A small, fast, client-side toolkit for WordPress admins and sysadmins. Hashing, password generation, and WordPress salts run entirely in your tab. No requests, no logs, no telemetry.
MD5 is a 128-bit cryptographic hash designed by Ronald Rivest in 1991. It still has legitimate uses: file integrity checks, ETags, deduplication, cache keys, fingerprinting non-secret data, and interop with legacy systems that demand it.
MD5 is broken for security purposes — collisions are trivial to generate. Modern WordPress uses bcrypt (and phpass on older installs), not raw MD5. If you're hashing a password, switch to the bcrypt / phpass tab.
SHA-256 is the default modern fingerprint hash — file checksums, content-addressing, JWTs, signatures. SHA-1 is deprecated for security but still appears in legacy systems (git, old TLS). Like MD5, none of these are password hashes on their own.
This page calls window.crypto.subtle.digest() — the WebCrypto API built into your browser. The plaintext never leaves the tab.
WordPress 6.8+ stores passwords as bcrypt ($2y$). Older sites use phpass ($P$). Both formats are accepted on read, so a fresh bcrypt hash works on any modern WP. Pick phpass only if you're building a fixture or testing a legacy install.
bcrypt at cost 10 takes ~50–100ms per hash; cost 12 is ~4× slower. That's the feature: it makes brute force expensive. Generation is synchronous and runs in this tab.
Every extra character roughly doubles the brute-force work. A 20-character random password is overwhelmingly stronger than an 8-character one with three symbols. 16+ for normal accounts, 24+ for admin / root / cPanel.
If a password will be transcribed by a human (server console, mobile keyboard), the "avoid look-alikes" option strips 1 l I 0 O o so nobody calls you at 2am about a "wrong password" that's actually a confused 1 vs l.
The eight constants — AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and the four _SALT pairs — sign and encrypt WordPress auth cookies and nonces. Replace the entire block in wp-config.php; rotating them logs out every session instantly.
Replacing salts is step one of incident response: it kicks the attacker out of any stolen session. You also need to: change the DB password, force-reset all admin passwords, audit users for unknown admins, and check active sessions and application passwords.
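An added example, not this toolkit's own code: one way to build the eight-constant block with `crypto.getRandomValues()` in a browser tab or in Node. The 64-character length, the alphabet (printable ASCII without quotes or backslash, so values need no escaping in a single-quoted PHP string) and the function names are assumptions of this example.

```javascript
// Added example: generate a wp-config.php salt block from a CSPRNG.
// Uses the browser's WebCrypto; under Node it falls back to node:crypto.
const cryptoApi = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// The eight constants: four _KEY values and their four _SALT pairs.
const SALT_NAMES = [
  'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
  'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Assumption: printable ASCII minus ' " \ and space (91 characters), so each
// value can sit inside a single-quoted PHP string without escaping.
const SALT_ALPHABET =
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' +
  '!#$%&()*+,-./:;<=>?@[]^_`{|}~';

// Draw `length` characters uniformly from `alphabet`. Bytes at or above the
// largest multiple of alphabet.length are discarded (rejection sampling), so
// no character is favoured the way a plain `byte % n` would favour some.
function randomString(length, alphabet) {
  if (alphabet.length < 2 || alphabet.length > 256) {
    throw new RangeError('alphabet must have 2..256 characters');
  }
  const limit = 256 - (256 % alphabet.length);
  const buf = new Uint8Array(64);
  let out = '';
  while (out.length < length) {
    cryptoApi.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out += alphabet[b % alphabet.length];
    }
  }
  return out;
}

// Build the define() lines that replace the existing block in wp-config.php.
function generateSaltBlock(length = 64) {
  const width = Math.max(...SALT_NAMES.map((n) => n.length));
  return SALT_NAMES.map((name) => {
    const pad = ' '.repeat(width - name.length);
    return `define( '${name}',${pad} '${randomString(length, SALT_ALPHABET)}' );`;
  }).join('\n');
}
```

Calling `generateSaltBlock()` returns the eight `define()` lines as one string, ready to paste over the old block.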
An .htpasswd in front of wp-login.php stops 99% of automated WordPress login attacks before PHP ever runs. Pair with fail2ban watching the auth log for serious traffic.
Append the generated line to your existing .htpasswd, or save it as a new file. RunCloud users: add it via the "Basic Auth" panel under your web app, or reference it manually in your nginx config.
Paste the generated UPDATE in phpMyAdmin → SQL tab, or pipe it: wp db query "$(pbpaste)". The generated hash is bcrypt — accepted by every modern WP version.
This SQL writes directly to wp_users. mysqldump the database (or snapshot the VPS) before running anything. The query also clears user_activation_key as a precaution.