WordPress is dedicated to user security and protects user passwords with a process called ‘hashing’, which transforms a plain text password into an undecipherable string that is extremely hard to reverse-engineer.
WordPress uses a variant of the MD5 hasher known as the ‘Portable PHP password hashing framework’, or ‘phpass’. This hasher adds complexity to the MD5 hashing function through ‘salting’ and ‘stretching’.
‘Salting’ is a process that combines a unique value, called a salt, with the user password before it is hashed. WordPress defines unique salt values in your wp-config.php file for various operations.
‘Stretching’ is a process that runs the hashing function multiple times (thousands, in WordPress’s case) so that each hash is far more expensive to compute, which drastically slows down any brute-force attempt to crack it.
When a user password is stored in WordPress, the password is salted, hashed, and the resulting hash is stored. When a user attempts to log in, the entered password is treated the same way and the hashes are compared to validate the credentials.
WordPress provides a built-in function wp_hash_password() for handling password hashing, and this should be used whenever dealing with user passwords in your plugins or themes.
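As an added illustration (not code from WordPress or phpass), the following Python re-implements phpass's portable `$P$` scheme the way WordPress configures it: a random 8-character salt stored inside the hash string, 2^13 MD5 rounds, phpass's own 6-bit encoding, and a constant-time comparison on verification. The names `hash_password` and `check_password` are this example's own, standing in for wp_hash_password() and wp_check_password().

```python
import hashlib, hmac, os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # phpass's 6-bit alphabet (not base64)

def encode64(data):
    """Encode bytes with phpass's little-endian 6-bit scheme (6 bytes -> 8 chars, 16 bytes -> 22 chars)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def crypt_private(password, setting):
    """Salt + stretch: md5(salt||pw), then 2**count_log2 rounds of md5(h||pw)."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return "*0"                       # phpass's failure marker
    count_log2 = ITOA64.find(setting[3])  # 4th char encodes log2 of the round count
    salt = setting[4:12]                  # 8-char salt carried inside the hash string
    if not 7 <= count_log2 <= 30 or len(salt) != 8:
        return "*0"
    pw = password.encode("utf-8")
    h = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):      # the 'stretching' loop
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h)     # "$P$" + count char + salt + 22-char digest

def hash_password(password, count_log2=13, salt_bytes=None):
    # WordPress constructs PasswordHash(8, True); phpass adds 5, so 2**13 rounds, encoded as 'B'
    if salt_bytes is None:
        salt_bytes = os.urandom(6)        # fresh random salt for every password
    setting = "$P$" + ITOA64[min(count_log2, 30)] + encode64(salt_bytes)
    return crypt_private(password, setting)

def check_password(password, stored_hash):
    computed = crypt_private(password, stored_hash)  # re-derive using the stored count and salt
    return not computed.startswith("*") and hmac.compare_digest(computed, stored_hash)
```

Because the salt and round count travel inside the 34-character string, verification needs nothing but the stored hash and the candidate password.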