开发者 | ayeshrajans |
---|---|
更新时间 | 2024年6月11日 00:52 |
PHP版本: | 7.0 及以上 |
WordPress版本: | 6.5 |
版权: | GPLv2 or later |
版权网址: | 版权信息 |
password_hash()
and its accompanying functions. By default, PHP uses bcrypt to hash the passwords. If available, this plugin will use modern Argon2 algorithm. The transition will be transparent.
CSPRNG
)password_hash()
functions without compromising any of the applications' security.
This plugin is designed to be as minimal and fast as possible, and can be considered a must-use for EVERY WordPress application given the minimal footprint of this plugin, and considering the importance of using a secure hashing algorithm for passwords.
/wp-content/plugins/password-hash
directory, or install the plugin through the WordPress plugins screen directly.Nope! This plugin is smart enough to identify an old password hash, capable to seamlessly validate it using the old algorithm, and update the hash with the new version automatically. Your users wouldn't notice a thing.
Password hashing is a one-way operation, and it's near impossible to extract the original password from the hash. This means we cannot undo the effect of this plugin. Your existing users will need to reset their passwords. However, your password hashes will remain safe. This plugin is does one specific thing and does it well. There should be no significant impact on using this plugin.
The easiest way would be to check your database from PHPMyAdmin or any other software in its line. Check if the password
hash field in your users table has the format $2y$10...
. Those who have not updated their hashes will have a different
format. However, if the plugin is unable to override the password hashing algorithm from WordPress core, you will see a
notification in your dashboard. If you do not see anything, you are golden.
Argon2I
and Argon2ID
hashing algorithms?To keep the plugin size minimal, this plugin does not offer a UI configuration page. You can set the password hashing
algorithm with a configuration value set in wp-config.php
file.
Open your wp-config.php
file at the root of your WordPress site, and find the line that says That's all, stop editing! Happy publishing
.
Above this line, you can configure the hashing algorithm you want this plugin to use. Note that a wrong configuration value
means your users will not be able to log in until you fix this configuration option. It's not recommended that you set
this configuration value unless you know what you are doing.
define( 'WP_PASSWORD_HASH_ALGO', PASSWORD_ARGON2ID );
You can use the following values depending on your PHP version:
PASSWORD_ARGON2I
PASSWORD_ARGON2ID
(recommended)Alrighty folks, read carefully: This plugin can listen to a configuration option you specify and pass it along to the hashing
process. Please make sure you are absolutely sure about the values you set here. If you set a value too easy to crack,
you will open up a security vulnerability in your site. If you set a value too high, your server will take too much resources.
This plugin does not make any effort to validate the configuration you set. If you do not configure a value, plugin will
use the default value your PHP version comes with.
If you would still like to configure these options, similar to the way you set the hashing algorithm, open the wp-config.php
file for your WordPress site (at root of your WordPress installation), and right below the line that you configure hashing
algorithm (see FAQ above), set your configuration values as well. Here is an example (not necessarily a recommendation):
define( 'WP_PASSWORD_HASH_OPTIONS', ['memory_cost' => 2<<16, 'time_cost' => \PASSWORD_ARGON2_DEFAULT_TIME_COST, 'threads' => \PASSWORD_ARGON2_DEFAULT_THREADS]] );
The values you set here will be different based on the algorithm you set. You must set the WP_PASSWORD_HASH_ALGO
configuration in order for this to be effective.
See https://www.php.net/manual/en/password.constants.php for more examples and information.
Existing password hashes will be updated the next time the user logs in. Existing hashes will be checked using the existing algorithm regardless of this configuration.
Pier to pier networking.
wp-config.php
to configure password hashing options.