🧂 Fresh salt generator
Eight new 64-character keys, generated in your browser with the Web Crypto API. Safe to paste straight into wp-config.php, replacing your existing key block. Regenerating logs everyone out, which is a fast way to end any hijacked sessions.
🔎 What it checks
Every finding is ranked by severity and comes with the exact line to add or change. The checks, roughly from most to least urgent:
- Security keys and salts: all eight present, none still holding the sample placeholder, none duplicated, none suspiciously short.
- Debug exposure:
WP_DEBUGandWP_DEBUG_DISPLAY, plus a forcedini_set('display_errors', 1), any of which can print server paths and errors to visitors. - Database credentials: an empty or default password (checked locally, never shown or sent).
- File editing:
DISALLOW_FILE_EDIT, which stops a compromised admin account from editing PHP in the dashboard. - Transport:
FORCE_SSL_ADMINfor encrypted logins. - Table prefix: whether it is still the default
wp_. - Hardening and performance extras: automatic updates, debug log location, environment type, post revisions, memory limit.
🔒 Why pasting your config here is safe
wp-config.php contains your database password, so where you paste it matters. This tool is a static page: the audit runs entirely in your browser with JavaScript, there are no network requests after the page loads, and nothing is stored. Your password is used only to check whether it is empty or a common default, and it is never displayed back or transmitted. You can open the browser network tab to confirm nothing leaves, or read the small engine. If you would still rather not, redact the four DB_ lines before pasting; the rest of the audit works fine without them.
💬 Questions people ask
Should I really change the table prefix?
On a new install, yes, pick something non-default. On a live site, changing it means renaming database tables and updating references, which is risky to do casually. The audit flags wp_ as low severity for exactly this reason: it is obscurity, not a real defense, so do not break a working site chasing it.
How often should I rotate salts?
A few times a year is plenty, and any time you suspect a compromise. Rotating them invalidates every logged-in session immediately, which is the quickest way to kick out an attacker who has a stolen cookie.
Does a high score mean my site is secure?
No. This audits one file. Real security also depends on updates, strong passwords, hosting, plugins, and more. A clean wp-config.php removes a set of common, avoidable mistakes; it is a floor, not a ceiling.
Can I use the audit rules in my own tooling?
Yes. docs/config.js is a dependency-free ES module exposing parseConfig, audit, and generateSalts. MIT licensed.