WordPress Password Encryption & Decryption Algorithm

WordPress is a most popular and familiar open source Content Management System(CMS). It uses the PHP password hashing framework to generate hashed strings using several available algorithms. WordPress doesn’t store user passwords as plain text, instead it will save the password as hash string (encrypted password). This make you to keep secure, even if your database is hacked, the attacker won’t know your original password.

WordPress will also adds a bit of salt to make the string much longer and more complex. Then, it applies a cryptographic algorithm to the final string to create a one-way hash. A specific plain text string will always generate the same hash. There is no way, however to convert a given hash back to its plain text equivalent. This is an one-way hashing technique that you can make the plain text to hash (encrypted text) but you can’t reverse it back by decrypting.

WordPress Pluggable Functions

WordPress stores its cryptographic salts (strings used to lengthen plain text strings before hashing) in the global wp-config.php file. These salts are unique for every installation and, if ever compromised, can be readily re-generated and replaced.

As usual WordPress given an pluggable functions to play around the password hashing technique. wp_hash_password() and wp_check_password are the pluggable functions lets you to filters on their output to allow for similar overriding of their functionality.

Thank You !!


SIVA SANKAR, Working as a Software Engineer, Blogging is my hobby. I completed my Bachelors of Engineering (Computer Science Engineering) in Chennai, India. and my Master of Engineering (Embedded System Technologies) in Tamilnadu, India.

4 thoughts on “WordPress Password Encryption & Decryption Algorithm

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.