diff --git a/generate-env-secrets.sh b/generate-env-secrets.sh
new file mode 100755
index 0000000..cf74048
--- /dev/null
+++ b/generate-env-secrets.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# Generate secure passwords and WordPress salts for .env.prod
+# Usage: ./generate-env-secrets.sh [project-name] [domain]
+# Example: ./generate-env-secrets.sh php-wp-ch_hair_select hair-sct.ch
+
+set -e
+
+PROJECT_NAME="${1:-php-wp-example}"
+DOMAIN="${2:-example.com}"
+TABLE_PREFIX="${3:-wp_}"
+
+# Generate random passwords
+DB_ROOT_PASSWORD=$(openssl rand -base64 32)
+DB_PASSWORD=$(openssl rand -base64 32)
+FTP_PASSWORD=$(openssl rand -base64 24)
+
+# Fetch WordPress salts from official API
+echo "Fetching WordPress salts from api.wordpress.org..."
+SALTS=$(curl -s https://api.wordpress.org/secret-key/1.1/salt/)
+
+# Extract individual salt values and escape for shell
+extract_salt() {
+ echo "$SALTS" | grep "define('$1'" | sed "s/define('$1', *'//" | sed "s/');$//" | sed "s/\\\$/\\\\\$/g" | sed "s/\`/\\\\\`/g"
+}
+
+AUTH_KEY=$(extract_salt "AUTH_KEY")
+SECURE_AUTH_KEY=$(extract_salt "SECURE_AUTH_KEY")
+LOGGED_IN_KEY=$(extract_salt "LOGGED_IN_KEY")
+NONCE_KEY=$(extract_salt "NONCE_KEY")
+AUTH_SALT=$(extract_salt "AUTH_SALT")
+SECURE_AUTH_SALT=$(extract_salt "SECURE_AUTH_SALT")
+LOGGED_IN_SALT=$(extract_salt "LOGGED_IN_SALT")
+NONCE_SALT=$(extract_salt "NONCE_SALT")
+
+# Write .env.prod
+cat > .env.prod << EOF
+REVERSE_DOMAIN=${PROJECT_NAME}
+DB_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
+DB_NAME=${PROJECT_NAME}-db_name
+DB_USER=${PROJECT_NAME}-db_user
+DB_PASSWORD=${DB_PASSWORD}
+APPLICATION_DOMAIN_NAME=${DOMAIN}
+DOCKER_IMAGE=wordpress
+DOCKER_IMAGE_TAG=latest
+AUTH_KEY="'${AUTH_KEY}'"
+SECURE_AUTH_KEY="'${SECURE_AUTH_KEY}'"
+LOGGED_IN_KEY="'${LOGGED_IN_KEY}'"
+NONCE_KEY="'${NONCE_KEY}'"
+AUTH_SALT="'${AUTH_SALT}'"
+SECURE_AUTH_SALT="'${SECURE_AUTH_SALT}'"
+LOGGED_IN_SALT="'${LOGGED_IN_SALT}'"
+NONCE_SALT="'${NONCE_SALT}'"
+TABLE_PREFIX=${TABLE_PREFIX}
+
+WP_DEBUG=1
+WP_DEBUG_LOG=1
+WP_DEBUG_DISPLAY=false
+DISABLE_WP_CRON=true
+
+FTP_USERNAME=admin
+FTP_PASSWORD=${FTP_PASSWORD}
+EOF
+
+echo "Generated .env.prod for ${PROJECT_NAME} (${DOMAIN})"
+echo "Remember to update TABLE_PREFIX if migrating existing database!"
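Review bot: The salt fetch can fail without stopping the script: `curl -s` exits 0 on an HTTP error response, and the status of the `extract_salt` pipeline is that of its last `sed`, so `set -e` never fires and `.env.prod` is written with empty keys such as `AUTH_KEY="''"`. I would make curl fail on HTTP errors and check that all eight values are non-empty before the heredoc runs. The file is also created under the caller's umask although it holds the database root password, and any existing `.env.prod` is overwritten without notice, so a `umask 077` ahead of the write is worth adding. Separately, `WP_DEBUG=1` and `WP_DEBUG_LOG=1` are hard-coded into what is named a production env file, and the usage comment omits the third (table prefix) argument.

```shell
umask 077  # .env.prod holds the DB root password; create it owner-only

# … unchanged: argument defaults, openssl password generation …

SALTS=$(curl -fsS https://api.wordpress.org/secret-key/1.1/salt/)

# … unchanged: extract_salt and the eight KEY/SALT assignments …

for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
            AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
  if [ -z "${!name}" ]; then
    echo "error: could not extract ${name} from the salt response" >&2
    exit 1
  fi
done

# … unchanged: heredoc writing .env.prod …
```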