Generate and verify WordPress-style password hashes (phpass)
⚠️ For Testing Only: This is a client-side implementation for reference. For production, use WordPress's wp_hash_password() function or update passwords through WordPress admin.
WordPress uses the PHPass portable password hashing framework.
Note: This tool is for development and testing purposes only. Always use WordPress's built-in functions in production.
1. Enter Password: Type the plain-text password you want to hash using WordPress phpass algorithm.
2. Generate Hash: Click to create WordPress-compatible hash. Uses Portable PHP password hashing with 8 MD5 rounds and random salt.
3. Hash Format: Output starts with $P$ (identifier), includes iteration count, salt, and 34-character hash.
4. Access Database: Use phpMyAdmin, MySQL CLI, or wp-cli to access wp_users table.
5. Update user_pass: Replace existing hash with new one. Use WHERE clause to target specific user ID.
6. Clear Sessions: User must re-login. Consider clearing wp_usermeta session tokens for security.
Verification: Tool can verify if plain password matches existing hash before database update.
WARNING: Use only for emergency access recovery. Prefer WordPress admin password reset or wp-cli. Direct DB updates bypass logging and notifications.
WordPress uses the Portable PHP password hashing framework (phpass) with 8 rounds of MD5-based hashing and per-password salts. While not as strong as bcrypt/Argon2, it's designed for broad PHP compatibility and is reasonably secure.
Yes, but only as a last resort (locked out, no email access). Hash your password with this tool, then update the wp_users table user_pass field. Always use WordPress admin or password reset when possible - direct DB updates bypass validation and logging.
The hash includes the algorithm identifier ($P$), iteration count, salt, and hash - about 34 characters total. This format is self-describing, allowing WordPress to upgrade hashing algorithms over time while supporting legacy hashes.
The hashing itself is secure, but for production use, always change passwords through WordPress admin or wp-cli. This ensures proper user notifications, logging, and session invalidation. Use this tool only for emergency access recovery or development/testing.