wp_check_password() WP 2.5.0

Checks the plaintext password against the hashed password.

The $hash parameter is the hashed password string (as stored in the database), and the $password parameter is the plaintext password. The function hashes the supplied plaintext password with the same scheme that produced $hash and compares the result with $hash; if they match, the function returns true.

For integration with other applications, this function can be overridden to use the password-checking algorithm of the other package instead.

Maintains compatibility between the old version and the new cookie authentication protocol using the PHPass library.

Pluggable function: this function can be replaced from a plugin. This means the function is defined (and usable) only after all plugins have been loaded (included); before that moment it is not defined. Therefore you cannot call it, or any function that depends on it, directly from plugin code at include time. Such calls must be made on the plugins_loaded hook or later, for example on the init hook.

Function replacement (override): in a must-use or regular plugin you can define a function with the same name, and it will replace this function.

1 time — 0.002451 sec (very slow) | 50000 times — 124.36 sec (extremely slow) | PHP 7.1.2, WP 4.7.5
Hooks from the function

  • check_password (filter)

Returns

true|false. False if $password does not match the hashed password.

Usage

wp_check_password( $password, $hash, $user_id );

Examples

#1 Check the user password

Let's say we have a password in plain text and we need to find out whether this password is the password of the user with ID 3:

$user = get_userdata( 3 );
if ( $user ) {
	$password = 'my-super-pass';
	$hash     = $user->data->user_pass; // stored hash from the users table
	if ( wp_check_password( $password, $hash ) ) {
		echo 'This is the user password';
	} else {
		echo 'Not the user password.';
	}
}

Notes

  • Global. PasswordHash $wp_hasher: phpass object. Used as a fallback for verifying passwords that were hashed with phpass.

Changelog

Since 2.5.0 Introduced.
Since 6.8.0 Passwords in WordPress are now hashed with bcrypt by default. A password that wasn't hashed with bcrypt will be checked with phpass.

wp_check_password() code WP 6.8.1

function wp_check_password(
	#[\SensitiveParameter]
	$password,
	$hash,
	$user_id = ''
) {
	global $wp_hasher;

	if ( strlen( $hash ) <= 32 ) {
		// Check the hash using md5 regardless of the current hashing mechanism.
		$check = hash_equals( $hash, md5( $password ) );
	} elseif ( ! empty( $wp_hasher ) ) {
		// Check the password using the overridden hasher.
		$check = $wp_hasher->CheckPassword( $password, $hash );
	} elseif ( strlen( $password ) > 4096 ) {
		// Passwords longer than 4096 characters are not supported.
		$check = false;
	} elseif ( str_starts_with( $hash, '$wp' ) ) {
		// Check the password using the current prefixed hash.
		$password_to_verify = base64_encode( hash_hmac( 'sha384', $password, 'wp-sha384', true ) );
		$check              = password_verify( $password_to_verify, substr( $hash, 3 ) );
	} elseif ( str_starts_with( $hash, '$P$' ) ) {
		// Check the password using phpass.
		require_once ABSPATH . WPINC . '/class-phpass.php';
		$check = ( new PasswordHash( 8, true ) )->CheckPassword( $password, $hash );
	} else {
		// Check the password using compat support for any non-prefixed hash.
		$check = password_verify( $password, $hash );
	}

	/**
	 * Filters whether the plaintext password matches the hashed password.
	 *
	 * @since 2.5.0
	 * @since 6.8.0 Passwords are now hashed with bcrypt by default.
	 *              Old passwords may still be hashed with phpass or md5.
	 *
	 * @param bool       $check    Whether the passwords match.
	 * @param string     $password The plaintext password.
	 * @param string     $hash     The hashed password.
	 * @param string|int $user_id  Optional ID of a user associated with the password.
	 *                             Can be empty.
	 */
	return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}
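As an added example that is not WordPress core code, the following PHP mirrors the branch selection in the code above so that stored user_pass values can be audited for legacy schemes (useful after the 6.8 change to bcrypt), and exercises the $wp branch end to end. The function names are hypothetical, the sample rows are constructed, and the phpass branch is omitted because it depends on class-phpass.php.

```php
<?php
// Added example, not WordPress core code. Mirrors the dispatch that
// wp_check_password() performs on the stored hash so an administrator can
// audit which scheme each users.user_pass value uses. Function names are
// hypothetical. Assumes PHP >= 8.0 (str_starts_with, match).

function wp_hash_scheme( string $hash ): string {
	if ( strlen( $hash ) <= 32 ) {
		return 'md5';       // unsalted MD5 from very old installs
	}
	if ( str_starts_with( $hash, '$wp' ) ) {
		return 'wp-bcrypt'; // WP 6.8+: bcrypt over an HMAC-SHA384 pre-hash
	}
	if ( str_starts_with( $hash, '$P$' ) ) {
		return 'phpass';    // portable phpass hash, WP 2.5 to 6.7
	}
	return 'native';        // unprefixed hash handled by password_verify()
}

// The "$wp" branch pre-hashes the password to a fixed 64-character base64
// string, so bcrypt's 72-byte input limit never truncates a long passphrase.
function wp_prehash( string $password ): string {
	return base64_encode( hash_hmac( 'sha384', $password, 'wp-sha384', true ) );
}

// Build a hash in the 6.8 format for the demo ("$wp" followed by bcrypt).
function wp_demo_hash( string $password ): string {
	return '$wp' . password_hash( wp_prehash( $password ), PASSWORD_BCRYPT );
}

function wp_demo_check( string $password, string $hash ): bool {
	if ( strlen( $password ) > 4096 ) {
		return false; // same hard limit as core
	}
	return match ( wp_hash_scheme( $hash ) ) {
		'md5'       => hash_equals( $hash, md5( $password ) ),
		'wp-bcrypt' => password_verify( wp_prehash( $password ), substr( $hash, 3 ) ),
		'native'    => password_verify( $password, $hash ),
		default     => false, // phpass: needs class-phpass.php, out of scope
	};
}

// Constructed sample rows: count how many users still sit on a legacy scheme.
$stored = [
	md5( 'legacy' ),
	'$P$B' . str_repeat( 'x', 30 ), // shape of a phpass hash, not a real one
	wp_demo_hash( 'correct horse' ),
];
print_r( array_count_values( array_map( 'wp_hash_scheme', $stored ) ) );
var_dump( wp_demo_check( 'correct horse', $stored[2] ) );
var_dump( wp_demo_check( 'wrong', $stored[2] ) );
```

Running wp_hash_scheme() over the real users table shows which accounts are still on md5 or phpass and have not logged in since the bcrypt change; those hashes are only upgraded once the user authenticates successfully.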