PHPackages                             arraypress/wp-hash-utils - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. arraypress/wp-hash-utils

ActiveLibrary[Security](/categories/security)

arraypress/wp-hash-utils
========================

A lean WordPress library for hashing, password security, data integrity, and verification

110PHP

Since Nov 27Pushed 7mo agoCompare

[ Source](https://github.com/arraypress/wp-hash-utils)[ Packagist](https://packagist.org/packages/arraypress/wp-hash-utils)[ RSS](/packages/arraypress-wp-hash-utils/feed)WikiDiscussions main Synced today

READMEChangelogDependenciesVersions (1)Used By (0)

WordPress Hash Utils
====================

[](#wordpress-hash-utils)

A lean WordPress library for hashing, password security, data integrity, and verification.

Installation
------------

[](#installation)

```
composer require arraypress/wp-hash-utils
```

Quick Start
-----------

[](#quick-start)

```
use ArrayPress\HashUtils\Hash;

// Password security
$hashed = Hash::password( $password );
$valid  = Hash::verify_password( $password, $stored_hash );

// Data integrity
$hash      = Hash::data( [ 'user_id' => 123, 'action' => 'purchase' ] );
$file_hash = Hash::file( '/path/to/file.zip' );

// WordPress nonces
$nonce = Hash::nonce( 'delete_post_' . $post_id );
$valid = Hash::verify_nonce( $_POST['nonce'], 'delete_post_' . $post_id );

// HMAC authentication
$signature = Hash::hmac( $api_data, $secret_key );
$authentic = Hash::verify_hmac( $api_data, $signature, $secret_key );
```

API
---

[](#api)

### Salt

[](#salt)

#### `get_salt(): string`

[](#get_salt-string)

Get combined WordPress salts for hashing.

### Password

[](#password)

#### `password( string $password ): string`

[](#password-string-password--string)

Hash passwords securely using WordPress methods.

#### `verify_password( string $password, string $hash ): bool`

[](#verify_password-string-password-string-hash--bool)

Verify password against hash (timing-safe).

### Data

[](#data)

#### `data( mixed $data, string $algo = 'sha256', string $salt = '' ): ?string`

[](#data-mixed-data-string-algo--sha256-string-salt----string)

Hash any data (arrays, objects, strings). Uses WordPress salt by default. Returns null for invalid algorithms.

#### `file( string $path, string $algo = 'sha256' ): ?string`

[](#file-string-path-string-algo--sha256--string)

Hash file contents. Returns null if file doesn't exist or isn't readable.

#### `attachment( int $id, string $algo = 'sha256' ): ?string`

[](#attachment-int-id-string-algo--sha256--string)

Hash WordPress attachment file by ID.

#### `cache_key( mixed $data, string $prefix = '' ): string`

[](#cache_key-mixed-data-string-prefix----string)

Generate cache keys from data: `Hash::cache_key( $query, 'posts' )` → `"posts_a1b2c3d4"`

### Nonce

[](#nonce)

#### `nonce( string $action ): string`

[](#nonce-string-action--string)

Create WordPress nonce for action verification.

#### `verify_nonce( string $nonce, string $action ): bool`

[](#verify_nonce-string-nonce-string-action--bool)

Verify WordPress nonce. Returns false for invalid/expired nonces.

### HMAC

[](#hmac)

#### `hmac( mixed $data, string $key = '', string $algo = 'sha256' ): ?string`

[](#hmac-mixed-data-string-key---string-algo--sha256--string)

Generate HMAC for message authentication. Uses WordPress salt if key is empty.

#### `verify_hmac( mixed $data, string $expected, string $key = '', string $algo = 'sha256' ): bool`

[](#verify_hmac-mixed-data-string-expected-string-key---string-algo--sha256--bool)

Verify HMAC (timing-safe comparison).

Common Use Cases
----------------

[](#common-use-cases)

```
// User authentication
$hashed = Hash::password( $user_password );
$valid  = Hash::verify_password( $input_password, $stored_hash );

// Form security
$nonce = Hash::nonce( 'update_profile' );
if ( Hash::verify_nonce( $_POST['nonce'], 'update_profile' ) ) {
    // Process form
}

// File integrity
$hash = Hash::file( $uploaded_file );
update_post_meta( $attachment_id, 'file_hash', $hash );

// API security
$signature = Hash::hmac( $request_data, $api_secret );
$headers   = [ 'X-Signature' => $signature ];

// Caching
$cache_key = Hash::cache_key( $complex_query_data, 'results' );
$cached    = get_transient( $cache_key );
```

Security Best Practices
-----------------------

[](#security-best-practices)

```
// ✅ Always verify nonces for sensitive actions
if ( ! Hash::verify_nonce( $_POST['nonce'], 'delete_post' ) ) {
    wp_die( 'Security check failed' );
}

// ✅ Use verify_hmac() for timing-safe comparisons
$valid = Hash::verify_hmac( $data, $signature, $key );

// ❌ Never use == for signature comparison (timing attack risk)
// if ( Hash::hmac( $data, $key ) == $signature ) { }
```

Supported Algorithms
--------------------

[](#supported-algorithms)

- **SHA-256** (default, recommended)
- **SHA-1**, **MD5** (legacy support)
- **SHA-512** (high security)
- All PHP `hash_algos()` supported

Requirements
------------

[](#requirements)

- PHP 7.4+
- WordPress 5.0+

License
-------

[](#license)

GPL-2.0-or-later

###  Health Score

18

—

LowBetter than 8% of packages

Maintenance45

Moderate activity, may be stable

Popularity7

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity13

Early-stage or recently created project

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Community

Maintainers

![](https://www.gravatar.com/avatar/cd6eb8aff0903d87eb674d1ba3c5f3653899c0d7661504eb0deb7798ed86b643?d=identicon)[arraypress](/maintainers/arraypress)

---

Top Contributors

[![arraypress](https://avatars.githubusercontent.com/u/22668877?v=4)](https://github.com/arraypress "arraypress (2 commits)")

### Embed Badge

![Health badge](/badges/arraypress-wp-hash-utils/health.svg)

```
[![Health](https://phpackages.com/badges/arraypress-wp-hash-utils/health.svg)](https://phpackages.com/packages/arraypress-wp-hash-utils)
```

###  Alternatives

[mews/purifier

Laravel 5/6/7/8/9/10 HtmlPurifier Package

2.0k18.7M143](/packages/mews-purifier)[paragonie/ecc

PHP Elliptic Curve Cryptography library

24820.0k38](/packages/paragonie-ecc)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
