wp_hash_password( string $password ): string

Creates a hash of a plain text password.

Description

For integration with other applications, this function can be overridden (it is pluggable) so that the other application's password hashing scheme is used instead of the WordPress default.

Parameters

$password (string) (required)
    Plain text user password to hash.

Return

string The hash string of the password.

More Information

This function can be replaced via plugins. If no plugin redefines wp_hash_password() before pluggable.php is loaded, this default implementation is used.

Creates a hash of a plain text password. Since WordPress 6.8.0 the default implementation uses PHP's password_hash() with bcrypt: the trimmed password is first pre-hashed with HMAC-SHA384 under the fixed key `wp-sha384` (domain separation), base64-encoded so that the 48-byte digest becomes 64 ASCII characters and stays under bcrypt's 72-byte input limit, and the resulting bcrypt hash is prefixed with `$wp` so it can be told apart from a vanilla bcrypt hash. Passwords longer than 4096 bytes are rejected and the literal string '*' is returned instead of a hash. The algorithm and its options can be changed with the `wp_hash_password_algorithm` and `wp_hash_password_options` filters; algorithms other than bcrypt are passed to password_hash() directly, without the pre-hash step or the `$wp` prefix. If the global $wp_hasher is set, its HashPassword() method is used instead of all of the above. Before 6.8.0 that legacy path was the default: the phpass PasswordHash class, which salts the password and hashes it with 2**8 = 256 passes of MD5 in its portable mode (MD5 because it is available on all platforms). PasswordHash can be configured to use Blowfish or extended DES (if available) instead of MD5 with the $portable_hashes constructor argument or property (see the user-contributed notes).
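The following is an added example and not WordPress core code: a standalone PHP reproduction of the default 6.8 bcrypt path shown in the Source section below, with the matching verification step that the page does not show. It is the kind of shim another application needs to create or check WordPress-compatible `$wp`-prefixed hashes without loading WordPress. The `wp68_*` names, the constants and the sample passwords are this example's own; the key `wp-sha384`, the `$wp` prefix and the 4096-byte limit are taken from the source.

```php
<?php
// Added example (not WordPress core). Mirrors the bcrypt branch of
// wp_hash_password() in WordPress 6.8 and adds the corresponding check.

const WP68_PREFIX   = '$wp';        // marks a pre-hashed WordPress bcrypt hash
const WP68_HMAC_KEY = 'wp-sha384';  // fixed domain-separation key used by core
const WP68_MAX_LEN  = 4096;         // core rejects longer input and returns '*'

/**
 * Pre-hash exactly as core does: HMAC-SHA384 of the trimmed password under a
 * fixed key, base64-encoded. The 48-byte digest becomes 64 ASCII characters,
 * which is under bcrypt's 72-byte limit, so no part of a long password is
 * silently truncated by bcrypt itself.
 */
function wp68_prehash( string $password ): string {
    return base64_encode( hash_hmac( 'sha384', trim( $password ), WP68_HMAC_KEY, true ) );
}

/** Produce a hash in the same format core stores in user_pass. */
function wp68_hash_password( string $password, array $options = array() ): string {
    if ( strlen( $password ) > WP68_MAX_LEN ) {
        return '*';
    }
    return WP68_PREFIX . password_hash( wp68_prehash( $password ), PASSWORD_BCRYPT, $options );
}

/**
 * Verify a password against a '$wp'-prefixed hash. Other formats (legacy
 * phpass '$P$...' hashes, unprefixed bcrypt or argon2 from a filter-changed
 * algorithm, the '*' sentinel) are deliberately rejected by this example.
 */
function wp68_check_password( string $password, string $stored ): bool {
    if ( strlen( $password ) > WP68_MAX_LEN ) {
        return false;
    }
    if ( strncmp( $stored, WP68_PREFIX, strlen( WP68_PREFIX ) ) !== 0 ) {
        return false;
    }
    $bcrypt = substr( $stored, strlen( WP68_PREFIX ) );
    // password_verify() is constant-time and does its own format validation.
    return password_verify( wp68_prehash( $password ), $bcrypt );
}

// Constructed demo input; not taken from a real site.
$hash = wp68_hash_password( 'correct horse battery staple' );
printf( "stored form starts with '%s' followed by bcrypt: %s\n", WP68_PREFIX, $hash );
printf( "same password verifies: %s\n", var_export( wp68_check_password( 'correct horse battery staple', $hash ), true ) );
printf( "wrong password verifies: %s\n", var_export( wp68_check_password( 'Tr0ub4dor&3', $hash ), true ) );
printf( "over-long password verifies against '*': %s\n", var_export( wp68_check_password( str_repeat( 'a', 5000 ), wp68_hash_password( str_repeat( 'a', 5000 ) ) ), true ) );
```

Two points worth noticing when porting this: trim() is applied before hashing, so a password differing only in leading or trailing whitespace is accepted, and the HMAC key is a public constant, so the pre-hash adds no secret; its purpose is domain separation and length normalisation, not keyed protection of the hash.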

Source

function wp_hash_password(
	#[\SensitiveParameter]
	$password
) {
	global $wp_hasher;

	if ( ! empty( $wp_hasher ) ) {
		return $wp_hasher->HashPassword( trim( $password ) );
	}

	if ( strlen( $password ) > 4096 ) {
		return '*';
	}

	/**
	 * Filters the hashing algorithm to use in the password_hash() and password_needs_rehash() functions.
	 *
	 * The default is the value of the `PASSWORD_BCRYPT` constant which means bcrypt is used.
	 *
	 * **Important:** The only password hashing algorithm that is guaranteed to be available across PHP
	 * installations is bcrypt. If you use any other algorithm you must make sure that it is available on
	 * the server. The `password_algos()` function can be used to check which hashing algorithms are available.
	 *
	 * The hashing options can be controlled via the 'wp_hash_password_options' filter.
	 *
	 * Other available constants include:
	 *
	 * - `PASSWORD_ARGON2I`
	 * - `PASSWORD_ARGON2ID`
	 * - `PASSWORD_DEFAULT`
	 *
	 * @since 6.8.0
	 *
	 * @param string $algorithm The hashing algorithm. Default is the value of the `PASSWORD_BCRYPT` constant.
	 */
	$algorithm = apply_filters( 'wp_hash_password_algorithm', PASSWORD_BCRYPT );

	/**
	 * Filters the options passed to the password_hash() and password_needs_rehash() functions.
	 *
	 * The default hashing algorithm is bcrypt, but this can be changed via the 'wp_hash_password_algorithm'
	 * filter. You must ensure that the options are appropriate for the algorithm in use.
	 *
	 * @since 6.8.0
	 *
	 * @param array $options    Array of options to pass to the password hashing functions.
	 *                          By default this is an empty array which means the default
	 *                          options will be used.
	 * @param string $algorithm The hashing algorithm in use.
	 */
	$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );

	// Algorithms other than bcrypt don't need to use pre-hashing.
	if ( PASSWORD_BCRYPT !== $algorithm ) {
		return password_hash( $password, $algorithm, $options );
	}

	// Use SHA-384 to retain entropy from a password that's longer than 72 bytes, and a `wp-sha384` key for domain separation.
	$password_to_hash = base64_encode( hash_hmac( 'sha384', trim( $password ), 'wp-sha384', true ) );

	// Add a prefix to facilitate distinguishing vanilla bcrypt hashes.
	return '$wp' . password_hash( $password_to_hash, $algorithm, $options );
}

Hooks

apply_filters( 'wp_hash_password_algorithm', string $algorithm )

Filters the hashing algorithm to use in the password_hash() and password_needs_rehash() functions.

apply_filters( 'wp_hash_password_options', array $options, string $algorithm )

Filters the options passed to the password_hash() and password_needs_rehash() functions.
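As an added example (not WordPress core code and not a real plugin), the two filters above used together from a plugin file: the algorithm filter switches to Argon2id only when the running PHP build actually offers it, checked with password_algos() as the source comment recommends, and the options filter tunes parameters that match whichever algorithm ends up in use. The cost values are illustrative assumptions to be measured against the server's login latency budget.

```php
<?php
/**
 * Plugin Name: Example password algorithm policy (added example, not core)
 *
 * Registers both filters on every request so that wp_hash_password() and
 * the matching password_needs_rehash() call always see the same policy.
 */

add_filter( 'wp_hash_password_algorithm', function ( $algorithm ) {
    // Only bcrypt is guaranteed everywhere. Argon2id needs PHP compiled with
    // libargon2, and password_algos() (PHP 7.4+) reports what this build has.
    if ( defined( 'PASSWORD_ARGON2ID' )
        && function_exists( 'password_algos' )
        && in_array( PASSWORD_ARGON2ID, password_algos(), true ) ) {
        return PASSWORD_ARGON2ID;
    }
    // Fall back to the default bcrypt passed in by core.
    return $algorithm;
} );

add_filter( 'wp_hash_password_options', function ( $options, $algorithm ) {
    // Options must fit the algorithm actually selected, so branch on it.
    if ( PASSWORD_BCRYPT === $algorithm ) {
        // PHP's default cost is 10; 12 is an assumed value, measure before shipping.
        $options['cost'] = 12;
    } elseif ( defined( 'PASSWORD_ARGON2ID' ) && PASSWORD_ARGON2ID === $algorithm ) {
        // Assumed Argon2id parameters (KiB of memory, iterations, lanes).
        $options = array(
            'memory_cost' => 65536,
            'time_cost'   => 4,
            'threads'     => 1,
        );
    }
    return $options;
}, 10, 2 );
```

Two consequences of changing the algorithm follow from the source: hashes produced by a non-bcrypt algorithm carry no `$wp` prefix and skip the SHA-384 pre-hash, and because the same filters feed password_needs_rehash(), existing users are migrated to the new algorithm on their next successful login. Deactivating the plugin later does not break those logins, but it does leave a mix of formats in the database until each user signs in again.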

Changelog

Version  Description
6.8.0    The password is now hashed using bcrypt by default instead of phpass.
2.5.0    Introduced.

User Contributed Notes


    Compare an already hashed password with its plain-text string:

    <?php
    // PasswordHash lives in wp-includes/class-phpass.php and is not loaded
    // on every request; include it if another component has not already.
    if ( ! class_exists( 'PasswordHash' ) ) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
    }

    // 8 = iteration count log2 (2**8 rounds), TRUE = portable MD5-based hashes.
    $wp_hasher = new PasswordHash(8, TRUE);

    $password_hashed = '$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/';
    $plain_password = 'test';

    if ($wp_hasher->CheckPassword($plain_password, $password_hashed)) {
        echo "YES, Matched";
    } else {
        echo "No, Wrong Password";
    }
    ?>
