Lack of Salt Secret-Keys in new installations

Salt Keys are not generated

  • wp-config.php on the line 54 where should be auto generated authentication unique keys and salts there’s only comment:
  • I tested it in many ways (setups), but the keys are never generated automatically for now quick fix is to add it manually: You can generate it here

Steps to reproduce

  • Just make new install and see if You have the lack of keys too.

Environment Info

  • Macbook Air - Monterey
  • Environment, PHP could be custom or perffered. The problem comes on all of the configurations.
  • Local v6.4.1+5978

Supporting info (40.9 KB)

Same problem here:

  • MacBook Pro - Monterey (M1 Max based)
  • Local v6.4.2+6012

Same issue here. It causes problems with some plugins throwing php warning if these keys are not added manually in the wp-config.php file.

An automatic generation of the keys would make sense.

Issue Summary

When creating sites in Local, in wp-config.php are no “Authentication unique keys and salts” defined.
That is no problem in local development environment, but when a finished site is transported to a real hoster and published, the missing salts are a big security problem!
And not all users are aware of this or are able to insert salts by themself afterwards!

Troubleshooting Questions

  • Does this happen for all sites in Local, or just one in particular?

  • Are you able to create a new, plain WordPress site in Local and access it in a Browser?


Describe the steps that others can take to replicate this issue. If you have screenshots that can help clarify what is happening, please include them!

  1. create a new site in Local
  2. check wp-config.php

System Details

  • Which version of Local is being used? 6.7.0

  • What Operating System (OS) and OS version is being used?
    Windows 10 Home

  • Attach the Local Log. See this Help Doc for instructions on how to do so:

Security Reminder

Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.

Bug Summary

Local does not generate salts and security keys.

Steps to reproduce

Create a new WP instance using Local. Check the wp-config.php file and see that the section that usually contains the salts and security keys is empty.

Environment Info

macOS Ventura (13.2)
Local 6.6.1 (ARM)

Supporting info

The missing salts and security keys result in problems with some plugins which rely on those. And of course they’re a security issue by nature.

While it’s possible to include them manually for every fresh instance it would be great if Local automated this process.

Hi all,

Thanks for flagging this! We believe we’ve tracked down the cause of these keys not being generated; there was a change in WordPress Core that needed an accompanying change in the Local codebase that we missed! I’ve created a ticket for the engineering team and we will dig in.



So good to hear that. For local development it’s not big deal, but I saw many times people had problems to activate plugins that use freemius etc. just because they had no salt keys generated. It’s small bug with huge impact in many ways.

Thanks @austinwendt


You bet, happy we found the root cause and a path forward on the fix.

In the meantime, if you’re running into this on a site, you can hit “Open Site Shell” and run wp config shuffle-salts and WP-CLI will generate them again for you. Just temporary until the fix is out there!

1 Like