wp_generate_password( int $length = 12, bool $special_chars = true, bool $extra_special_chars = false ): string

Generates a random password drawn from the defined set of characters.


Uses wp_rand() to create passwords with far less predictability than similar native PHP functions like rand() or mt_rand().


The length of password to generate.


Whether to include standard special characters.


Whether to include other special characters.
Used when generating secret keys and salts.



string The random password.

More Information

This function executes the random_password filter after generating the password.

Normal characters: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

Special characters: !@#$%^&*()

Extra special characters: -_ []{}<>~`+=,.;:/?|


function wp_generate_password( $length = 12, $special_chars = true, $extra_special_chars = false ) {
	$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
	if ( $special_chars ) {
		$chars .= '!@#$%^&*()';
	if ( $extra_special_chars ) {
		$chars .= '-_ []{}<>~`+=,.;:/?|';

	$password = '';
	for ( $i = 0; $i < $length; $i++ ) {
		$password .= substr( $chars, wp_rand( 0, strlen( $chars ) - 1 ), 1 );

	 * Filters the randomly-generated password.
	 * @since 3.0.0
	 * @since 5.3.0 Added the `$length`, `$special_chars`, and `$extra_special_chars` parameters.
	 * @param string $password            The generated password.
	 * @param int    $length              The length of password to generate.
	 * @param bool   $special_chars       Whether to include standard special characters.
	 * @param bool   $extra_special_chars Whether to include other special characters.
	return apply_filters( 'random_password', $password, $length, $special_chars, $extra_special_chars );


apply_filters( ‘random_password’, string $password, int $length, bool $special_chars, bool $extra_special_chars )

Filters the randomly-generated password.



User Contributed Notes

  1. Skip to note 9 content

    You can use the wp_generate_password() function to create a unique hash that can be added as a parameter to URLs. This is useful in scenarios such as cache busting (forcing the browser to re-fetch the page instead of using a cached version) or generating unique referral links.

    Here’s an example of how to implement this:

    $url = home_url( '/some-location' ); // Get some URL of your WordPress site
    $url = add_query_arg( array(
        '_some_param' => wp_generate_password( 32, false, false ) // Generate a unique hash
    ), $url );
    wp_safe_redirect( $url ); // Safely redirect to the new URL

    You can replace home_url() with any other URL you want to use as the base.

You must log in before being able to contribute a note or feedback.