The password hashing/checking system in WP is pluggable, which essentially means that it is designed to be replaceable with a custom implementation. This isn't commonly done, because of reliance on defaults and compatibility. WP tries hard for backwards compat (such as with the earliest single MD5 implementation) and portability (hashes from one WP install would work on another).
There are off-the-shelf solutions around that change hashing to newer and more secure algorithms. At this time this is mostly considered to be password_hash() in PHP, which is designed to be future-proof. The algorithm used and the salts are embedded in the resulting hash, so you can keep moving to stronger algorithms in the future, while being able to transparently verify older hashes.
From a quick search, roots/wp-password-bcrypt is one such implementation.
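The verify-then-upgrade flow that the embedded algorithm and salt make possible, as an added example (not code from the original answer or from roots/wp-password-bcrypt). The function name `verify_and_upgrade()`, the cost of 12 and the sample records are assumptions; only the single-MD5 legacy format mentioned above and password_hash() output are handled.

```php
<?php
// Added example; verify_and_upgrade() and the sample records are hypothetical.

// Returns [bool $ok, ?string $newHash]. $newHash is set only when the password
// is correct and the stored hash is weaker than the current policy.
function verify_and_upgrade(string $password, string $stored, array $options = ['cost' => 12]): array
{
    if (preg_match('/^[a-f0-9]{32}$/', $stored) === 1) {
        // Legacy format: single unsalted MD5, compared in constant time.
        $ok = hash_equals($stored, md5($password));
    } else {
        // password_hash() output: algorithm, cost and salt are read from the string itself.
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return [false, null];
    }
    // True for the MD5 string (not a recognised password_hash() format) and for
    // bcrypt hashes whose cost is below the target.
    $stale = password_needs_rehash($stored, PASSWORD_DEFAULT, $options);
    return [true, $stale ? password_hash($password, PASSWORD_DEFAULT, $options) : null];
}

// Constructed sample records: one legacy MD5, one low-cost bcrypt, one current.
$password = 'correct horse battery staple';
$records = [
    'legacy-md5'  => md5($password),
    'bcrypt-weak' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]),
    'current'     => password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]),
];

foreach ($records as $label => $stored) {
    [$ok, $newHash] = verify_and_upgrade($password, $stored);
    $algo = password_get_info($newHash ?? $stored)['algoName'];
    printf("%-12s ok=%s upgraded=%s now=%s\n", $label, $ok ? 'yes' : 'no', $newHash ? 'yes' : 'no', $algo);
}

[$ok] = verify_and_upgrade('wrong password', $records['current']);
printf("%-12s ok=%s\n", 'wrong-pass', $ok ? 'yes' : 'no');
```

In a login handler, a non-null second element is what gets written back to the user record, so each account moves to the current algorithm the next time its owner signs in.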