Understanding How Passwords are Stored in WordPress

Jul 7, 2023 | Passwords, WordPress Security

Passwords serve as the first line of defense against unauthorized access to your website. As one of the most popular content management systems (CMS) in the world, WordPress takes the security of user passwords seriously.

In this article, we will delve into the inner workings of password storage in WordPress, exploring the mechanisms implemented to ensure the protection of user credentials.

Hashing and Salting

When a user creates an account on a WordPress site, their password is not stored in plain text. Instead, WordPress utilizes a process known as hashing to convert the password into an irreversible string of characters. Hashing algorithms, such as MD5, SHA-1, and bcrypt, are employed to perform this conversion.

What is Hashing?

Hashing is a process of converting data into a fixed-length string of characters, known as a hash value or hash code. The hashing algorithm takes the input (in this case, the user’s password) and performs complex mathematical calculations to generate the hash.

The key characteristics of a hashing algorithm are:

  1. Deterministic: For the same input, the hashing algorithm will always produce the same hash value. This property allows verification of password correctness during login.
  2. One-way: Hashing is a one-way function, meaning it is computationally infeasible to reverse-engineer the original input from the hash value. This ensures that the original password remains unknown even if the hash is intercepted.
  3. Fixed-length output: Regardless of the length of the input, a hashing algorithm produces a fixed-length hash value. This uniformity allows storage of hash values in a consistent manner.
  4. Unique output: Even a small change in the input results in a significantly different hash value. This property ensures that even similar passwords produce distinct hash values, preventing attackers from identifying patterns.

Commonly used hashing algorithms include MD5, SHA-1, SHA-256, bcrypt, and Argon2. It’s worth noting that MD5 and SHA-1 are considered weak and vulnerable to attacks, so modern systems like WordPress have shifted to stronger algorithms like bcrypt and Argon2.

Types of Hashing Algorithms

MD5 (Message Digest Algorithm 5)

MD5 (Message Digest Algorithm 5) is a widely-used cryptographic hash function that takes an input (such as a message or data) and produces a 128-bit hash value. It was developed by Ronald Rivest in 1991 and has since become one of the most well-known hash functions.

However, it is important to note that MD5 is now considered to be weak and vulnerable to various attacks, and its usage for security-sensitive applications is strongly discouraged.

MD5 has known collision vulnerabilities, where two different inputs can produce the same hash value, making it unsuitable for password storage or cryptographic purposes. It is primarily used today for non-cryptographic purposes, such as checksums for data integrity verification or as a checksum in file systems.

SHA-1 (Secure Hash Algorithm 1)

SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function developed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST) in 1995. It generates a 160-bit hash value from an input message or data.

SHA-1 was widely used for various security applications, including digital signatures and certificate authorities, as well as in protocols such as SSL and TLS. However, it has been found to be vulnerable to collision attacks, where different inputs can produce the same hash value.

Consequently, SHA-1 is considered to be weak and insecure for cryptographic purposes. As a result, organizations and security experts have transitioned to more secure hash functions, such as SHA-256 and SHA-3, which offer stronger resistance against attacks and are recommended for secure applications.

SHA-256 (Secure Hash Algorithm 256-bit)

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function belonging to the SHA-2 (Secure Hash Algorithm 2) family. It is an evolution of the earlier SHA-1 algorithm and offers a higher level of security.

SHA-256 generates a 256-bit hash value, making it more resistant to collisions and cryptographic attacks compared to its predecessor. It operates by taking an input message and processing it through a series of mathematical operations to produce the fixed-length hash value.

SHA-256 is widely used in various security applications, including digital signatures, password storage, blockchain technology, and data integrity verification. Its robustness and widespread adoption make it a popular choice for ensuring data integrity and security in modern cryptographic systems.


Bcrypt

Bcrypt is a widely-used adaptive hashing algorithm known for its resistance to brute-force attacks. It incorporates a cost factor, which determines the computational time required to hash a password. By increasing the cost factor, WordPress can slow down the hashing process and enhance security.


Argon2

Introduced in PHP 7.2, Argon2 is a memory-hard hashing algorithm designed to deter both offline and online attacks. It utilizes a significant amount of memory, making it highly resistant to GPU-based attacks and requiring significant computational resources.

And what is salting?

Additionally, WordPress employs the concept of “salting” to enhance the security of passwords. In the context of hashing passwords, salting involves adding a random and unique value (called a salt) to each user’s password before it undergoes the hashing process. The salt is typically a long string of characters generated using a cryptographically secure random number generator. This salt value is then stored alongside the hashed password in the database.

The primary purpose of salting is to add complexity and uniqueness to each password, even if multiple users have the same password. By appending a salt to the password before hashing, the resulting hash value becomes distinct for each user. This makes it significantly more difficult for attackers to use precomputed tables or rainbow tables to crack passwords since they would need to generate separate tables for every possible salt value.

Salting provides an additional layer of defense against attacks like brute-force and dictionary attacks. It makes it computationally expensive and time-consuming for attackers to crack passwords, as they need to go through the process of hashing each possible password attempt with the corresponding salt value. Salting is considered a best practice in password security and is widely implemented in modern systems to safeguard user credentials.

How Does Salting Work in WordPress?

WordPress specifically stores the SALT KEYS, sometimes also referred to as SECURITY KEYS, in the file wp-config.php. Below is an example of how they are declared within that file:

define('AUTH_KEY',         'Q*()Ip-/3[*uvP$/<sH<wzXsDhx+8w%U|(-e.d/Q,d3aE0?[W{dwb?g2+l-*xcd<');
define('SECURE_AUTH_KEY',  '9pRVGKS;DQ|NL.DWh3,Hw{_@Tb7!5 p*sc1kByDSkJ@ar&y`Y  zYAv?|rHiVtP_');
define('LOGGED_IN_KEY',    'T%lcJ}t(Z}B+OWFD?W1m U/.mWQO/WiVjTH9t`5?[5gjB]KM!=jE=M)=Q`xGl-wL');
define('NONCE_KEY',        'ywgw*4hXZoRpUiM6`GkR7EGZUdCc~Z;b+h{W`LT5ci@&T}1*2)&q]vzc;wuI? m)');
define('AUTH_SALT',        ']-JH)g~ZBU]o!c|)>r%tk )?,Zxok>77 xmRBL-Gtk?X9VeN3CM]-?Ep[*;rC!hh');
define('SECURE_AUTH_SALT', 'is_#wZlB7.e!22dO$~CdkxLKk*0m551{|>D>T:><>EK#-*R|5[ms O<(Kg;|/_Cy');
define('LOGGED_IN_SALT',   'V;1+6j?LYpLDdLMYIAfIt]L<c^l0&},!|T(u>0 a*kp2LL`_5:0&SeY;[~-4=9IM');
define('NONCE_SALT',       'x5U16%{TQ+bP=+#]lv-|2jfJ4mS~o 5JUbM8%QNGtRQMmi!lC?OJU4j;)zEy&`rc');

You can review WordPress Documentation regarding Security Keys for more information.

WordPress has an API that is used whenever there is a new installation of WordPress; it generates random SALT KEYS each time it is called. The URL is the following:


This API is also used by WP-CLI when you run the command wp config shuffle-salts: it calls that URL, requests new values for each SALT, and then replaces the existing values within the wp-config.php file.

$ wp config shuffle-salts
Success: Shuffled the salt keys.
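The rotation described above can be reproduced offline. The following Python sketch is an added example, not WP-CLI or WordPress code: it audits the eight define() lines for weak values and rewrites them with fresh random ones. The function names, the character set and the sample config are assumptions constructed for illustration.

```python
import re
import secrets

KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# Assumed character set: printable ASCII minus ' and \ so the value needs
# no escaping inside a single-quoted PHP string.
ALPHABET = [chr(c) for c in range(33, 127) if chr(c) not in "'\\"]
PLACEHOLDER = "put your unique phrase here"  # default text in wp-config-sample.php
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)\s*;")

# Constructed sample: a config that still carries the placeholder values.
SAMPLE = "<?php\n" + "".join(
    f"define( '{n}', '{PLACEHOLDER}' );\n" for n in KEY_NAMES
) + "define( 'DB_NAME', 'wordpress' );\n"


def read_keys(config_text: str) -> dict:
    """Map each security key name found in the file to its current value."""
    return {n: v for n, v in DEFINE_RE.findall(config_text) if n in KEY_NAMES}


def weak_keys(config_text: str) -> list:
    """Names that are missing, left at the placeholder, short, or reused."""
    found = read_keys(config_text)
    values = list(found.values())
    return [n for n in KEY_NAMES
            if n not in found or found[n] == PLACEHOLDER
            or len(found[n]) < 64 or values.count(found[n]) > 1]


def shuffle_salts(config_text: str) -> str:
    """Replace every security key value with 64 fresh CSPRNG characters."""
    def fresh(match):
        if match.group(1) not in KEY_NAMES:
            return match.group(0)  # leave unrelated define() lines untouched
        value = "".join(secrets.choice(ALPHABET) for _ in range(64))
        return f"define('{match.group(1)}', '{value}');"
    return DEFINE_RE.sub(fresh, config_text)


if __name__ == "__main__":
    print("weak before:", weak_keys(SAMPLE))
    print("weak after: ", weak_keys(shuffle_salts(SAMPLE)))
```

Replacing these values invalidates existing login cookies, so every logged-in user has to sign in again after a rotation.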

Password Verification

When a user attempts to log in, WordPress retrieves the stored hashed password from the database and applies the same hashing algorithm and salt to the entered password. It then compares the newly generated hash with the stored hash. If they match, the user is granted access; otherwise, access is denied.
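As an added illustration (not WordPress's own code), the Python sketch below walks through the salt, hash, store and verify steps described above. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt or Argon2; the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # cost factor: higher means slower guessing (assumed value)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt$hash' for storage next to the user."""
    salt = secrets.token_bytes(16)  # unique per user, from a CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and cost, then compare."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: deny rather than crash
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was created with a lower cost than current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < iterations


if __name__ == "__main__":
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice != bob)  # same password, different salts, different records
    print(verify_password("correct horse battery staple", alice))
    print(verify_password("wrong guess", alice))
```

Storing the cost alongside the salt lets a site raise the cost later and re-hash each password at that user's next successful login.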

Additional Security Measures

WordPress employs several other security measures to safeguard passwords and user accounts. These include:


  • Communication between the browser and the server is encrypted using SSL/TLS protocols, ensuring that passwords transmitted during login are secure.

Two-Factor Authentication (2FA)

Password Complexity Requirements

  • WordPress allows administrators to enforce strong password policies, requiring users to create passwords with a mix of uppercase and lowercase letters, numbers, and special characters.
  • You can review our guide on increasing the complexity of your users’ passwords: Enhancing Your Strategy with Password Policy Manager


WordPress takes password security seriously, employing robust hashing algorithms, salting techniques, and additional security measures to protect user credentials. By utilizing these mechanisms and continuously staying up to date with evolving security practices, WordPress strives to ensure the safety of its users’ passwords and maintain the integrity of their websites. As a website owner, it is crucial to understand these measures and adopt best practices to safeguard your users’ accounts.
