Force Strong Hashing

Description

Forces all user passwords generated by WordPress to be hashed using Bcrypt, the most secure and popular PHP hashing algorithm currently available.

The Long Version

The plugin gracefully replaces WordPress password hashing (MD5) with the much stronger password hashing built into PHP 5.5+, so if your password hashes are ever exposed, it would be much more difficult for hackers to brute-force them.

In the future (PHP 7.2) we may have an option for Argon2 hashing, to eventually replace Bcrypt. But for now, Bcrypt has been stable and free of issues for many years, so security-wise it still makes sense.

Compatibility

This plugin has been designed for use on LEMP (Nginx) web servers with PHP 7.0 and MySQL 5.7 to achieve best performance. All of our plugins are meant for single site WordPress installations only; for both performance and security reasons, we highly recommend against using WordPress Multisite for the vast majority of projects.

Plugin Features

  • Settings Page: No
  • Premium Version Available: Yes (Security Guard)
  • Includes Media (Images, Icons, Etc): No
  • Includes CSS: No
  • Database Storage: Yes
    • Transients: No
    • Options: Yes
    • Creates New Tables: No
  • Database Queries: Backend Only (Options API)
  • Must-Use Support: Yes (Use With Autoloader)
  • Multisite Support: No
  • Uninstalls Data: Yes

WP Admin Notices

This plugin generates multiple Admin Notices in the WP Admin dashboard. The first is a notice that fires during plugin activation which recommends several related free plugins that we believe will enhance this plugin’s features; this notice will re-appear approximately once every 6 months as our code and recommendations evolve. The second is a notice that fires a few days after plugin activation which asks for a 5-star rating of this plugin on its WordPress.org profile page. This notice will re-appear approximately once every 9 months. These notices can be dismissed by clicking the (x) symbol in the upper right of the notice box. These notices may annoy or confuse certain users, but are appreciated by the majority of our userbase, who understand that these notices support our free contributions to the WordPress community while providing valuable (free) recommendations for optimizing their website.

If you feel that these notices are too annoying, then we encourage you to consider one or more of our upcoming premium plugins that combine several free plugin features into a single control panel, or even consider developing your own plugins for WordPress, if supporting free plugin authors is too frustrating for you. A final alternative would be to place the defined constant mentioned below inside of your wp-config.php file to manually hide this plugin’s nag notices:

define('DISABLE_NAG_NOTICES', true);

Note: This defined constant will only affect the notices mentioned above, and will not affect any other notices generated by this plugin or other plugins, such as one-time notices that communicate with admin-level users.

Code Inspiration

This plugin was partially inspired either in “code or concept” by the open-source software and discussions mentioned below:

Recommended Plugins

We invite you to check out a few other related free plugins that our team has also produced that you may find especially useful:

Premium Plugins

We invite you to check out a few premium plugins that our team has also produced that you may find especially useful:

Special Thanks

We thank the following groups for their generous contributions to the WordPress community which have particularly benefited us in developing our own free plugins and paid services:

Disclaimer

We released this plugin in response to our managed hosting clients asking for better access to their server, and our primary goal will remain supporting that purpose. Although we are 100% open to fielding requests from the WordPress community, we kindly ask that you keep the above mentioned goals in mind, thanks!

Installation

  1. Upload to /wp-content/plugins/force-strong-hashing-littlebizzy
  2. Activate via WP Admin > Plugins
  3. Test plugin is working by viewing new complex password hashes stored in your database
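
One way to carry out step 3 without reading hashes by eye, as an added example that is not the plugin's own code: the script classifies stored hash strings by format, so bcrypt values ($2y$, 60 characters) can be told apart from the $P$ phpass (MD5-based) hashes WordPress core wrote at the time and from bare MD5 digests. The function names and sample rows are assumptions made for the illustration; in practice the input would be the user_login and user_pass columns of your own users table.

```php
<?php
// Added example (not the plugin's code): classify wp_users.user_pass values.

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/** Return [format, detail, strong] for one stored password hash. */
function classify_user_pass(string $hash): array
{
    $info = password_get_info($hash);
    if ($info['algoName'] === 'bcrypt') {
        return ['bcrypt', 'cost ' . $info['options']['cost'], true];
    }
    if ($info['algoName'] !== 'unknown') {          // argon2i / argon2id
        return [$info['algoName'], '', true];
    }
    // phpass "portable" hash: $P$ or $H$, 1 cost character, 8-char salt, 22-char digest.
    if (preg_match('~^\$[PH]\$([./0-9A-Za-z])[./0-9A-Za-z]{30}$~', $hash, $m)) {
        return ['phpass-md5', (1 << strpos(ITOA64, $m[1])) . ' MD5 rounds', false];
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $hash)) {   // bare MD5 hex digest
        return ['plain-md5', 'unsalted, 1 round', false];
    }
    return ['unrecognised', '', false];
}

/** Group logins by hash strength so leftover legacy hashes stand out. */
function audit_user_pass(array $rows): array
{
    $report = [];
    foreach ($rows as $login => $hash) {
        [$format, $detail, $strong] = classify_user_pass($hash);
        $report[$strong ? 'strong' : 'legacy'][] = "$login: $format" . ($detail ? " ($detail)" : '');
    }
    return $report;
}

// Constructed sample rows (login => user_pass); none come from a real site.
$rows = [
    'alice' => password_hash('constructed-sample', PASSWORD_BCRYPT, ['cost' => 10]),
    'bob'   => '$P$B' . str_repeat('a', 30),   // phpass-shaped placeholder
    'carol' => md5('constructed-sample'),
];
print_r(audit_user_pass($rows));
```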

FAQ

How can I change this plugin’s settings?

For optimal performance and simplicity, there is no settings page.

I have a suggestion, how can I let you know?

Please avoid leaving negative reviews in order to get a feature implemented. Instead, we kindly ask that you post your feedback on the wordpress.org support forums by tagging this plugin in your post. If needed, you may also contact us through our homepage.

Reviews

It just works

As far as I could check, the plugin indeed does what it was made for, so no complaints from me.


Contributors & Developers

“Force Strong Hashing” is open source software. The following people have contributed to this plugin.

Changelog

1.0.5

  • added warning for Multisite installations
  • updated recommended plugins

1.0.4

  • tested with WP 4.9
  • added support for define('DISABLE_NAG_NOTICES', true);

1.0.3

  • optimized plugin code
  • updated recommended plugins
  • added rating request notice

1.0.2

  • updated recommended plugins

1.0.1

  • added recommended plugins notice

1.0.0

  • initial release