PHP Native password hash


Requires PHP 5.5 or later

This plugin swaps out WordPress core’s password hashing mechanism with PHP 5.5’s password_hash() and its accompanying functions. By default, PHP uses bcrypt to hash passwords. If available, this plugin will use the modern Argon2 algorithm. The transition is transparent.

  • A password salt will be generated using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).
  • Password hashes are safe from dictionary attacks with rainbow tables or any other precomputed hash lists, because a secure salt is generated for each password.
  • The password hashing is iterated multiple times to provide good resistance against brute-force attacks.
  • Password checks are made in a way that mitigates timing attacks.
  • You do not have to reset passwords of all users. Passwords already hashed in the database will be rehashed automatically and transparently the next time the user logs in.
  • PHP might come up with newer password hashing algorithms, and they will be automatically supported without having to reset all the passwords.

This plugin was initially made because one of our applications used WordPress for authentication, but we also needed an external system to verify the passwords directly from the database. Since WordPress has its own password hashing algorithm, we decided to make this plugin to address that problem. With this plugin, passwords generated by both WordPress and other custom applications now use PHP’s default password_hash() functions without compromising the security of any of the applications.


  1. Upload the plugin files to the /wp-content/plugins/password-hash directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress.
  3. You are all set! There is nothing to configure. All existing users’ passwords will be rehashed on their next successful login. There is no configuration UI; it just works.


Why does this plugin require PHP 5.5?

Because the underlying functionality has only been available since PHP 5.5. There are other open source workarounds, but we found the effort not worth it. The oldest PHP version officially supported by PHP maintainers is PHP 5.6 as of now, so if you are using an older version, you are exposing your site to potential bugs and security issues. The plugin is fully tested to work with PHP versions 5.5, 5.6, 7.0, and 7.1.

Do I have to reset all existing passwords?

Nope! This plugin is smart enough to identify an old password hash, seamlessly validate it using the old algorithm, and update the hash to the new version automatically. Your users won’t notice a thing.
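
The verify-then-upgrade flow this answer describes, as an added example that is not the plugin's own code: `verify_and_upgrade()` and the `$legacy` callback are hypothetical names, an unsalted MD5 check stands in for the old algorithm, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Added illustration, not the plugin's code. Assumes PHP 7.1+.

/**
 * Check a login attempt and decide whether the stored hash must be replaced.
 * $legacyVerify is a hypothetical callback standing in for the old checker.
 * Returns [bool $ok, ?string $newHash]; $newHash is null when nothing changes.
 */
function verify_and_upgrade(string $password, string $stored, callable $legacyVerify): array
{
    // password_get_info() reports 'unknown' for anything password_hash() did not produce.
    $native = password_get_info($stored)['algoName'] !== 'unknown';

    $ok = $native
        ? password_verify($password, $stored)       // timing-safe check provided by PHP
        : (bool) $legacyVerify($password, $stored);

    if (!$ok) {
        return [false, null];                       // never rehash on a failed check
    }

    // Upgrade legacy hashes, and native ones whose algorithm or cost is outdated.
    if (!$native || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    return [true, null];
}

// Constructed demo: unsalted MD5 stands in for "the old algorithm".
$legacy = function (string $password, string $stored): bool {
    return hash_equals($stored, md5($password));
};

$row = ['user_pass' => md5('correct horse')];       // constructed legacy record

[$ok, $new] = verify_and_upgrade('wrong guess', $row['user_pass'], $legacy);
printf("wrong password: ok=%s rehash=%s\n", var_export($ok, true), var_export($new !== null, true));

[$ok, $new] = verify_and_upgrade('correct horse', $row['user_pass'], $legacy);
if ($ok && $new !== null) {
    $row['user_pass'] = $new;                       // persist the upgraded hash
}
printf("first login:    ok=%s rehash=%s\n", var_export($ok, true), var_export($new !== null, true));

[$ok, $new] = verify_and_upgrade('correct horse', $row['user_pass'], $legacy);
printf("second login:   ok=%s rehash=%s\n", var_export($ok, true), var_export($new !== null, true));
```

The rehash happens only after a successful check, because that is the one moment the plaintext password is available to the server.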

What happens if I uninstall this plugin?

Technically, password hashing is a one-way operation. This means we cannot undo the effect of this plugin. Your existing users will need to reset their passwords. However, your password hashes will remain safe.

How do I confirm the new hashing algorithm is in use?

The easiest way is to check your database with phpMyAdmin or a similar tool. Check whether the password hash field in your users table has the format $2y$10.... Users whose hashes have not been updated yet will have a different format. However, if the plugin is unable to override the password hashing algorithm from WordPress core, you will see a notification in your dashboard. If you do not see anything, you are golden.
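
The same check scripted instead of read by eye, as an added example that is not part of the plugin: `describe_hash()` and `pending_migration()` are hypothetical helpers, the rows are constructed, and `user_login`/`user_pass` are the WordPress users-table columns. In a `$2y$10$` prefix, `2y` marks bcrypt and `10` is its cost, which `password_get_info()` reads back from the hash.

```php
<?php
// Added illustration, not the plugin's code. Rows below are constructed samples.

/** Summarise how a stored hash was produced, using only PHP's own parsers. */
function describe_hash(string $hash): array
{
    $info = password_get_info($hash);
    return [
        'native'       => $info['algoName'] !== 'unknown',  // made by password_hash()?
        'algo'         => $info['algoName'],                // e.g. bcrypt, argon2i
        'options'      => $info['options'],                 // e.g. ['cost' => 10]
        'needs_rehash' => password_needs_rehash($hash, PASSWORD_DEFAULT),
    ];
}

/** Return the logins whose hashes would still be replaced on next login. */
function pending_migration(array $rows): array
{
    $pending = [];
    foreach ($rows as $row) {
        if (describe_hash($row['user_pass'])['needs_rehash']) {
            $pending[] = $row['user_login'];
        }
    }
    return $pending;
}

$rows = [
    ['user_login' => 'alice', 'user_pass' => password_hash('a', PASSWORD_BCRYPT, ['cost' => 10])],
    ['user_login' => 'bob',   'user_pass' => md5('b')],     // stand-in for a pre-plugin hash
    ['user_login' => 'carol', 'user_pass' => password_hash('c', PASSWORD_BCRYPT, ['cost' => 4])],
];

foreach ($rows as $row) {
    $d = describe_hash($row['user_pass']);
    printf(
        "%-6s algo=%-8s options=%s needs_rehash=%s\n",
        $row['user_login'],
        $d['algo'],
        json_encode($d['options']),
        var_export($d['needs_rehash'], true)
    );
}
echo 'pending: ', implode(', ', pending_migration($rows)), "\n";
```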

PHP 7.2 comes with Argon2 support!

Yes, and that’s good news indeed. This plugin will expose an option for administrators to switch to the new Argon2 algorithm, and also make the transition automatic for all existing and new users.

How did pirates collaborate before computers?

Pier to pier networking.


Thanks very much!

Can't believe WP is still using MD5 by default o.O As soon as I learned about this, I got this plugin, and it does exactly what you want, using WordPress built in functions, so totally lightweight. Thanks dev!

Contributors & Developers

“PHP Native password hash” is open source software. The following people have contributed to this plugin.




  • Initial release.


  • Fixed a bug for PHP 5.5 users whose PHP core lacks the time-safe hash_equals() function, resulting in a fatal error. This version introduces a polyfill to add that functionality for PHP 5.5 users. Users with newer PHP versions will use the PHP-provided hash_equals() function.


  • This plugin now requires WordPress version 3.9.2 at the least, and uses the hash_equals() function polyfill provided by WordPress core.


  • Skipped 1.3 version because a WIP Argon2i support conflicted with the bug fix (#2). Argon2i support will be added in a future release.
  • Fixes an error with password validation when the PasswordHash class from WordPress core is not loaded. See


  • Fix a security issue with the password verification when updating from a password_hash()-compatible hashing algorithm to another. Thanks to Steve Thomas (Sc00bz on GitHub).