wp_salt() │ WP 2.5.0
Gets the secret key (salt), which is added to the hash.
Secret keys are located in two places: in the database and in the file wp-config.php .
In wp-config.php , they look like this:
define( 'AUTH_KEY', 't vz,|X,g3{3Qxs^4G;$ 9Tk a3}~Pw%AWRh3rlw0fzZWRuU9Pm1<YPCm#R lZ5]');
define( 'SECURE_AUTH_KEY', '>@r&pPDKtZ%BaC@q@lk $_n<{!GYsp6c5CcM _`Fc?5c?Ye~;!Oevh/1UjdK-A%=');
define( 'LOGGED_IN_KEY', '%6TuLl|$M`]DF[P<-n>pr}dzw6nT&Ze[VZ-+a@Xo3tKjz6+-WrN hG.q,|9>/dNE');
define( 'NONCE_KEY', 'DO(u.HCT>h|Hi:-UHKaTV2;c+_.BKA/ s=A=EO)-C}p:=k+~sd;-]t]d$?$?ja-e');
define( 'AUTH_SALT', '|G Vo<P_7{@-gjr?sB8j`,+Q$VMMm+&S]j-R]xM^M3MAC|#]m,lud9|ES*Xeb.~y');
define( 'SECURE_AUTH_SALT', 'Y5tIYA{tOB?,6.3tv9y8C|V4l)t--BC.!@#j|F#j#V4VH&`&FBTz1>l=qA7Lxf8J');
define( 'LOGGED_IN_SALT', 'gR]>WZX ~_vY?DS+j|F+,Sdt}lG}(R6F|xlM+e~ho]KD}n1#h4)]0u|O4!<>|;YY');
define( 'NONCE_SALT', '=]nQIb%tUJ;oPD=w$?t+/c5TbJ{[5i)](K[-9J35akCnu,pqswbc:%1e64HLT2:9');
In the database, secret keys are generated randomly. The function combines keys from the database and from wp-config.php and returns the result.
Pluggable function — this function can be replaced from a plugin. It means that this function is defined (works) only after all plugins are loaded (included), but before this moment this function has not defined. Therefore, you cannot call this and all functions depended on this function directly from a plugin code. They need to be called on plugins_loaded hook or later, for example on init hook.
Function replacement (override) — in must-use or regular plugin you can create a function with the same name, then it will replace this function.
Returns
String. A string, the value of the secret key.
Usage
wp_salt( $scheme );
$scheme(string)
What type of secret key needs to be obtained, can be:
authsecure_authlogged_innonce
Default: 'auth'
Examples
#1 Demonstration of wp_salt
$salt = wp_salt('logged_in');
echo $salt;
// outputs something like this:
// 0D3*SIMO4$(t~I;E]NBx}L`Vy2U8o|{vbxH4t3l-!4-Io N(U74&+BdC^S,~*0^B>k,|4/`76[PG|V:)}o$)!hh1GgZ>t8[A-rmF&RDU~|fcN1/]T7i/=H
Add Your Own Example
wp_salt() wp salt code
WP 6.8.3
function wp_salt( $scheme = 'auth' ) {
static $cached_salts = array();
if ( isset( $cached_salts[ $scheme ] ) ) {
/**
* Filters the WordPress salt.
*
* @since 2.5.0
*
* @param string $cached_salt Cached salt for the given scheme.
* @param string $scheme Authentication scheme. Values include 'auth',
* 'secure_auth', 'logged_in', and 'nonce'.
*/
return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
}
static $duplicated_keys;
if ( null === $duplicated_keys ) {
$duplicated_keys = array();
foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) {
foreach ( array( 'KEY', 'SALT' ) as $second ) {
if ( ! defined( "{$first}_{$second}" ) ) {
continue;
}
$value = constant( "{$first}_{$second}" );
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
}
}
$duplicated_keys['put your unique phrase here'] = true;
/*
* translators: This string should only be translated if wp-config-sample.php is localized.
* You can check the localized release package or
* https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
*/
$duplicated_keys[ __( 'put your unique phrase here' ) ] = true;
}
/*
* Determine which options to prime.
*
* If the salt keys are undefined, use a duplicate value or the
* default `put your unique phrase here` value the salt will be
* generated via `wp_generate_password()` and stored as a site
* option. These options will be primed to avoid repeated
* database requests for undefined salts.
*/
$options_to_prime = array();
foreach ( array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) as $key ) {
foreach ( array( 'key', 'salt' ) as $second ) {
$const = strtoupper( "{$key}_{$second}" );
if ( ! defined( $const ) || true === $duplicated_keys[ constant( $const ) ] ) {
$options_to_prime[] = "{$key}_{$second}";
}
}
}
if ( ! empty( $options_to_prime ) ) {
/*
* Also prime `secret_key` used for undefined salting schemes.
*
* If the scheme is unknown, the default value for `secret_key` will be
* used too for the salt. This should rarely happen, so the option is only
* primed if other salts are undefined.
*
* At this point of execution it is known that a database call will be made
* to prime salts, so the `secret_key` option can be primed regardless of the
* constants status.
*/
$options_to_prime[] = 'secret_key';
wp_prime_site_option_caches( $options_to_prime );
}
$values = array(
'key' => '',
'salt' => '',
);
if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) {
$values['key'] = SECRET_KEY;
}
if ( 'auth' === $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) {
$values['salt'] = SECRET_SALT;
}
if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ), true ) ) {
foreach ( array( 'key', 'salt' ) as $type ) {
$const = strtoupper( "{$scheme}_{$type}" );
if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) {
$values[ $type ] = constant( $const );
} elseif ( ! $values[ $type ] ) {
$values[ $type ] = get_site_option( "{$scheme}_{$type}" );
if ( ! $values[ $type ] ) {
$values[ $type ] = wp_generate_password( 64, true, true );
update_site_option( "{$scheme}_{$type}", $values[ $type ] );
}
}
}
} else {
if ( ! $values['key'] ) {
$values['key'] = get_site_option( 'secret_key' );
if ( ! $values['key'] ) {
$values['key'] = wp_generate_password( 64, true, true );
update_site_option( 'secret_key', $values['key'] );
}
}
$values['salt'] = hash_hmac( 'md5', $scheme, $values['key'] );
}
$cached_salts[ $scheme ] = $values['key'] . $values['salt'];
/** This filter is documented in wp-includes/pluggable.php */
return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
}