wp_hash_password() WP 2.5.0

Hashes the specified text to produce a password hash.

Creates a hash from plain text. The hash is different on every call: because a random salt is used, calling the function twice with the same text gives two different results. See example 1.

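The function can use the PasswordHash class (phpass), which is located in /wp-includes/class-phpass.php: before WP 6.8.0 it was the default hasher, and since 6.8.0 it is used only when the global $wp_hasher is set. PasswordHash can be configured, see example 2.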

Pluggable function — this function can be replaced by a plugin. This means it is defined only after all plugins have been loaded (included); before that point it does not exist. Therefore you cannot call it, or any function that depends on it, directly from plugin code. Call them on the plugins_loaded hook or later, for example on the init hook.

Function replacement (override) — in a must-use or regular plugin you can define a function with the same name, and it will replace this function.

1 time — 0.003847 sec (very slow) | 50000 times — 106.27 sec (extremely slow) | PHP 7.2.5, WP 4.9.8

Returns

String. The hash string of the password.

Usage

wp_hash_password( $password );

Examples

#1 Function operation example

echo wp_hash_password( 'my_pass' ); //> $P$B1tp3GD53ykbIGC4hf84pvbEjSUloq.

// hash the same password again: the result is different
echo wp_hash_password( 'my_pass' ); //> $P$Bu3CWn/Y0zTG8IXJ8ee9yiT715tWxG/

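#2 Set the global variable $wp_hasher to create a password hash with the required parameters:

require_once ABSPATH . WPINC . '/class-phpass.php';
global $wp_hasher;
// 16 = iteration count (log2), FALSE = do not restrict to portable hashes.
$wp_hasher = new PasswordHash( 16, FALSE );
$hashedPassword = wp_hash_password( $password );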

#3 Compare a hashed password with a plain-text one

require_once ABSPATH . WPINC . '/class-phpass.php';

$wp_hasher = new PasswordHash( 8, TRUE );

$password_hashed = '$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/';
$plain_password  = 'test';

if( $wp_hasher->CheckPassword($plain_password, $password_hashed) ) {
	echo "The passwords match";
}
else {
	echo "The password is not correct";
}

Notes

  • Global. PasswordHash. $wp_hasher phpass object.

Changelog

Since 2.5.0 Introduced.
Since 6.8.0 The password is now hashed using bcrypt by default instead of phpass.

wp_hash_password() code WP 6.8.1

function wp_hash_password(
	#[\SensitiveParameter]
	$password
) {
	global $wp_hasher;

	if ( ! empty( $wp_hasher ) ) {
		return $wp_hasher->HashPassword( trim( $password ) );
	}

	if ( strlen( $password ) > 4096 ) {
		return '*';
	}

	/**
	 * Filters the hashing algorithm to use in the password_hash() and password_needs_rehash() functions.
	 *
	 * The default is the value of the `PASSWORD_BCRYPT` constant which means bcrypt is used.
	 *
	 * **Important:** The only password hashing algorithm that is guaranteed to be available across PHP
	 * installations is bcrypt. If you use any other algorithm you must make sure that it is available on
	 * the server. The `password_algos()` function can be used to check which hashing algorithms are available.
	 *
	 * The hashing options can be controlled via the {@see 'wp_hash_password_options'} filter.
	 *
	 * Other available constants include:
	 *
	 * - `PASSWORD_ARGON2I`
	 * - `PASSWORD_ARGON2ID`
	 * - `PASSWORD_DEFAULT`
	 *
	 * @since 6.8.0
	 *
	 * @param string $algorithm The hashing algorithm. Default is the value of the `PASSWORD_BCRYPT` constant.
	 */
	$algorithm = apply_filters( 'wp_hash_password_algorithm', PASSWORD_BCRYPT );

	/**
	 * Filters the options passed to the password_hash() and password_needs_rehash() functions.
	 *
	 * The default hashing algorithm is bcrypt, but this can be changed via the {@see 'wp_hash_password_algorithm'}
	 * filter. You must ensure that the options are appropriate for the algorithm in use.
	 *
	 * @since 6.8.0
	 *
	 * @param array $options    Array of options to pass to the password hashing functions.
	 *                          By default this is an empty array which means the default
	 *                          options will be used.
	 * @param string $algorithm The hashing algorithm in use.
	 */
	$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );

	// Algorithms other than bcrypt don't need to use pre-hashing.
	if ( PASSWORD_BCRYPT !== $algorithm ) {
		return password_hash( $password, $algorithm, $options );
	}

	// Use SHA-384 to retain entropy from a password that's longer than 72 bytes, and a `wp-sha384` key for domain separation.
	$password_to_hash = base64_encode( hash_hmac( 'sha384', trim( $password ), 'wp-sha384', true ) );

	// Add a prefix to facilitate distinguishing vanilla bcrypt hashes.
	return '$wp' . password_hash( $password_to_hash, $algorithm, $options );
}
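
The bcrypt branch of the code above, reproduced outside WordPress as an added example (not WordPress core code; the demo_* function names are hypothetical). It shows why the HMAC-SHA384 pre-hash matters: bcrypt reads only the first 72 bytes of its input, so without the pre-hash two long passwords that share a 72-byte prefix are interchangeable.

```php
<?php
// Added example, not WordPress core code. The demo_* names are hypothetical.

// Pre-hash as in the bcrypt branch above: HMAC-SHA384 keyed with 'wp-sha384'.
// base64 gives 64 printable bytes: under bcrypt's 72-byte limit, no NUL bytes.
function demo_prehash( string $password ): string {
	return base64_encode( hash_hmac( 'sha384', trim( $password ), 'wp-sha384', true ) );
}

function demo_hash( string $password ): string {
	if ( strlen( $password ) > 4096 ) {
		return '*'; // Same length guard as the core function.
	}
	return '$wp' . password_hash( demo_prehash( $password ), PASSWORD_BCRYPT );
}

function demo_verify( string $password, string $hash ): bool {
	// Only '$wp'-prefixed hashes carry the pre-hash; reject everything else here.
	if ( strlen( $password ) > 4096 || 0 !== strncmp( $hash, '$wp', 3 ) ) {
		return false;
	}
	return password_verify( demo_prehash( $password ), substr( $hash, 3 ) );
}

// Constructed sample input: two 80-byte passwords sharing their first 72 bytes.
$a = str_repeat( 'x', 72 ) . 'AAAAAAAA';
$b = str_repeat( 'x', 72 ) . 'BBBBBBBB';

// Vanilla bcrypt drops everything past byte 72, so the wrong password is accepted.
$vanilla = password_hash( $a, PASSWORD_BCRYPT );
printf( "vanilla bcrypt accepts b for a: %s\n", var_export( password_verify( $b, $vanilla ), true ) );

// With the pre-hash the whole password feeds the HMAC, so only $a verifies.
$wp = demo_hash( $a );
printf( "prefixed hash accepts a: %s\n", var_export( demo_verify( $a, $wp ), true ) );
printf( "prefixed hash accepts b: %s\n", var_export( demo_verify( $b, $wp ), true ) );

// The '$wp' prefix keeps the value from being mistaken for a plain bcrypt hash.
printf( "password_verify on prefixed hash: %s\n", var_export( password_verify( $a, $wp ), true ) );
```

Code that verifies stored hashes directly with password_verify() has to strip the `$wp` prefix and apply the same pre-hash, otherwise every hash produced by the bcrypt branch fails to verify.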
vladlu 100vlad.lu
Editors: Kama 449