I *think* wget only reads the wgetrc file once. So, provided you are
using bash (you are) and run it on a OS with support for reading a fd
from a path in /proc (which is also most likely) then you can replace
the wgetrc with a script, which presumably can determine if it's safe to
decrypt the secret and retrieve the password from secure storage.
$ cat script.sh
#!/bin/sh
echo http-user=user
echo http-password=$(pwgen 43 1)
And then we can run:
WGETRC=<(./script.sh) wget -d http://www.secretsite.net
which would provide a different password for accesing the site on each run.