How secure is the WordPress password’s algorithm?

Update password's algorithm to protect your WordPress site

When WordPress is installed, a system administrator user is created, whose credentials are saved in the wp-users table of the WordPress database.

If you check into wp-users table, using mysql command line or phpmyadmin, you will see that the plain text password entered for the administrator user has been replaced by a sequence, starting with a 4 character pattern ($P$B), of numbers, letters and random characters.

Saving the user’s password in the database

At the time of user’s registration, the password is combined with a random sequence of 64 characters called “salt” to then be processed by a hashing cryptographic procedure and finally saved in wp-users table along with user’s name and other additional data.

Password verification at login

During login procedure, password entered by the user is combined with the salt stored in the database, then processed by a further hashing procedure and the result is compared with the hash stored in the database.
If the sequences match perfectly, access to system is granted, otherwise it is denied.

Hash type

The hash function is a cryptographic function capable of mapping a random string (character sequence) into a new string of predefined length.

One of the most important peculiarities of this function, is the irreversibility, i.e. the inability to trace the initial string from the final string, unlike the encryption that allows you to trace the initial text through the use of cryptographic keys (public and private).

To produce hash strings, it is necessary to use cryptographic algorithms.
WordPress system uses, since the first versions, the MD5 algorithm (Message Digest 5) invented by Prof. Ronald Rivest of MIT in 1991.

However, today the MD5 algorithm is no longer considered safe, since in 2004 Chinese researchers managed to obtain a “collision” (when different strings produce an identical hash) making the algorithm no longer totally safe.

To strengthen the vulnerabilities of the MD5 algorithm, WordPress developers from version 2.5  (March 2008) onwards, included a password management framework (Portable PHP Password Hashing Framework, developed by Openwall) that uses MD5 algorithm, combined however with a 64 characters salt and a greater number of iterations or rounds (8) during hashing process.

How to further improve password’s security

Today, among the most secure algorithms, there are two algorithms: bcrypt (derived from Blowfish, used by default in Unix-like BSD systems), and Argon2 considered more secure than bcrypt.

In WordPress plugin’s repository, there are a few plugins that allow you to implement more secure algorithms such as bcrypt (Plugin tag: bcrypt)

The only plugin listed to have been tested with the latest version (5.2.3 at the time of writing) is the Password Evolved plugin (by developer Carl Alexander).

Further readings

Read from my Blog “How to create hack-proof passwords

(To open the post, please click on the image)

Share on facebook
Share on twitter
Share on linkedin
Share on email
Roberto Jobet

Roberto Jobet

I am an information security expert specializing in WordPress security. I offer professional security services to protect the confidentiality, integrity and availability of WordPress websites.

All posts

Other posts that might interest you!

Leave a Reply

Your email address will not be published. Required fields are marked *