PHPackages onepress/wp-password-bcrypt - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. onepress/wp-password-bcrypt ActiveLibrary[Security](/categories/security) onepress/wp-password-bcrypt =========================== WordPress plugin which replaces wp\_hash\_password and wp\_check\_password's phpass hasher with PHP 5.5's password\_hash and password\_verify using bcrypt. v1.0.0(2y ago)016MITPHPPHP >=5.6.0 Since May 3Pushed 2y ago1 watchersCompare [ Source](https://github.com/oneweb-vn/wp-password-bcrypt)[ Packagist](https://packagist.org/packages/onepress/wp-password-bcrypt)[ RSS](/packages/onepress-wp-password-bcrypt/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (1)Dependencies (6)Versions (2)Used By (0) **Drop-in bcrypt password hashing for WordPress** Built with ❤️ Supporting ---------- [](#supporting) **wp-password-bcrypt** is an open source project and completely free to use. Overview -------- [](#overview) wp-password-bcrypt is a WordPress plugin to replace WP's outdated and insecure MD5-based password hashing with the modern and secure [bcrypt](https://en.wikipedia.org/wiki/Bcrypt). This plugin requires PHP >= 5.5.0 which introduced the built-in [`password_hash`](http://php.net/manual/en/function.password-hash.php) and [`password_verify`](http://php.net/manual/en/function.password-verify.php) functions. Requirements ------------ [](#requirements) - PHP >= 5.5.0 - WordPress >= 4.4 (see ) Installation ------------ [](#installation) This plugin is a Composer library so it can be installed in a few ways: #### Composer Autoloaded [](#composer-autoloaded) `composer require onepress/wp-password-bcrypt` `wp-password-bcrypt.php` file will be automatically autoloaded by Composer and it *won't* appear in your plugins. #### Manually as a must-use plugin [](#manually-as-a-must-use-plugin) If you don't use Composer, you can manually copy `wp-password-bcrypt.php` into your `mu-plugins` folder. We **do not** recommend using this as a normal (non-mu) plugin. It makes it too easy to disable or remove the plugin. The Problem ----------- [](#the-problem) WordPress still uses an MD5 based password hashing scheme. They are effectively making 25% of websites more insecure because they refuse to bump their minimum PHP requirements. By continuing to allow EOL PHP versions back to 5.2, they can't use newer functions like `password_hash`. This is a [known](https://core.trac.wordpress.org/ticket/21022) problem which WordPress has ignored for over 4 years now. Not only does WordPress set the insecure default of MD5, they don't do any of the following: - document this issue - provide instructions on how to fix it and make it more secure - notify users on newer PHP versions that they *could* be more secure What's wrong with MD5? Really simply: it's too cheap and fast to generate cryptographically secure hashes. The Solution ------------ [](#the-solution) WordPress did at least one good thing: they made `wp_check_password` and `wp_hash_password` [pluggable](https://codex.wordpress.org/Pluggable_Functions) functions. This means we can define these functions in a plugin and "override" the default ones. This plugin plugs in 3 functions: - `wp_check_password` - `wp_hash_password` - `wp_set_password` #### `wp_hash_password` [](#wp_hash_password) This function is the simplest. This plugin simply calls `password_hash` instead of WP's default password hasher. The `wp_hash_password_options` filter is available to set the [options](http://php.net/manual/en/function.password-hash.php) that `password_hash` can accept. #### `wp_check_password` [](#wp_check_password) At its core, this function just calls `password_verify` instead of the default. However, it also checks if a user's password was *previously* hashed with the old MD5-based hasher and re-hashes it with bcrypt. This means you can still install this plugin on an existing site and everything will work seamlessly. The `check_password` filter is available just like the default WP function. #### `wp_set_password` [](#wp_set_password) This function is included here verbatim but with the addition of returning the hash. The default WP function does not return anything which means you end up hashing it twice for no reason. ### Health Score 19 — LowBetter than 10% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity6 Limited adoption so far Community7 Small or concentrated contributor base Maturity36 Early-stage or recently created project Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 745d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/16c7b298273d76cebe4c4f544524e5789347abc5b0bb46fe7f491f60c38442f8?d=identicon)[onepress](/maintainers/onepress) --- Top Contributors [![onetechco](https://avatars.githubusercontent.com/u/78303085?v=4)](https://github.com/onetechco "onetechco (1 commits)") --- Tags wordpresspasswordsbcrypt ### Code Quality TestsPHPUnit Code StylePHP\_CodeSniffer ### Embed Badge ![Health badge](/badges/onepress-wp-password-bcrypt/health.svg) ``` [![Health](https://phpackages.com/badges/onepress-wp-password-bcrypt/health.svg)](https://phpackages.com/packages/onepress-wp-password-bcrypt) ``` ### Alternatives [jeremykendall/password-validator Password Validator validates password\_hash generated passwords, rehashes passwords as necessary, and will upgrade legacy passwords. 14469.9k3](/packages/jeremykendall-password-validator)[elnur/blowfish-password-encoder-bundle Blowfish (bcrypt) based password encoder for Symfony2 61129.6k](/packages/elnur-blowfish-password-encoder-bundle)[brain/nonces OOP package for WordPress to deal with nonces. 26227.1k1](/packages/brain-nonces)[ammardev/laravel-wp-hash-driver Supports Wordpress passwords hashing and checking in Laravel's Hash facade. 169.3k](/packages/ammardev-laravel-wp-hash-driver)[defuse/php-passgen PHP Random Password Generator Library 4017.7k](/packages/defuse-php-passgen)[paragonie/passwdqc Password/passphrase strength checking and enforcement 3815.1k1](/packages/paragonie-passwdqc) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)