Same issue here. It causes problems with some plugins throwing php warning if these keys are not added manually in the wp-config.php file.
An automatic generation of the keys would make sense.
When creating sites in Local, in wp-config.php are no “Authentication unique keys and salts” defined.
That is no problem in local development environment, but when a finished site is transported to a real hoster and published, the missing salts are a big security problem!
And not all users are aware of this or are able to insert salts by themself afterwards!
Does this happen for all sites in Local, or just one in particular?
Are you able to create a new, plain WordPress site in Local and access it in a Browser?
Describe the steps that others can take to replicate this issue. If you have screenshots that can help clarify what is happening, please include them!
- create a new site in Local
- check wp-config.php
Which version of Local is being used? 6.7.0
What Operating System (OS) and OS version is being used?
Windows 10 Home
Attach the Local Log. See this Help Doc for instructions on how to do so:
Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.
Local does not generate salts and security keys.
Steps to reproduce
Create a new WP instance using Local. Check the wp-config.php file and see that the section that usually contains the salts and security keys is empty.
macOS Ventura (13.2)
Local 6.6.1 (ARM)
The missing salts and security keys result in problems with some plugins which rely on those. And of course they’re a security issue by nature.
While it’s possible to include them manually for every fresh instance it would be great if Local automated this process.
Thanks for flagging this! We believe we’ve tracked down the cause of these keys not being generated; there was a change in WordPress Core that needed an accompanying change in the Local codebase that we missed! I’ve created a ticket for the engineering team and we will dig in.
So good to hear that. For local development it’s not big deal, but I saw many times people had problems to activate plugins that use freemius etc. just because they had no salt keys generated. It’s small bug with huge impact in many ways.
You bet, happy we found the root cause and a path forward on the fix.
In the meantime, if you’re running into this on a site, you can hit “Open Site Shell” and run
wp config shuffle-salts and WP-CLI will generate them again for you. Just temporary until the fix is out there!