wp_check_password( string $password, string $hash, string|int $user_id = '' ): bool

Checks the plaintext password against the encrypted Password.

Description
Parameters
Return
More Information
Source
Hooks
Related
- Uses
- Used By
Changelog
User Contributed Notes

Description

Maintains compatibility between old version and the new cookie authentication protocol using PHPass library. The $hash parameter is the encrypted password and the function compares the plain text password when encrypted similarly against the already encrypted password to see if they match.

For integration with other applications, this function can be overwritten to instead use the other package password checking algorithm.

Top ↑

Parameters

$password string Required: Plaintext user's password.
$hash string Required: Hash of the user's password to check against.
$user_id string|int Optional: User ID.

Default: ''

Top ↑

Return

bool False, if the $password does not match the hashed password.

Top ↑

More Information

This function can be replaced via plugins. If plugins do not redefine these functions, then this will be used instead.

Top ↑

Source

File: wp-includes/pluggable.php. View all references

function wp_check_password( $password, $hash, $user_id = '' ) {
	global $wp_hasher;

	// If the hash is still md5...
	if ( strlen( $hash ) <= 32 ) {
		$check = hash_equals( $hash, md5( $password ) );
		if ( $check && $user_id ) {
			// Rehash using new hash.
			wp_set_password( $password, $user_id );
			$hash = wp_hash_password( $password );
		}

		/**
		 * Filters whether the plaintext password matches the encrypted password.
		 *
		 * @since 2.5.0
		 *
		 * @param bool       $check    Whether the passwords match.
		 * @param string     $password The plaintext password.
		 * @param string     $hash     The hashed password.
		 * @param string|int $user_id  User ID. Can be empty.
		 */
		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
	}

	// If the stored hash is longer than an MD5,
	// presume the new style phpass portable hash.
	if ( empty( $wp_hasher ) ) {
		require_once ABSPATH . WPINC . '/class-phpass.php';
		// By default, use the portable hash from phpass.
		$wp_hasher = new PasswordHash( 8, true );
	}

	$check = $wp_hasher->CheckPassword( $password, $hash );

	/** This filter is documented in wp-includes/pluggable.php */
	return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}

View on Trac View on GitHub

Top ↑

Hooks

apply_filters( 'check_password', bool $check, string $password, string $hash, string|int $user_id )

Filters whether the plaintext password matches the encrypted password.

Top ↑

Uses

Uses
Uses	Description
wp_set_password() wp-includes/pluggable.php	Updates the user’s password with a new encrypted one.
wp_hash_password() wp-includes/pluggable.php	Creates a hash (encrypt) of a plain text password.
apply_filters() wp-includes/plugin.php	Calls the callback functions that have been added to a filter hook.

Show 1 more use Hide more uses

Top ↑

Used By

Used By
Used By	Description
wp_authenticate_application_password() wp-includes/user.php	Authenticates the user using an application password.
WP_Recovery_Mode_Key_Service::validate_recovery_mode_key() wp-includes/class-wp-recovery-mode-key-service.php	Verifies if the recovery mode key is correct.
wp_authenticate_email_password() wp-includes/user.php	Authenticates a user using the email and password.
wp_authenticate_username_password() wp-includes/user.php	Authenticates a user, confirming the username and password are valid.