• Stars
    star
    611
  • Rank 73,401 (Top 2 %)
  • Language
    PHP
  • License
    MIT License
  • Created almost 9 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

WordPress plugin to implement secure bcrypt hashed passwords

wp-password-bcrypt

MIT License Packagist Packagist Downloads Build Status Follow Roots

Drop-in bcrypt password hashing for WordPress
Built with ❀️

Supporting

wp-password-bcrypt is an open source project and completely free to use.

However, the amount of effort needed to maintain and develop new features and products within the Roots ecosystem is not sustainable without proper financial backing. If you have the capability, please consider donating using the links below:

Sponsor on GitHub Donate via Patreon Donate via PayPal

Overview

wp-password-bcrypt is a WordPress plugin to replace WP's outdated and insecure MD5-based password hashing with the modern and secure bcrypt.

This plugin requires PHP >= 5.5.0 which introduced the built-in password_hash and password_verify functions.

See Improving WordPress Password Security for more background on this plugin and the password hashing issue.

Requirements

Installation

This plugin is a Composer library so it can be installed in a few ways:

Composer Autoloaded

composer require roots/wp-password-bcrypt

wp-password-bcrypt.php file will be automatically autoloaded by Composer and it won't appear in your plugins.

Manually as a must-use plugin

If you don't use Composer, you can manually copy wp-password-bcrypt.php into your mu-plugins folder.

We do not recommend using this as a normal (non-mu) plugin. It makes it too easy to disable or remove the plugin.

The Problem

WordPress still uses an MD5 based password hashing scheme. They are effectively making 25% of websites more insecure because they refuse to bump their minimum PHP requirements. By continuing to allow EOL PHP versions back to 5.2, they can't use newer functions like password_hash.

This is a known problem which WordPress has ignored for over 4 years now. Not only does WordPress set the insecure default of MD5, they don't do any of the following:

  • document this issue
  • provide instructions on how to fix it and make it more secure
  • notify users on newer PHP versions that they could be more secure

What's wrong with MD5? Really simply: it's too cheap and fast to generate cryptographically secure hashes.

The Solution

WordPress did at least one good thing: they made wp_check_password and wp_hash_password pluggable functions. This means we can define these functions in a plugin and "override" the default ones.

This plugin plugs in 3 functions:

  • wp_check_password
  • wp_hash_password
  • wp_set_password

wp_hash_password

This function is the simplest. This plugin simply calls password_hash instead of WP's default password hasher. The wp_hash_password_options filter is available to set the options that password_hash can accept.

wp_check_password

At its core, this function just calls password_verify instead of the default. However, it also checks if a user's password was previously hashed with the old MD5-based hasher and re-hashes it with bcrypt. This means you can still install this plugin on an existing site and everything will work seamlessly.

The check_password filter is available just like the default WP function.

wp_set_password

This function is included here verbatim but with the addition of returning the hash. The default WP function does not return anything which means you end up hashing it twice for no reason.

FAQ

What happens to existing passwords when I install the plugin?

Nothing at first. An existing password is only re-hashed with bcrypt when they log in. If a user never logs in, their password will remain hashed with MD5 in your database forever.

Why doesn't this plugin re-hash all existing passwords in the database?

Right now it's beyond the scope of the plugin. We want to keep it simple and straightforward. This is probably best left up to the individual developer or maybe a separate plugin in the future. See #6 for more details.

What happens if I remove/deactivate the plugin?

Magically, everything still works. See this comment for more details.

Any existing bcrypt hashed passwords will remain that way. Any new users or users resetting a password will get a new MD5 hashed password.

Why aren't you using the password_compat library so this works back to PHP 5.3.7?

The password_compact library is great if you really need it. But the Roots team advocates using supported versions of PHP which of now (March 2016) is 5.5 and above. Part of security is using a version of PHP that still gets security patches so we won't actively do something to support old unsupported versions of PHP.

Why doesn't this plugin show up in the admin?

If you're using Composer, then the wp-password-bcrypt.php file is automatically autoloaded. It's not treated as a true WordPress plugin since the package type is not set to wordpress-muplugin so it won't show up in the plugin list.

What's wrong with using this as a plugin instead of a must-use plugin?

As explained above, you don't want to disable this plugin once you've enabled it. Installing this in plugins (as a "normal" plugin) instead of in mu-plugins (as a must-use plugin) makes it possible for an admin user to accidentally disable it.

How is this different than other plugins which already exist?

There are a few plugins that exist which enable bcrypt. This plugin is different because we bypass the PasswordHash class and the phpass library that WordPress core uses. This plugin uses PHP's built-in password_hash and password_verify functions directly to only support PHP 5.5+.

I already use Two-factor authentication and/or prevent brute-force login attempts. Does this plugin still help?

Better hashing functions like bcrypt serve a different purpose than Two-factor authentication, brute-force attempt protection, or anything which acts at the log in stage. Strong hashing functions are important if an attacker is able to get access to your database. They will make it much harder/practically impossible to determine the plain-text passwords from the hashes. Whereas with MD5, this is trivial. Tools/plugins to protect logging in are still important and should be used together with this plugin.

Further Reading

Contributors

This plugin is based on a Gist by @Einkoro.

It has been modified and packaged by the Roots team. Jan Pingel (@Einkoro) has granted his permission for us to redistribute his original BSD-licensed code to an MIT license.

Contributing

Contributions are welcome from everyone. We have contributing guidelines to help you get started.

Community

Keep track of development and community news.

More Repositories

1

sage

WordPress starter theme with Laravel Blade components and templates, Tailwind CSS, and a modern development workflow
PHP
12,681
star
2

bedrock

WordPress boilerplate with Composer, easier configuration, and an improved folder structure
PHP
6,117
star
3

trellis

WordPress LEMP stack with PHP 8.2, Composer, WP-CLI and more
Jinja
2,483
star
4

soil

WordPress plugin which contains a collection of modules to apply theme-agnostic front-end modifications
PHP
1,022
star
5

acorn

Laravel components for WordPress plugins and themes
PHP
772
star
6

roots-example-project.com

Example Roots stack project (Trellis, Bedrock, Sage)
Jinja
459
star
7

wp-stage-switcher

WordPress plugin that allows you to switch between different environments from the admin bar
PHP
370
star
8

bud

High-performance build system that supports SWC, esbuild, and Babel
TypeScript
332
star
9

sage-woocommerce

WooCommerce integration for Sage 9 themes
PHP
213
star
10

bedrock-capistrano

Capistrano configs/integration for Bedrock
Ruby
176
star
11

wordpress

Automatically updated WordPress Composer package
170
star
12

docs

πŸ“ Documentation for Roots projects
168
star
13

trellis-cli

A CLI to manage Trellis projects
Go
165
star
14

wp-h5bp-htaccess

WordPress plugin that adds HTML5 Boilerplate's .htaccess
PHP
153
star
15

roots-sass

Deprecated in favor of Sage
132
star
16

clover

WordPress plugin boilerplate
JavaScript
82
star
17

capistrano-grunt

Capistrano extension for Grunt tasks
Ruby
67
star
18

roots-rewrites

Unsupported: Clean URL rewrites for WordPress assets
PHP
62
star
19

multisite-url-fixer

Fixes WordPress issues with home and site URL on multisite when using Bedrock
PHP
57
star
20

wp-config

Bedrock's failsafe wp-config
PHP
52
star
21

sage-translations

Community translations for the Sage WordPress starter theme
Shell
51
star
22

wordpress-nginx

Chef cookbook to create Nginx sites for WordPress applications
Ruby
48
star
23

roots-wrapper-toolbar

WordPress plugin that displays the base and main templates selected by the Roots wrapper in the WordPress toolbar
PHP
48
star
24

palette-webpack-plugin

Generate a JSON file containing your color palette from existing Sass maps and/or Tailwind.
JavaScript
46
star
25

roots-cli

*Pre-alpha* Start a new Roots project with one command
Go
41
star
26

grunt-wp-assets

Unsupported: WordPress assets revisioning
JavaScript
40
star
27

bedrock-autoloader

Bedrock Autoloader enables standard plugins to be required just like must-use plugins
PHP
38
star
28

wordpress-packager

Helper to generate WordPress Composer packages
PHP
37
star
29

acorn-prettify

Acorn Prettify contains a collection of modules to apply theme-agnostic front-end modifications to your Acorn-powered WordPress sites.
PHP
37
star
30

issue-closer-action

GitHub action to automatically close issues/PRs that don't match a regexp
JavaScript
34
star
31

sage-installer

Sage 9 installer
PHP
30
star
32

setup-trellis-cli

πŸ‘· Sets up Trellis CLI for GitHub Action workflows
JavaScript
29
star
33

bedrock-docker

https://roots.io/bedrock/
Dockerfile
29
star
34

sage-cli

Perform tasks with the Sage theme
TypeScript
21
star
35

acorn-example-package

A template for creating your own Acorn packages
PHP
19
star
36

wp-cli-theme-activation

WP-CLI command for theme activation and setting options
PHP
19
star
37

grunt-wp-version

Unsupported: This project has been replaced with https://github.com/roots/grunt-wp-assets
JavaScript
18
star
38

wp-cookbook

Chef cookbook for WordPress sites
Ruby
17
star
39

wordpress-full

Automatically updated WordPress composer package (full version, with wp-content and themes)
17
star
40

wp-blade-check

Checks and displays an admin notice if your uncompiled Blade templates are publicly accessible
PHP
16
star
41

guidelines

Coding and contributing guidelines for Roots projects
16
star
42

wordpress-no-content

Automatically updated WordPress composer package (version without wp-content)
14
star
43

js-dom-router

JavaScript DOM Router
TypeScript
13
star
44

acorn-mail

Simple WordPress SMTP using Acorn.
PHP
13
star
45

bedrock-disallow-indexing

Disallow indexing of your site on non-production environments.
PHP
12
star
46

sage-lib

Library files for Sage 9
PHP
12
star
47

acorn-fse-helper

Bootstrap FSE support in Acorn-based WordPress themes.
PHP
12
star
48

gutenberg-examples

8
star
49

.github

Default community health files for GitHub projects
TypeScript
7
star
50

vsce-blade-syntax

Roots specific syntax highlighting for blade template files
5
star
51

bud-generators

Standard generator library for @roots/bud.
HTML
5
star
52

discourse-topic-github-release-action

Post published GitHub releases from a repository to a Discourse instance.
JavaScript
4
star
53

dockerfiles

Dockerfile
4
star
54

trellis-deploy-action

GitHub Action for deploying Trellis sites
4
star
55

ansible-role-mailpit

Ansible Role - Mailpit email testing for developers
Jinja
3
star
56

homebrew-tap

Ruby
3
star
57

support

PHP
1
star
58

wordpress-generator-legacy

Legacy generator for the roots/wordpress Composer package. See https://github.com/roots/wordpress-packager for the current version.
PHP
1
star