wp_check_password( string $password, string $hash, string|int $user_id = '' )

Checks the plaintext password against the encrypted Password.

Contents

Description Description

Maintains compatibility between old version and the new cookie authentication protocol using PHPass library. The $hash parameter is the encrypted password and the function compares the plain text password when encrypted similarly against the already encrypted password to see if they match.

For integration with other applications, this function can be overwritten to instead use the other package password checking algorithm.

Parameters Parameters

$password

(string) (Required) Plaintext user's password

$hash

(string) (Required) Hash of the user's password to check against.

$user_id

(string|int) (Optional) User ID.

Default value: ''

Top ↑

Return Return

(bool) False, if the $password does not match the hashed password

Top ↑

Source Source

File: wp-includes/pluggable.php 

function wp_check_password($password, $hash, $user_id = '') {
	global $wp_hasher;

	// If the hash is still md5...
	if ( strlen($hash) <= 32 ) {
		$check = hash_equals( $hash, md5( $password ) );
		if ( $check && $user_id ) {
			// Rehash using new hash.
			wp_set_password($password, $user_id);
			$hash = wp_hash_password($password);
		}

		/**
		 * Filters whether the plaintext password matches the encrypted password.
		 *
		 * @since 2.5.0
		 *
		 * @param bool       $check    Whether the passwords match.
		 * @param string     $password The plaintext password.
		 * @param string     $hash     The hashed password.
		 * @param string|int $user_id  User ID. Can be empty.
		 */
		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
	}

	// If the stored hash is longer than an MD5, presume the
	// new style phpass portable hash.
	if ( empty($wp_hasher) ) {
		require_once( ABSPATH . WPINC . '/class-phpass.php');
		// By default, use the portable hash from phpass
		$wp_hasher = new PasswordHash(8, true);
	}

	$check = $wp_hasher->CheckPassword($password, $hash);

	/** This filter is documented in wp-includes/pluggable.php */
	return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}

Expand full source code Collapse full source code View on Trac

Top ↑

Changelog Changelog

Changelog
Version Description
2.5.0 Introduced.

Top ↑

Top ↑

Uses Uses

Uses
Uses Description
wp-includes/compat.php: hash_equals()

Timing attack safe string comparison
wp-includes/pluggable.php: wp_set_password()

Updates the user’s password with a new encrypted one.
wp-includes/pluggable.php: wp_hash_password()

Create a hash (encrypt) of a plain text password.
wp-includes/pluggable.php: check_password

Filters whether the plaintext password matches the encrypted password.
wp-includes/plugin.php: apply_filters()

Call the functions added to a filter hook.

Top ↑

User Contributed Notes User Contributed Notes

You must log in before being able to contribute a note or feedback.