Ayesh Karunaratne: Full-time traveler, freelance software architect and security researcher
Sun, 2018-10-21 12:25
WordPress is a beast, powering over 30% of the entire web. This is a massive achievement by any means, but I have ranted about WordPress choosing its end users over developers. Many people know me as a Drupal developer, but I'm a WordPress core contributor as well, and it's shameless-self-plug-o'-time.
WordPress is using a mix of MD5 and PHPass PHP library to hash its user passwords. MD5 is terribly insecure these days, and PHPass is not quite good either. PHP 5.5 (which was released back in 2013) introduced a new secure password hashing mechanism that is supposed to keep up to date with latest security improvements. WordPress has a compatibility practice that they try to make WordPress support oldest PHP version your memory serves. As of WordPress 4.9, even PHP 5.2 is supported, which was released in 2006 (that's 12 years, or practically forever in web development years), and it is huge barrier to improve WordPress code base.
For those who are using PHP 5.5 and later versions, I have created a simple plugin that swaps this insecure password hashing mechanism with PHP's
password_* class of password hashing. This is future-proof, secure, and supports bcrypt & Argon2 as password hashing backends. Argon2 support is in the works and will be released with version 1.6. I already have an accompanying Drupal module too.
Simple and Straight-forward
This is probably one of the smallest plugins you'd ever find. There is no administration back-end. Just install the plugin, and it will get to work! Behind the scenes, this plugin registers a few functions that WordPress expects a guest password hashing mechanism to register.
If there are other modules doing the same, or if the plugin could not register itself as the password hashing mechanism (and only then), you will see a notice in your admin dashboard. In any other case, the plugin is silent and does its job well.
There exists a similar plugin, WP-Password-Bcrypt, that does something similar. However, that plugin does not automatically upgrade the password hashing algorithm to newer ones available.
- BCrypt: Widely used password hashing algorithm. Supported with Password Hash Plugin all versions + PHP 5.5 and later
- Argon2I: GPU-resistant hashing algorithm uses data-depending memory access. Supported with Password Hash Plugin version 1.6 + PHP 7.2
- Argon2ID: A combination of
Argon2D, and suitable for password hashing because its GPU-resistant nature and data-dependent memory access. Supported with Password Hash Plugin version 1.6 + PHP 7.3
Note that Argon2-provided
Argon2D is not supported because it's not suitable for password hashing.
Secure by default
This plugin will use the highest level of security available in the current environment. PHP 5.5 is the minimum requirement, but if you are running PHP 7.2 or 7.3, you will get even better algorithms!
Seamlessly upgrade existing users
Once you install this plugin, your users can still login. If the password is stored with an older hashing algorithm, the hash will be silently updated. This will not disrupt the user-login at all. That said, note that once you install the plugin, the password hashes will remain in their older hashing algorithm until the user logs in next time. You can force a mass password reset, but that's out of the scope of this plugin.
If you are using a Composer-based workflow in your WordPress development, you can easily install the plugin from the command below.
composer require ayesh/wordpress-password-hash
Pay it forward!
If you find the plugin helpful, please rate and leave a review. If you have friends using WordPress, may I suggest you that you share this post with them. Password hashing is not something we talk about every day, and this plugin hardly adds any load to your (or your friends) web sites but can save you a lot hassle if you site is hacked.