[wp-hackers] Should password hashing portability be configurable?

Harry Metcalfe harry at dxw.com
Wed Nov 7 14:18:35 UTC 2012

I've been investigating switching the sites we host to bcrypt, rather 
than MD5, which is the default. That MD5 is the default is regrettable 
but understandable given WordPress's need to remain portable. I 
understand that if the site was moved to a server without bcrypt 
support, those accounts would no longer be accessible. However, if that 
is not a consideration, it would surely be better for people to use 
bcrypt than MD5.

I was going to make change on our sites by switching the portable flags 
in wp_check_password and wp_hash_password to false, after moving those 
functions into a plugin. This makes new passwords bcrypt and maintains 
backwards compatibility for passwords hashed using MD5. However, it 
misses the hashes which are created for password-protected posts, which 
happens in a function that is not pluggable.

I've therefore created a global $wp_hasher instance (without 
portability) in a plugin, which I think should get called before 
WordPress has a chance to make it.


 1. Is that right? Is there a scenario where WordPress will make a
    wp_hasher before my mu plugin gets loaded, thereby preventing
    someone from logging in?
 2. Is it worth adding a WP_UNPORTABLE_PASSWORDS define so that people
    who want to make the switch can do so without having to fiddle with


More information about the wp-hackers mailing list