wp-config Generator
Fill in your database details and toggle security constants to generate a complete, valid wp-config.php, with freshly minted, cryptographically secure keys and salts. Everything is built right in your browser; nothing is uploaded.
Database
Security constants
crypto.getRandomValues(), cryptographically secure and unique on every render. Nothing is sent to a server.About the wp-config Generator
The wp-config Generator builds a complete, valid wp-config.php file from a few simple inputs like your database name, user, password, host, charset, and table prefix. It automatically adds eight freshly generated, cryptographically secure authentication keys and salts, plus optional security constants such as DISALLOW_FILE_EDIT, WP_DEBUG, and FORCE_SSL_ADMIN. It is built for WordPress developers and administrators who want a correct, secure config in seconds without hand-editing files or copying keys from memory.
How it works
- Enter your database details (name, user, password, host), charset, and a table prefix, then toggle any security constants you want included.
- The tool assembles a ready-to-use wp-config.php entirely in your browser, complete with eight cryptographically secure keys and salts generated on the spot.
- Copy the output or download it as a .php file, then upload it to your WordPress root directory. Use the regenerate salts button anytime to refresh the keys.
Features
- Generates a complete, valid wp-config.php from your database and site settings.
- Includes eight freshly generated, cryptographically secure authentication keys and salts on every run.
- Optional security constants such as DISALLOW_FILE_EDIT, WP_DEBUG, and FORCE_SSL_ADMIN.
- Copy to clipboard, download as a .php file, or regenerate salts with one click.
- Runs 100% client-side, so your database credentials are never sent anywhere. Free, with no signup.
Frequently asked questions
Are my database credentials uploaded anywhere?
No. Everything is generated entirely in your browser. Your database name, user, password, and all other inputs never leave your device or get sent to any server.
Where does wp-config.php go?
Place wp-config.php in the root directory of your WordPress installation, the same folder that contains wp-load.php and the wp-admin and wp-includes directories. For added security you can move it one level above the WordPress root, and WordPress will still find it.
What does the table prefix do?
The table prefix is added to the start of every database table name (the default is wp_). Using a custom, non-default prefix lets multiple WordPress installs share one database and adds a small layer of obscurity against automated attacks that target the default prefix.
Should I enable DISALLOW_FILE_EDIT?
For most production sites, yes. Setting DISALLOW_FILE_EDIT to true removes the built-in plugin and theme file editors from the WordPress admin, so an attacker who gains admin access cannot inject code through those editors. Leave it off only if you genuinely rely on editing files from the dashboard.
What charset should I use?
For modern WordPress sites, use utf8mb4. It supports the full range of Unicode characters, including emoji, and is the WordPress default. Only use utf8 if you are on an older database server that does not support utf8mb4.
What are the keys and salts, and should I regenerate them?
The eight unique keys and salts strengthen the encryption of cookies and sessions, making login data far harder to crack. This tool generates fresh, secure values automatically. You can regenerate them at any time, but changing them on a live site logs out all current users, since their existing sessions become invalid.