jazzman/wp-password-argon
=========================

Securely store WordPress user passwords in database with Argon2i hashing and SHA-512 HMAC using PHP's native functions.

0.2.0 (6mo ago) · MIT · PHP ^7.4|^8.1

[Source](https://github.com/Jazz-Man/wp-password-argon) · [Packagist](https://packagist.org/packages/jazzman/wp-password-argon)

WP Password Argon
=================

> Enhance WordPress security by replacing outdated MD5 password hashing with modern Argon2i hashing

The Problem
-----------

WordPress still uses **MD5-based password hashing** (via PHPass), an algorithm from 2001 that's considered weak by modern security standards. While adequate for its time, MD5 is vulnerable to:

- ⚠️ Brute force attacks (fast to compute)
- ⚠️ Rainbow table attacks
- ⚠️ GPU-accelerated cracking

The Solution
------------

This must-use plugin replaces WordPress's password hashing system with:

- ✅ **Argon2i** - Winner of Password Hashing Competition (2015)
- ✅ **SHA-512 HMAC** - Additional layer of protection
- ✅ **Automatic migration** - Rehashes old passwords on login
- ✅ **Zero configuration** - Drop in and forget
- ✅ **Backward compatible** - Works with existing WordPress user system

Key Features
------------

### 🔐 Modern Cryptography

- **Argon2i algorithm** - Memory-hard hashing designed to resist GPU attacks
- **SHA-512 HMAC** - Adds salt-based message authentication
- **Native PHP functions** - No external dependencies, uses PHP's `password_hash()`

### 🔄 Seamless Migration

- Automatically detects old MD5 hashes
- Rehashes passwords when users login
- No manual migration needed
- Maintains backward compatibility during transition

### 🎯 Drop-in Replacement

- Overrides core WordPress functions: `wp_hash_password()`, `wp_check_password()`, `wp_set_password()`
- Works as **must-use plugin** (loads before regular plugins)
- Supports Application Passwords (WordPress 5.6+)
- No configuration required

### ⚡ Performance

- Minimal overhead compared to MD5
- Argon2i parameters can be customized via filter
- Efficient rehashing on authentication

Installation
------------

### Via Composer (Recommended)

```
composer require jazzman/wp-password-argon
```

The package installs automatically to `wp-content/mu-plugins/wp-password-argon/` via Composer Installers.

### Manual Installation

1. Download the latest release
2. Upload to `wp-content/mu-plugins/wp-password-argon/`
3. That's it! No activation needed (must-use plugins auto-load)

How It Works
------------

### Password Hashing Flow

```
User enters password
    ↓
SHA-512 HMAC with WordPress salt
    ↓
Argon2i hashing with memory cost
    ↓
Stored in database
```

### Authentication Flow

```
User login attempt
    ↓
Check if password uses Argon2i
    ↓
├─ Yes → Verify with password_verify()
└─ No (old MD5) → Verify with PHPass
                 → Rehash with Argon2i
                 → Update database
```
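The two flows above, sketched as an added example (not the plugin's own code): an HMAC-SHA512 pre-hash feeding Argon2i, and a check that falls back to a legacy verifier and returns a replacement hash on success. `DEMO_HMAC_KEY`, the `demo_*` functions and the unsalted-MD5 legacy verifier are hypothetical stand-ins for the WordPress salt, the overridden core functions and PHPass.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the WordPress salt used as the HMAC key (assumption).
const DEMO_HMAC_KEY = 'constructed-demo-key';

// Step 1 of the hashing flow: HMAC-SHA512 of the password. The hex output
// keeps NUL bytes away from password_hash().
function demo_prehash(string $password): string
{
    return hash_hmac('sha512', $password, DEMO_HMAC_KEY);
}

// Step 2: Argon2i over the pre-hash; $options takes memory_cost, time_cost, threads.
function demo_hash(string $password, array $options = []): string
{
    return password_hash(demo_prehash($password), PASSWORD_ARGON2I, $options);
}

// Returns [verified, replacementHash]; replacementHash is non-null when the
// caller should overwrite the stored value.
function demo_check(string $password, string $stored, callable $legacyVerify, array $options = []): array
{
    if (password_get_info($stored)['algoName'] === 'argon2i') {
        if (!password_verify(demo_prehash($password), $stored)) {
            return [false, null];
        }
        $stale = password_needs_rehash($stored, PASSWORD_ARGON2I, $options);
        return [true, $stale ? demo_hash($password, $options) : null];
    }
    // Legacy record: verify with the old scheme, upgrade only on success.
    return $legacyVerify($password, $stored)
        ? [true, demo_hash($password, $options)]
        : [false, null];
}

// Constructed legacy verifier: unsalted MD5 stands in for the PHPass check.
$legacy = static fn (string $p, string $h): bool => hash_equals($h, md5($p));

$stored = md5('correct horse');                       // constructed legacy record
[$ok, $upgraded] = demo_check('correct horse', $stored, $legacy);
var_dump($ok, password_get_info($upgraded)['algoName']);

[$ok2, $again] = demo_check('correct horse', $upgraded, $legacy);
var_dump($ok2, $again);                               // second login needs no rewrite

[$ok3] = demo_check('wrong guess', $upgraded, $legacy);
var_dump($ok3);
```

Because the HMAC key is part of the Argon2i input in this sketch, changing that key makes every stored hash unverifiable, and records are only upgraded when their owner next logs in.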

Configuration
-------------

The plugin works out-of-the-box with secure defaults. To customize Argon2i parameters:

```
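// Override the Argon2i cost parameters; PHP's default constants are shown here.
add_filter('wp_hash_password_options', function() {
    return [
        'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST, // memory in KiB
        'time_cost'   => PASSWORD_ARGON2_DEFAULT_TIME_COST,   // number of iterations
        'threads'     => PASSWORD_ARGON2_DEFAULT_THREADS,     // degree of parallelism
    ];
});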
```

Security Benefits
-----------------

| Aspect | MD5 (WordPress default) | Argon2i (This plugin) |
|---|---|---|
| **Algorithm Age** | 1992 (33 years old) | 2015 (10 years old, current best practice) |
| **Cracking Speed** | Very fast | Slow (memory-hard) |
| **GPU Resistance** | ❌ Weak | ✅ Strong |
| **Rainbow Tables** | ❌ Vulnerable | ✅ Resistant |
| **OWASP Recommended** | ❌ No | ✅ Yes |

Requirements
------------

- **PHP**: 7.4+ or 8.1+ (PHP 8+ recommended)
- **WordPress**: 5.2+
- **PHP Extensions**:
    - `sodium` (usually bundled with PHP 7.2+)
    - No additional extensions needed

Under The Hood
--------------

### Quality Tooling

This package maintains high code quality standards:

```
# Static Analysis
composer phpstan        # PHPStan max level
composer psalm          # Psalm strict mode

# Code Style
composer cs-check       # Check PSR-12 compliance
composer cs-fix         # Auto-fix code style

# Baseline Management
composer update-baseline # Update analysis baselines
```

### Tech Stack

- **Static Analysis**: PHPStan (max level), Psalm
- **Code Style**: PHP CS Fixer with custom rules (`jazzman/php-cs-fixer-rules`)
- **Security Auditing**: Roave Security Advisories
- **Type Safety**: WordPress stubs for IDE support

### Package Configuration

- **Type**: `wordpress-muplugin` (auto-installs to mu-plugins)
- **License**: MIT
- **Optimizations**: APCu autoloader, optimized autoloader, authoritative classmap

FAQ
---

**Q: Will this break my existing WordPress site?**
A: No. The plugin is backward compatible. Old passwords work during the transition period and are automatically upgraded on user login.

**Q: What happens if I remove the plugin?**
A: Users with Argon2i passwords won't be able to login. Recommendation: Keep the plugin installed once deployed.

**Q: Does this work with multisite?**
A: Yes. Install as network-wide must-use plugin.

**Q: Performance impact?**
A: Minimal. Argon2i is slightly slower than MD5, but this is intentional (security vs. speed trade-off). Typical impact: <100ms per authentication.

**Q: Can I migrate back to MD5?**
A: Technically possible but **strongly discouraged** for security reasons. Once passwords are hashed with Argon2i, they should stay that way.

Why This Matters
----------------

**Real-world impact:**

- WordPress powers 43% of the web
- Over 455 million websites use WordPress
- Default MD5 hashing leaves millions of sites vulnerable
- This plugin provides enterprise-grade security with zero effort

**Recommended by:**

- ✅ OWASP (Open Web Application Security Project)
- ✅ NIST (National Institute of Standards and Technology)
- ✅ PHP Security Best Practices

Related Packages
----------------

Part of the **jazzman WordPress ecosystem**:

- [`jazzman/wp-performance`](https://github.com/Jazz-Man/wp-performance) - Performance & security optimizations
- [`jazzman/wp-object-cache`](https://github.com/Jazz-Man/wp-object-cache) - PSR-16 object caching
- [`jazzman/wp-nav-menu-cache`](https://github.com/Jazz-Man/wp-nav-menu-cache) - Navigation menu caching

License
-------

MIT License - see [LICENSE](LICENSE) file for details.

Author
------

**Vasyl Sokolyk**

- GitHub: [@Jazz-Man](https://github.com/Jazz-Man)
- LinkedIn: [vasyl5](https://www.linkedin.com/in/vasyl5/)

---

Support & Contributing
----------------------

Found a bug? Have a feature request? Open an issue on GitHub.

**Security vulnerabilities**: Please email  directly rather than opening a public issue.

---

**⭐ If this plugin improved your WordPress security, please star the repo!**
