With all of the talk of online security lately, a particular message in my inbox caught my attention:

I want know about WordPress’ password encryption method; is it possible to change or replace it with another encryption method like MD5?

This is a heavy question, and rather than giving a simple yes/no answer, I want to supply a bit of detail regarding WordPress and passwords.

Password Hashing

WordPress doesn’t ever store user passwords as plain text – I would highly suspect any that would.  This is the primary reason why, if you lose your password, you need to reset it rather than just have WordPress email your password to you.

Since WordPress doesn’t store your password, even if your database is hacked, the attacker won’t know what your original password was.  This is because the stored password is hashed.

When a password is supplied for authentication, the authentication will add a bit of “salt” to make the string much longer and more complex.  Then, it applies a cryptographic algorithm to the final string to create a one-way hash.

A specific plain text string will always generate the same hash. There is no way, however, to convert a given hash back to its plain text equivalent.

Different hashing algorithms have differing levels of security based on the relative sizes of the hash strings generated.  Some (like SHA-2) are widely accepted as being secure – meaning they haven’t been successfully exploited (yet).

Others (like MD5) have been broken for a while, are known to be insecure, and are generally frowned upon for use in securing applications.

WordPress’ Systems

WordPress stores its cryptographic salts (strings used to lengthen plain text strings before hashing) in the global wp-config.php file. These salts are unique for every installation and, if ever compromised, can be readily re-generated and replaced.

WordPress uses an open source library, the Portable PHP password hashing framework, to generate hashed strings using several available algorithms.

Once upon a time, WordPress used MD5 to hash stored passwords.  As the application has grown, we’ve replaced that method with a more secure Blowfish algorithm.

To prevent breaking backwards compatibility, MD5-hashed passwords stored in the database are still valid.  When a user logs in with such a password, WordPress detects MD5 was used, rehashes the password using the more secure method, and stores the new hash in the database.

Plugging Your Own

If for some reason you absolutely must implement your own hashing algorithm, WordPress makes it pretty eash.

Both wp_hash_password() and wp_check_password are part of WordPress’ pluggables file.  Simply define your own version of each function (i.e. in a plugin) and WordPress will use your version instead of the one that ships with core.

Just please please please do not replace these functions with a simple MD5 hash. MD5 is insecure (and many hackers likely have a rainbow table of potential passwords to use in an attack against your site already); WordPress moved away from it for a reason.

Send a Message