
wp_check_password() WP 2.5.0

Checks the plaintext password against the hashed password.

The $hash parameter is the hashed password string (as stored in the database), and the $password parameter is the plaintext password. The function hashes the submitted plaintext password and compares the result with $hash; if they match (both were produced by the same scheme), the function returns true.

For integration with other applications, this function can be overridden to use the other package's password-checking algorithm instead.

Maintains compatibility between the old version and the new cookie authentication protocol using the PHPass library.

  • Global. PasswordHash $wp_hasher. PHPass object used for checking the password against the $hash + $password.

This is a pluggable function, so it can be replaced from a plugin. This means the function is defined only after all plugins have been included; before that point it does not exist yet. Therefore you cannot call this function, or any function that depends on it, directly from plugin code. It must be called on the plugins_loaded hook or later, for example on the init hook.

Function replacement (override): if a plugin defines a function with the same name, that function replaces this one.
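The override described above, as an added example (a hypothetical plugin, not WordPress core code and not from this page's author). It keeps core's MD5 and phpass checks so existing accounts can still log in, verifies other hashes with PHP's password_verify(), and upgrades old hashes after a successful check. The plugin name and the choice of bcrypt are assumptions.

```php
<?php
/**
 * Plugin Name: Example bcrypt password check (hypothetical plugin, added example)
 */

// Pluggable functions are defined only after plugins load, so definitions made
// here win. Both functions are replaced together, and only if neither has been
// replaced already, so checking and hashing never disagree about the scheme.
if ( ! function_exists( 'wp_check_password' ) && ! function_exists( 'wp_hash_password' ) ) {

	function wp_hash_password( $password ) {
		// PASSWORD_BCRYPT generates a random salt for every hash.
		return password_hash( $password, PASSWORD_BCRYPT );
	}

	function wp_check_password( $password, $hash, $user_id = '' ) {
		global $wp_hasher;

		if ( strlen( $hash ) <= 32 ) {
			// Legacy unsalted MD5: same length test and timing-safe compare as core.
			$check = hash_equals( $hash, md5( $password ) );
		} elseif ( 0 === strpos( $hash, '$P$' ) ) {
			// phpass portable hash written by stock WordPress.
			if ( empty( $wp_hasher ) ) {
				require_once ABSPATH . WPINC . '/class-phpass.php';
				$wp_hasher = new PasswordHash( 8, true );
			}
			$check = $wp_hasher->CheckPassword( $password, $hash );
		} else {
			// Anything else is treated as a password_hash() string (assumption: bcrypt).
			$check = password_verify( $password, $hash );
		}

		// Upgrade MD5 and phpass hashes once the password is known to be correct.
		// wp_set_password() calls wp_hash_password(), which is replaced above.
		if ( $check && $user_id && password_needs_rehash( $hash, PASSWORD_BCRYPT ) ) {
			wp_set_password( $password, $user_id );
		}

		// Keep the check_password filter so code hooked on it still runs.
		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
	}
}
```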

1 time = 0.002451s = very slow | 50000 times = 124.36s = extremely slow (PHP 7.1.2, WP 4.7.5)

No Hooks.

Return

true/false. False if the $password does not match the hashed password.

Usage

wp_check_password( $password, $hash, $user_id );
$password (string) (required)
The user's plaintext password.
$hash (string) (required)
Hash of the user's password to check against.
$user_id (string/int)
User ID.
Default: ''

Examples

#1 Check the user password

Let's say we have a password in plain text and we need to find out whether this password is the password of the user with ID 3:

$user = get_userdata( 3 );
if ( $user ) {
	$password = 'my-super-pass';
	// Hash stored for this user in the database.
	$hash = $user->data->user_pass;
	if ( wp_check_password( $password, $hash ) ) {
		echo 'This is the user password';
	} else {
		echo 'Not his password.';
	}
}

Code of wp_check_password: wp-includes/pluggable.php VER 5.0.1

<?php
function wp_check_password($password, $hash, $user_id = '') {
	global $wp_hasher;

	// If the hash is still md5...
	if ( strlen($hash) <= 32 ) {
		$check = hash_equals( $hash, md5( $password ) );
		if ( $check && $user_id ) {
			// Rehash using new hash.
			wp_set_password($password, $user_id);
			$hash = wp_hash_password($password);
		}

		/**
		 * Filters whether the plaintext password matches the encrypted password.
		 *
		 * @since 2.5.0
		 *
		 * @param bool       $check    Whether the passwords match.
		 * @param string     $password The plaintext password.
		 * @param string     $hash     The hashed password.
		 * @param string|int $user_id  User ID. Can be empty.
		 */
		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
	}

	// If the stored hash is longer than an MD5, presume the
	// new style phpass portable hash.
	if ( empty($wp_hasher) ) {
		require_once( ABSPATH . WPINC . '/class-phpass.php');
		// By default, use the portable hash from phpass
		$wp_hasher = new PasswordHash(8, true);
	}

	$check = $wp_hasher->CheckPassword($password, $hash);

	/** This filter is documented in wp-includes/pluggable.php */
	return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}
