WordPress Hash Passwords: How Does It Work?

The popularity of WordPress as a Content Management System (CMS) continues to soar, with around 40% of website owners choosing it as their platform. However, there are some who question the security of WordPress, particularly when it comes to hashing users’ passwords. In this article, we will explore the mechanism behind WordPress’s password hashing and address any concerns.

What is Hashing?

As a website owner, protecting your users’ data from hackers is paramount. Storing passwords securely is a crucial part of this process. Hashing, a cryptographic function, is used to transform plain text passwords into scrambled strings of letters and numbers called hashes.

When a user sets a password, WordPress passes it through a hashing function before storing the resulting hash in the database. During login attempts, the entered password undergoes the same hashing process and is compared to the stored hash in the database. If they match, the user is granted access; otherwise, an error message is displayed.

The Strength of WordPress’s Hashing Mechanism

One-way function is a defining characteristic of hashing, making it theoretically impossible to reverse the process and retrieve the original password from the hash. However, not all hashing algorithms offer the same level of security.

Researcher Jeremi Gosney conducted experiments on different hashing algorithms to test their vulnerability to brute-force attacks. In his tests, Gosney discovered that the MD5 algorithm could be cracked in approximately 9 hours, while SHA1 took about 27 hours. On the other hand, the bcrypt algorithm would take around 2,700 years to crack.

Surprisingly, WordPress initially used MD5 for its password hashing. However, since the release of WordPress 2.5 in 2008, it has incorporated PHPass, a framework that supports multiple hashing algorithms, including bcrypt. Although WordPress still operates on MD5, PHPass adds cryptographic salts, performs eight passes of MD5-based hashing, and employs stretching techniques to enhance security. Thus, brute-force attacks against WordPress’s hashing mechanism are currently impractical.

Why Does WordPress Continue to Use MD5?

Despite the availability of more secure algorithms like bcrypt, WordPress has not made changes to its hashing mechanism. The reluctance to switch primarily stems from backward compatibility. WordPress aims to run on various hosting platforms, including outdated ones. Therefore, altering the hashing mechanism could potentially impact a significant number of projects, compromising security.

However, for website owners who prioritize security, there are alternatives available. You can use plugins that allow you to replace WordPress’s MD5-based hashing with bcrypt. These plugins can be found in the official WordPress plugin directory, ensuring a simple and efficient transition.

Change Your WordPress Website’s Hashing Algorithm With a Plugin

Thanks to WordPress’s modular architecture, changing the password storage system is straightforward. Several plugins are designed to facilitate the switch from MD5 to bcrypt without requiring users to reset their passwords. Roots.io also offers a plugin that enables the use of bcrypt, albeit through a different installation process.

By downloading the plugin from GitHub, creating a new directory inside the wp-content folder, and uploading the wp-password-bcrypt.php file, you can implement a stronger hashing algorithm for your WordPress website.

Conclusion

While WordPress’s current password storage system is based on MD5, which is considered less secure, it still provides adequate security for websites and their visitors. WordPress’s flexibility allows you to easily switch to a more sophisticated password hashing algorithm using plugins. Ultimately, WordPress remains the most popular CMS due to its versatility, ease of use, and the ability to adapt to various hosting platforms.