wp_generate_password( int $length = 12, bool $special_chars = true, bool $extra_special_chars = false ): string

Generates a random password drawn from the defined set of characters.

Description

Uses wp_rand() to create passwords with far less predictability than similar native PHP functions like rand() or mt_rand().

Parameters

$length int optional
The length of password to generate.

Default: 12

$special_chars bool optional
Whether to include standard special characters.

Default: true

$extra_special_chars bool optional
Whether to include other special characters.
Used when generating secret keys and salts.

Default: false

Return

string The random password.

More Information

This function executes the random_password filter after generating the password.

Normal characters: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

Special characters: !@#$%^&*()

Extra special characters: -_ []{}<>~`+=,.;:/?|
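
The three character sets above fix the alphabet size (62, 72 or 92 characters), and with it how much entropy each generated character contributes. The following is an added example, not WordPress core code: it rebuilds the alphabets from the lists on this page, estimates entropy for a given length, and draws characters with PHP's random_int() instead of wp_rand(). All `demo_*` names and the sample lengths are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. Character sets copied from this page.
const NORMAL_CHARS  = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
const SPECIAL_CHARS = '!@#$%^&*()';
const EXTRA_CHARS   = '-_ []{}<>~`+=,.;:/?|';

// Build the alphabet selected by the two boolean parameters.
function demo_charset( bool $special_chars = true, bool $extra_special_chars = false ): string {
	$chars = NORMAL_CHARS;
	if ( $special_chars ) {
		$chars .= SPECIAL_CHARS;
	}
	if ( $extra_special_chars ) {
		$chars .= EXTRA_CHARS;
	}
	return $chars;
}

// Entropy in bits, assuming every character is chosen uniformly and independently.
function demo_entropy_bits( int $length, string $chars ): float {
	return $length * log( strlen( $chars ), 2 );
}

// Smallest length that reaches a target entropy with the given alphabet.
function demo_min_length( float $target_bits, string $chars ): int {
	return (int) ceil( $target_bits / log( strlen( $chars ), 2 ) );
}

// Stand-in generator: random_int() is a CSPRNG and selects without modulo bias.
function demo_generate( int $length, string $chars ): string {
	$out = '';
	$max = strlen( $chars ) - 1;
	for ( $i = 0; $i < $length; $i++ ) {
		$out .= $chars[ random_int( 0, $max ) ];
	}
	return $out;
}

// Constructed sample configurations: length, $special_chars, $extra_special_chars.
$cases = array(
	'defaults'           => array( 12, true, false ),
	'URL-safe token'     => array( 32, false, false ),
	'all character sets' => array( 64, true, true ),
);
foreach ( $cases as $label => [ $length, $special, $extra ] ) {
	$chars = demo_charset( $special, $extra );
	printf( "%-18s alphabet=%2d  %6.1f bits  128-bit length=%2d  %s\n", $label, strlen( $chars ),
		demo_entropy_bits( $length, $chars ), demo_min_length( 128, $chars ), demo_generate( $length, $chars ) );
}
```

The estimate applies to the unfiltered result only: a callback on the random_password filter can replace the generated string with anything.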

Source

		$password_to_hash = base64_encode( hash_hmac( 'sha384', trim( $password ), 'wp-sha384', true ) );

		// Add a prefix to facilitate distinguishing vanilla bcrypt hashes.
		return '$wp' . password_hash( $password_to_hash, $algorithm, $options );
	}
endif;

if ( ! function_exists( 'wp_check_password' ) ) :
	/**
	 * Checks a plaintext password against a hashed password.
	 *
	 * Note that this function may be used to check a value that is not a user password.
	 * A plugin may use this function to check a password of a different type, and there
	 * may not always be a user ID associated with the password.
	 *
	 * For integration with other applications, this function can be overwritten to
	 * instead use the other package password hashing algorithm.
	 *
	 * @since 2.5.0
	 * @since 6.8.0 Passwords in WordPress are now hashed with bcrypt by default. A
	 *              password that wasn't hashed with bcrypt will be checked with phpass.
	 *
	 * @global PasswordHash $wp_hasher phpass object. Used as a fallback for verifying
	 *                                 passwords that were hashed with phpass.
	 *
	 * @param string     $password Plaintext password.
	 * @param string     $hash     Hash of the password to check against.

Changelog

Version   Description
2.5.0     Introduced.

User Contributed Notes

    You can use the wp_generate_password() function to create a unique hash that can be added as a parameter to URLs. This is useful in scenarios such as cache busting (forcing the browser to re-fetch the page instead of using a cached version) or generating unique referral links.

    Here’s an example of how to implement this:

    $url = home_url( '/some-location' ); // Get some URL of your WordPress site
    $url = add_query_arg( array(
        '_some_param' => wp_generate_password( 32, false, false ) // Generate a unique hash
    ), $url );
    
    wp_safe_redirect( $url ); // Safely redirect to the new URL
    exit; // wp_safe_redirect() does not end the request by itself

    You can replace home_url() with any other URL you want to use as the base.
