WordPress Hash Generator
Generate WordPress 6.8+ compatible password hashes using bcrypt with SHA-384 pre-hash [citation:2]. Perfect for manual database updates, user password resets, and WordPress security testing.
Understanding WordPress Password Hashing
WordPress stores user passwords as one-way hashes rather than plain text. When a user logs in, WordPress hashes the entered password and compares it to the stored hash. This ensures that even if an attacker gains database access, they cannot directly read user passwords [citation:1].
WordPress 6.8+ Hashing Architecture [citation:7]
| Function | Algorithm | Prefix | Use Case |
|---|---|---|---|
| wp_hash_password() | bcrypt + SHA-384 pre-hash | $wp$2y$ | User passwords [citation:2] |
| wp_fast_hash() | BLAKE2b (Sodium) | $generic$ | App passwords, reset keys [citation:3] |
| wp_hash() | HMAC-MD5 + salts | none | Nonces, cookies [citation:8] |
| Legacy (pre-6.8) | phpass (MD5-based) | $P$ | Old password hashes [citation:7] |
Why bcrypt with SHA-384 Pre-hash? [citation:2]
bcrypt has a 72-byte password length limit. WordPress solves this by:
- Pre-hashing the password with SHA-384 using HMAC and the key 'wp-sha384'
- Base64-encoding the result
- Hashing with bcrypt using the specified cost factor
- Adding the '$wp$' prefix to distinguish from standard bcrypt
This preserves entropy for long passwords while maintaining bcrypt security [citation:2].
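The pre-hash steps above, as an added Python example (not code from WordPress or from this tool): it shows that two passphrases sharing their first 72 bytes look identical to bcrypt on their own but not after the HMAC-SHA-384 pre-hash, and it classifies stored hashes by the prefixes in the architecture table. Assumptions: the raw digest is what gets base64-encoded, the bcrypt limit is modelled by slicing instead of calling bcrypt, and all function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

BCRYPT_MAX_BYTES = 72  # bcrypt ignores password bytes past this limit


def wp_prehash(password: str) -> bytes:
    """HMAC-SHA-384 keyed with 'wp-sha384', then base64 (first two steps above).

    Assumption: the raw 48-byte digest, not its hex form, is base64-encoded.
    """
    mac = hmac.new(b"wp-sha384", password.encode("utf-8"), hashlib.sha384)
    return base64.b64encode(mac.digest())  # always 64 ASCII bytes


def bcrypt_effective_input(data: bytes) -> bytes:
    """Model the 72-byte limit: only this prefix can influence a bcrypt hash."""
    return data[:BCRYPT_MAX_BYTES]


def classify_hash(stored: str) -> str:
    """Name the scheme of a stored hash from the prefixes in the table above."""
    if stored.startswith("$wp$2y$"):
        return "bcrypt + SHA-384 pre-hash"
    if stored.startswith("$generic$"):
        return "BLAKE2b fast hash"
    if stored.startswith("$P$"):
        return "legacy phpass"
    return "unrecognized"


# Constructed sample: two long passphrases that differ only after byte 72.
COMMON = "correct horse battery staple " * 3  # 87 bytes
PW_A, PW_B = COMMON + "alpha", COMMON + "bravo"

if __name__ == "__main__":
    raw_same = bcrypt_effective_input(PW_A.encode()) == bcrypt_effective_input(PW_B.encode())
    pre_same = bcrypt_effective_input(wp_prehash(PW_A)) == bcrypt_effective_input(wp_prehash(PW_B))
    print("raw passwords identical within bcrypt limit:", raw_same)
    print("pre-hashed inputs identical within bcrypt limit:", pre_same)
    print("pre-hash length:", len(wp_prehash(PW_A)))
    # Constructed user_pass values with placeholder bodies.
    for value in ("$wp$2y$10$PLACEHOLDER", "$P$BPLACEHOLDER", "$generic$PLACEHOLDER"):
        print(classify_hash(value), "<-", value)
```

Running classify_hash over the user_pass column of a wp_users export is a quick way to find accounts that still carry legacy phpass hashes.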
Manual Password Reset via Database [citation:1]
- Generate a hash using this tool (select "User Password" type)
- Access your database via phpMyAdmin or similar
- Navigate to the wp_users table
- Find the target user and replace the user_pass value
- Save changes - the user can now log in with the new password
Argon2 Support [citation:7]
WordPress 6.8+ can use Argon2ID on servers that support it. To enable:
```php
add_filter( 'wp_hash_password_algorithm', fn() => PASSWORD_ARGON2ID );
```
Check password_algos() first to verify Argon2 support [citation:7].
Key Features
- WordPress 6.8+ compatible
- bcrypt with SHA-384 pre-hash
- BLAKE2b fast hashes
- Manual DB update support
- Adjustable cost factor
WordPress Hash Specifications
| Password Algorithm | bcrypt + SHA-384 pre-hash [citation:2] |
|---|---|
| Password Prefix | $wp$2y$ [citation:7] |
| Fast Hash Algorithm | BLAKE2b [citation:3] |
| Fast Hash Prefix | $generic$ [citation:3] |
| Auth Hash | HMAC-MD5 + salts [citation:8] |
| Default Cost | 10 (adjustable 4-31) |
| Introduced | WordPress 6.8 [citation:7] |
WordPress Hash Functions Reference [citation:2][citation:3][citation:8]
wp_hash_password()
```php
// WordPress 6.8+ bcrypt with SHA-384 pre-hash
$hash = wp_hash_password('user_password');
// Result: $wp$2y$10$...

// Check password
if (wp_check_password('user_password', $hash)) {
    // Password matches
}
```
wp_fast_hash() [citation:3]
```php
// For app passwords, reset keys
$hash = wp_fast_hash($high_entropy_string);
// Result: $generic$...

// Verify
if (wp_verify_fast_hash($hash, $string)) {
    // Valid
}
```
wp_hash() [citation:8]
```php
// For nonces, cookies
$hash = wp_hash($data, 'auth');
// Uses HMAC-MD5 with site salts
```
PHP Native (alternative)
```php
// Using PHP's password_hash()
$hash = password_hash($password, PASSWORD_BCRYPT, [
    'cost' => 10
]);
// Note: this call alone returns a plain $2y$ bcrypt hash.
// wp_hash_password() adds the SHA-384 pre-hash
// and '$wp$' prefix automatically
```
WordPress Hash Examples
| Type | Example Hash |
|---|---|
| User Password (bcrypt) | $wp$2y$10$N9qo8uLOickgx2ZMRZoMy.MrZ7R0L1nXvK8o7qY5q8vQ9wX8r7Y6S |
| App Password (BLAKE2b) | $generic$7zCQnVqXvYkLpRmNtRwMxBzDfGhJkLmNpQsRtVwX |
| Auth Hash (HMAC-MD5) | a1b2c3d4e5f67890abcdef1234567890 |
| Legacy phpass | $P$BABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789. |
Frequently Asked Questions
```php
if (wp_check_password('plaintext', '$wp$2y$10$...')) {
    // Password matches
}
```
The function automatically detects the hash type (bcrypt, phpass, etc.) and verifies accordingly [citation:2].

All WordPress hash generation is performed client-side. Your passwords never leave your device.
WordPress 6.8+ Compatible: Uses bcrypt with SHA-384 pre-hash, BLAKE2b fast hashes, and proper prefixing [citation:2][citation:3][citation:7].