Did you know that WordPress accepts md5 but uses its own encryption for passwords?

WordPress has two ways of validating passwords when logging in. It supports MD5 and its own encryption.

Yes, you can insert md5 password direct in database and it will understand. But when you use an md5 password it will automatically authenticate and update you password to the most recent encryption.

In version 2.5.0 released on March 27, 2008 was created responsible class for the new encryption, called PasswordHash using phpass package by solar at openwall.com.

With new implementation of class and to continue supporting the old authentication form using md5 the wp_check_password method was created to identify the two types of passwords.

This is the method that does the validation with md5 or goes to the modern method.

function wp_check_password( $password, $hash, $user_id = '' ) {

   global $wp_hasher;

   // If the hash is still md5...
   if ( strlen( $hash ) <= 32 ) {
      $check = hash_equals( $hash, md5( $password ) );
      if ( $check && $user_id ) {
         // Rehash using new hash.
         wp_set_password( $password, $user_id );
         $hash = wp_hash_password( $password );

      return apply_filters( 'check_password', $check, $password, $hash, $user_id );

   if ( empty( $wp_hasher ) ) {
      // By default, use the portable hash from phpass
      $wp_hasher = new PasswordHash( 8, true );

   $check = $wp_hasher->CheckPassword( $password, $hash );

   /** This filter is documented in wp-includes/pluggable.php */
   return apply_filters( 'check_password', $check, $password, $hash, $user_id );

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top