What Type of Hash Does WordPress Use?

WordPress secures user passwords by hashing them. Hashing transforms a plain-text password into an undecipherable string that is extremely hard to reverse-engineer.

WordPress uses a variant of the MD5 hasher from the ‘Portable PHP password hashing framework’, or ‘phpass’. This hasher adds complexity to the MD5 hashing function through ‘salting’ and ‘stretching’.

‘Salting’ combines a unique value, called a salt, with the user password before it is hashed. WordPress defines unique salt values in your wp-config.php file for various operations.

‘Stretching’ runs the hashing function multiple times (thousands, in WordPress’s case) to further obfuscate the hash and drastically slow down any brute-force attempts to crack it.

When a user password is stored in WordPress, the password is salted and hashed, and the resulting hash is stored. When a user attempts to log in, the entered password is processed the same way and the two hashes are compared to validate the credentials.
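The salt, stretch and compare flow described above, as an added Python example written for this page (not WordPress or phpass source code): it reimplements the phpass portable hash format to show that the per-password salt and the iteration count travel inside the stored hash string. The function names, the sample salt and the sample password are constructed for illustration.

```python
import hashlib
import hmac

# Alphabet phpass uses for its base64-like encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass encoding: each 3-byte group, little-endian, 6 bits per char."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        # 1 byte -> 2 chars, 2 bytes -> 3 chars, 3 bytes -> 4 chars
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def parse_phpass(stored: str) -> dict:
    """Split a stored hash into the parameters embedded in it."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.find(stored[3])  # 4th character encodes log2(rounds)
    if not 7 <= log2 <= 30:
        raise ValueError("iteration count out of range")
    return {"log2": log2, "rounds": 1 << log2, "salt": stored[4:12]}

def phpass_hash(password: str, salt: str, log2: int = 13) -> str:
    """Salt, then stretch: MD5(salt+pw), then 2**log2 rounds of MD5(digest+pw)."""
    if len(salt) != 8 or not 7 <= log2 <= 30:
        raise ValueError("bad salt or iteration count")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[log2] + salt + _encode64(digest)

def phpass_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    p = parse_phpass(stored)
    candidate = phpass_hash(password, p["salt"], p["log2"])
    return hmac.compare_digest(candidate[3:], stored[3:])

# Constructed sample: the salt and password are made up for this example.
SAMPLE = phpass_hash("correct horse", "abcdefgh")
```

In plugin or theme code, call wp_hash_password() and wp_check_password() rather than reimplementing the scheme.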

WordPress provides a built-in function wp_hash_password() for handling password hashing, and this should be used whenever dealing with user passwords in your plugins or themes.
