Enhance WordPress security by replacing outdated MD5-based password hashing with modern Argon2i password hashing (Argon2 is a hash function, not encryption: passwords are never stored in a recoverable form)
WordPress's default password hashing is PHPass's "portable" scheme: salted MD5, iterated 8192 times. MD5 dates from 1992 and was never designed as a password hash, and a scheme built on it is weak by modern standards because it is cheap to compute:
- ⚠️ Brute-force and dictionary attacks: even iterated, MD5 costs microseconds per guess
- ⚠️ GPU-accelerated cracking: MD5 needs almost no memory, so a GPU tests orders of magnitude more guesses per second than a memory-hard function allows
- ⚠️ Rainbow tables: PHPass's per-user salt largely defeats precomputed tables, so speed rather than precomputation is the practical weakness
This must-use plugin replaces WordPress's password hashing system with:
- ✅ Argon2i - the Argon2 family won the Password Hashing Competition (2015)
- ✅ SHA-512 HMAC - the password is first HMAC'd with a WordPress secret key before Argon2i runs, so a leaked database alone is not enough to start cracking (a pepper)
- ✅ Automatic migration - Rehashes old passwords on login
- ✅ Zero configuration - Drop in and forget
- ✅ Backward compatible - Works with existing WordPress user system
- Argon2i algorithm - memory-hard hashing designed to resist GPU attacks
- SHA-512 HMAC - keyed with the site's WordPress salt, acting as a pepper that lives in wp-config.php rather than in the database
- Native PHP functions - no external dependencies; uses PHP's password_hash() and password_verify()
- Automatically detects old MD5 hashes
- Rehashes passwords when users login
- No manual migration needed
- Maintains backward compatibility during transition
- Overrides WordPress's pluggable functions wp_hash_password(), wp_check_password() and wp_set_password()
- Works as a must-use plugin (loads before regular plugins, and before wp-includes/pluggable.php, which is what lets it define those functions)
- Supports Application Passwords (WordPress 5.6+)
- No configuration required
- Deliberately more expensive per hash than MD5 (that is the point of a memory-hard function), but negligible at login frequency
- Argon2i parameters can be customized via filter
- Efficient rehashing on authentication
```bash
composer require jazzman/wp-password-argon
```

The package installs automatically to wp-content/mu-plugins/wp-password-argon/ via Composer Installers.
- Download the latest release
- Upload to wp-content/mu-plugins/wp-password-argon/
- That's it! No activation needed (must-use plugins auto-load)
Hashing a new password:

```text
User enters password
    ↓
SHA-512 HMAC keyed with the WordPress salt (pepper)
    ↓
Argon2i hashing with memory cost
    ↓
Stored in database
```

Login attempt:

```text
User login attempt
    ↓
Check if stored hash is Argon2i
    ↓
├─ Yes → Verify with password_verify()
└─ No (old PHPass/MD5 hash) → Verify with PHPass
        → Rehash with Argon2i
        → Update database
```

The plugin works out-of-the-box with secure defaults. To customize Argon2i parameters:
```php
// The values shown are PHP's built-in defaults:
// memory_cost 65536 KiB (64 MiB), time_cost 4 passes, threads 1.
// Raise memory_cost/time_cost until a hash takes as long as your
// login path can afford; password_needs_rehash() then upgrades
// existing hashes on the next successful login.
add_filter('wp_hash_password_options', function() {
    return [
        'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST,
        'time_cost'   => PASSWORD_ARGON2_DEFAULT_TIME_COST,
        'threads'     => PASSWORD_ARGON2_DEFAULT_THREADS,
    ];
});
```

| Aspect | MD5 (WordPress default) | Argon2i (This plugin) |
|---|---|---|
| Algorithm age | 1992 (33 years old) | 2015 (10 years old, current best practice) |
| Cracking speed | Very fast | Slow (memory-hard) |
| GPU resistance | ❌ Weak | ✅ Strong |
| Rainbow tables | ❌ Vulnerable (mitigated only by the PHPass salt) | ✅ Resistant |
| OWASP recommended | ❌ No | ✅ Yes (OWASP's first choice is the Argon2id variant; Argon2i is the data-independent variant used here) |
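The hash, verify and rehash-on-login flow above in working PHP, as an added example that is not the plugin's own code. It uses only PHP's native password_* API. The site secret constant, the function names, the `$P$` prefix test for legacy hashes and the `$legacyVerify` closure standing in for PHPass's CheckPassword() are assumptions made for this demo, not details taken from the plugin.

```php
<?php
// Added example, not the plugin's own code: a stand-alone model of the
// hash -> verify -> rehash flow, using only PHP's native password_* API.
declare(strict_types=1);

// Constructed stand-in for a wp-config.php secret (e.g. AUTH_SALT).
// In a real deployment this comes from the config file, never from source.
const EXAMPLE_SITE_SECRET = 'constructed-example-secret-not-for-production';

/** Pepper step: HMAC-SHA-512 keyed with the site secret (128 hex chars). */
function pepper_password(string $password, string $secret): string
{
    return hash_hmac('sha512', $password, $secret);
}

/** Argon2i cost parameters; PHP's defaults are 64 MiB, 4 passes, 1 thread. */
function argon2_options(): array
{
    return [
        'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST,
        'time_cost'   => PASSWORD_ARGON2_DEFAULT_TIME_COST,
        'threads'     => PASSWORD_ARGON2_DEFAULT_THREADS,
    ];
}

/** Fail loudly if this PHP build cannot produce Argon2 hashes. */
function assert_argon2_available(): void
{
    if (!in_array('argon2i', password_algos(), true)) {
        throw new RuntimeException(
            'password_hash() has no Argon2 support: build PHP with libargon2 or enable ext/sodium (PHP >= 7.4)'
        );
    }
}

function hash_password(string $password, string $secret): string
{
    assert_argon2_available();
    return password_hash(pepper_password($password, $secret), PASSWORD_ARGON2I, argon2_options());
}

/** WordPress's PHPass "portable" hashes start with "$P$" (assumed prefix test). */
function is_legacy_phpass_hash(string $stored): bool
{
    return strncmp($stored, '$P$', 3) === 0;
}

/**
 * Returns [bool $ok, ?string $replacementHash].
 * A non-null replacement means the caller should store it (the
 * "rehash on login" step). It is produced both for legacy PHPass hashes
 * and for Argon2i hashes made with weaker parameters than the current ones.
 * $legacyVerify stands in for PHPass's CheckPassword().
 */
function verify_and_maybe_rehash(
    string $password,
    string $stored,
    string $secret,
    callable $legacyVerify
): array {
    if (is_legacy_phpass_hash($stored)) {
        if (!$legacyVerify($password, $stored)) {
            return [false, null];
        }
        return [true, hash_password($password, $secret)];
    }

    if (!password_verify(pepper_password($password, $secret), $stored)) {
        return [false, null];
    }

    $needs = password_needs_rehash($stored, PASSWORD_ARGON2I, argon2_options());
    return [true, $needs ? hash_password($password, $secret) : null];
}

// --- Demo with constructed data -------------------------------------------
// Stand-in for PHPass: real "$P$" hashes are salted and iterated 8192 times;
// this closure only mimics the CheckPassword() interface for the demo.
$legacyVerify = static fn(string $pw, string $h): bool =>
    hash_equals($h, '$P$demo' . md5('demo' . $pw));

// New account: hash is stored as "$argon2i$...".
$stored = hash_password('correct horse battery staple', EXAMPLE_SITE_SECRET);
var_dump(strncmp($stored, '$argon2i$', 9) === 0);

// Wrong password: must fail and must not produce a rehash.
[$ok, $new] = verify_and_maybe_rehash('wrong', $stored, EXAMPLE_SITE_SECRET, $legacyVerify);
var_dump($ok, $new);

// Right password on an up-to-date Argon2i hash: succeeds, nothing to rehash.
[$ok, $new] = verify_and_maybe_rehash('correct horse battery staple', $stored, EXAMPLE_SITE_SECRET, $legacyVerify);
var_dump($ok, $new);

// Right password on a legacy hash: succeeds and hands back an Argon2i
// replacement the caller must write to the database.
$legacyStored = '$P$demo' . md5('demo' . 'hunter2');
[$ok, $new] = verify_and_maybe_rehash('hunter2', $legacyStored, EXAMPLE_SITE_SECRET, $legacyVerify);
var_dump($ok, $new !== null && strncmp($new, '$argon2i$', 9) === 0);
```

Two design points worth noting: the HMAC output is hex, so unlike bcrypt's 72-byte limit there is no truncation concern when feeding it to Argon2; and because password_needs_rehash() compares the stored hash's embedded parameters against the current options, raising memory_cost or time_cost later upgrades every user transparently on their next login, exactly as the legacy migration does.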
- PHP: 7.4, or 8.1 and later (PHP 8 recommended)
- WordPress: 5.2+
- PHP extensions: sodium (bundled with PHP since 7.2). Argon2 support in password_hash() comes either from a PHP build with libargon2 or, since PHP 7.4, from the sodium extension; confirm with password_algos() before deploying. No additional extensions needed.
This package maintains high code quality standards:

```bash
# Static Analysis
composer phpstan          # PHPStan max level
composer psalm            # Psalm strict mode
# Code Style
composer cs-check         # Check PSR-12 compliance
composer cs-fix           # Auto-fix code style
# Baseline Management
composer update-baseline  # Update analysis baselines
```

- Static Analysis: PHPStan (max level), Psalm
- Code Style: PHP CS Fixer with custom rules (jazzman/php-cs-fixer-rules)
- Security Auditing: Roave Security Advisories
- Type Safety: WordPress stubs for IDE support
- Type: wordpress-muplugin (auto-installs to mu-plugins)
- License: MIT
- Optimizations: APCu autoloader, optimized autoloader, authoritative classmap
Q: Will this break my existing WordPress site?
A: No. The plugin is backward compatible. Old passwords work during the transition period and are automatically upgraded on user login.
Q: What happens if I remove the plugin?
A: Users whose passwords have already been rehashed will not be able to log in, because core's PHPass-only wp_check_password() does not recognise $argon2i$ hashes; they would need a password reset. Recommendation: keep the plugin installed once deployed. You can track how far migration has progressed by counting user_pass values that still begin with $P$.
Q: Does this work with multisite?
A: Yes. Must-use plugins load on every site of a network, so installing it in mu-plugins is network-wide by definition.
Q: Performance impact?
A: Minimal. Argon2i is slightly slower than MD5, but this is intentional (security vs. speed trade-off). Typical impact: <100ms per authentication.
Q: Can I migrate back to MD5?
A: Technically possible but strongly discouraged for security reasons. Once passwords are hashed with Argon2i, they should stay that way.
Real-world impact:
- WordPress powers 43% of the web
- Over 455 million websites use WordPress
- The default PHPass/MD5 hashing makes a leaked users table far cheaper to crack than it should be
- This plugin provides memory-hard password hashing with zero effort
Memory-hard password hashing such as Argon2 is recommended by:
- ✅ OWASP (Password Storage Cheat Sheet)
- ✅ NIST (SP 800-63B calls for memory-hard functions for stored passwords)
- ✅ PHP's own password_hash() documentation
Part of the jazzman WordPress ecosystem:
- jazzman/wp-performance - Performance & security optimizations
- jazzman/wp-object-cache - PSR-16 object caching
- jazzman/wp-nav-menu-cache - Navigation menu caching
MIT License - see LICENSE file for details.
Vasyl Sokolyk
Found a bug? Have a feature request? Open an issue on GitHub.
Security vulnerabilities: Please email [email protected] directly rather than opening a public issue.
⭐ If this plugin improved your WordPress security, please star the repo!