I *think* wget only reads the wgetrc file once. So, provided you are
using bash (you are) and run it on a OS with support for reading a
fd from a path in /proc (which is also most likely) then you can
replace the wgetrc with a script, which presumably can determine if
it's safe to decrypt the secret and retrieve the password from
secure storage.
$ cat script.sh
#!/bin/sh
echo http-user=user
echo http-password=$(pwgen 43 1)
And then we can run:
WGETRC=<(./script.sh) wget -d http://www.secretsite.net
which would provide a different password for accesing the site on each run.