privilege: a CI/CD pipeline accessing the REST API uses its own application password that can be rotated independently. Application passwords support HTTP Basic Authentication over HTTPS, making them straightforward to use with tools like curl, Postman, or programmatic HTTP clients.

When generating application passwords programmatically, use the same character restrictions as WordPress core: lowercase alphanumeric characters only (a-z, 0-9), excluding characters that could be confused visually. The WP_Application_Passwords class in WordPress core handles generation via wp_generate_password(24, false, false), producing a 24-character string without special characters or uppercase letters. This ensures maximum compatibility across HTTP clients and avoids URL-encoding issues when credentials are included in request headers.

Generating WordPress-Compatible Passwords in Practice

When generating passwords for WordPress user accounts, the target configuration depends on the specific use case. For admin accounts and database users, use the full printable ASCII character set with 24 or more characters to maximize entropy while staying within bcrypt's 72-byte limit. For generated passwords that will be shared with non-technical users, restrict the character set to avoid ambiguous characters and limit length to 16-20 characters for memorability.

For wp-config.php security constants, generate 64-character strings using the broadest possible character set. These are never typed manually, so readability is irrelevant — maximum entropy per character is the goal. Include uppercase, lowercase, digits, and all standard symbols. Avoid characters that could break PHP string parsing: single quotes ('), double quotes ("), backslashes (\), and the dollar sign ($) should be excluded since these constants are defined within PHP single-quoted strings in wp-config.php.

This tool generates passwords tailored to each WordPress context: standard user passwords with WordPress-compatible character sets, 64-character security keys for wp-config.php constants, and 24-character lowercase alphanumeric strings for application passwords. All generation uses the Web Crypto API for cryptographic randomness, ensuring output is suitable for production WordPress deployments.

Code Examples

Generate WordPress wp-config.php security keys in JavaScript

// Generate WordPress security keys and salts for wp-config.php
// Excludes characters that break PHP single-quoted strings: ' " \ $
function generateWpConfigKey(length = 64) {
  const charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#%^&*()-_=+[]{}|;:,.<>?/~`';
  const values = new Uint32Array(length * 2);
  crypto.getRandomValues(values);
  const maxValid = Math.floor(0x100000000 / charset.length) * charset.length;

  let result = '';
  let i = 0;
  while (result.length < length) {
    if (i >= values.length) {
      crypto.getRandomValues(values);
      i = 0;
    }
    if (values[i] < maxValid) {
      result += charset[values[i] % charset.length];
    }
    i++;
  }
  return result;
}

// Generate all 8 WordPress authentication constants
const keys = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
              'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];

const wpConfig = keys.map(name =>
  `define('${name}', '${generateWpConfigKey()}');`
).join('\n');

console.log(wpConfig);
// → define('AUTH_KEY', 'xK7!mP2@rQ9&nL4(wB5)tY8^...');
// → define('SECURE_AUTH_KEY', 'hG3#jF6%cV1*dN8-sA4=...');
// → ...

Generate WordPress Application Password format

<?php
// WordPress Application Password generation (mirrors WP core behavior)
// Uses lowercase alphanumeric only, 24 characters, grouped in chunks of 4

function generate_application_password(): string {
    $charset = 'abcdefghjkmnpqrstuvwxyz23456789'; // Excludes ambiguous: l, 1, i, o, 0
    $password = '';

    for ($i = 0; $i < 24; $i++) {
        $password .= $charset[random_int(0, strlen($charset) - 1)];
    }

    // Format with spaces for readability (spaces stripped during auth)
    return implode(' ', str_split($password, 4));
}

$app_password = generate_application_password();
// → "abcd efgh ijkl mnop qrst uvwx"

// Verify it works with wp_check_password()
$hash = wp_hash_password(str_replace(' ', '', $app_password));
$valid = wp_check_password(str_replace(' ', '', $app_password), $hash);
// → true

Standards & Specifications