Passwords serve as the first line of defense against unauthorized access to your website. As one of the most popular content management systems (CMS) in the world, WordPress takes the security of user passwords seriously.
In this article, we will delve into the inner workings of password storage in WordPress, exploring the mechanisms implemented to ensure the protection of user credentials.
Table of Contents
Hashing and Salting
When a user creates an account on a WordPress site, their password is not stored in plain text. Instead, WordPress utilizes a process known as hashing to convert the password into an irreversible string of characters. Hashing algorithms, such as MD5, SHA-1, and bcrypt, are employed to perform this conversion.
What is Hashing?
Hashing is a process of converting data into a fixed-length string of characters, known as a hash value or hash code. The hashing algorithm takes the input (in this case, the user’s password) and performs complex mathematical calculations to generate the hash.
The key characteristics of a hashing algorithm are:
- Deterministic: For the same input, the hashing algorithm will always produce the same hash value. This property allows verification of password correctness during login.
- One-way: Hashing is a one-way function, meaning it is computationally infeasible to reverse-engineer the original input from the hash value. This ensures that the original password remains unknown even if the hash is intercepted.
- Fixed-length output: Regardless of the length of the input, a hashing algorithm produces a fixed-length hash value. This uniformity allows storage of hash values in a consistent manner.
- Unique output: Even a small change in the input results in a significantly different hash value. This property ensures that even similar passwords produce distinct hash values, preventing attackers from identifying patterns.
Commonly used hashing algorithms include MD5, SHA-1, SHA-256, bcrypt, and Argon2. It’s worth noting that MD5 and SHA-1 are considered weak and vulnerable to attacks, so modern systems like WordPress have shifted to stronger algorithms like bcrypt and Argon2.
Types of Hashing Algorithms
MD5 (Message Digest Algorithm 5)
MD5 (Message Digest Algorithm 5) is a widely-used cryptographic hash function that takes an input (such as a message or data) and produces a 128-bit hash value. It was developed by Ronald Rivest in 1991 and has since become one of the most well-known hash functions.
However, it is important to note that MD5 is now considered to be weak and vulnerable to various attacks, and its usage for security-sensitive applications is strongly discouraged.
MD5 has known collision vulnerabilities, where two different inputs can produce the same hash value, making it unsuitable for password storage or cryptographic purposes. It is primarily used today for non-cryptographic purposes, such as checksums for data integrity verification or as a checksum in file systems.
SHA-1 (Secure Hash Algorithm 1)
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function developed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST) in 1995. It generates a 160-bit hash value from an input message or data.
SHA-1 was widely used for various security applications, including digital signatures and certificate authorities, as well as in protocols such as SSL and TLS. However, it has been found to be vulnerable to collision attacks, where different inputs can produce the same hash value.
Consequently, SHA-1 is considered to be weak and insecure for cryptographic purposes. As a result, organizations and security experts have transitioned to more secure hash functions, such as SHA-256 and SHA-3, which offer stronger resistance against attacks and are recommended for secure applications.
SHA-256 (Secure Hash Algorithm 256-bit)
SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function belonging to the SHA-2 (Secure Hash Algorithm 2) family. It is an evolution of the earlier SHA-1 algorithm and offers a higher level of security.
SHA-256 generates a 256-bit hash value, making it more resistant to collisions and cryptographic attacks compared to its predecessor. It operates by taking an input message and processing it through a series of mathematical operations to produce the fixed-length hash value.
SHA-256 is widely used in various security applications, including digital signatures, password storage, blockchain technology, and data integrity verification. Its robustness and widespread adoption make it a popular choice for ensuring data integrity and security in modern cryptographic systems.
Bcrypt
Bcrypt is a widely-used adaptive hashing algorithm known for its resistance to brute-force attacks. It incorporates a cost factor, which determines the computational time required to hash a password. By increasing the cost factor, WordPress can slow down the hashing process and enhance security.
Argon2
Introduced in PHP 7.2, Argon2 is a memory-hard hashing algorithm designed to deter both offline and online attacks. It utilizes a significant amount of memory, making it highly resistant to GPU-based attacks and requiring significant computational resources.
And what is salting?
Additionally, WordPress employs the concept of “salting” to enhance the security of passwords. In the context of hashing passwords, salting involves adding a random and unique value (called a salt) to each user’s password before it undergoes the hashing process. The salt is typically a long string of characters generated using a cryptographically secure random number generator. This salt value is then stored alongside the hashed password in the database.
The primary purpose of salting is to add complexity and uniqueness to each password, even if multiple users have the same password. By appending a salt to the password before hashing, the resulting hash value becomes distinct for each user. This makes it significantly more difficult for attackers to use precomputed tables or rainbow tables to crack passwords since they would need to generate separate tables for every possible salt value.
Salting provides an additional layer of defense against attacks like brute-force and dictionary attacks. It makes it computationally expensive and time-consuming for attackers to crack passwords, as they need to go through the process of hashing each possible password attempt with the corresponding salt value. Salting is considered a best practice in password security and is widely implemented in modern systems to safeguard user credentials.
How Salting works in WordPress?
WordPress in specific, stores the SALT KEYS or sometimes also referred as SECURITY KEYS in the file wp-config.php. Below an example of how they are declared within such file:
define('AUTH_KEY', 'Q*()Ip-/3[*uvP$/<sH<wzXsDhx+8w%U|(-e.d/Q,d3aE0?[W{dwb?g2+l-*xcd<');
define('SECURE_AUTH_KEY', '9pRVGKS;DQ|NL.DWh3,Hw{_@Tb7!5 p*sc1kByDSkJ@ar&y`Y zYAv?|rHiVtP_');
define('LOGGED_IN_KEY', 'T%lcJ}t(Z}B+OWFD?W1m U/.mWQO/WiVjTH9t`5?[5gjB]KM!=jE=M)=Q`xGl-wL');
define('NONCE_KEY', 'ywgw*4hXZoRpUiM6`GkR7EGZUdCc~Z;b+h{W`LT5ci@&T}1*2)&q]vzc;wuI? m)');
define('AUTH_SALT', ']-JH)g~ZBU]o!c|)>r%tk )?,Zxok>77 xmRBL-Gtk?X9VeN3CM]-?Ep[*;rC!hh');
define('SECURE_AUTH_SALT', 'is_#wZlB7.e!22dO$~CdkxLKk*0m551{|>D>T:><>EK#-*R|5[ms O<(Kg;|/_Cy');
define('LOGGED_IN_SALT', 'V;1+6j?LYpLDdLMYIAfIt]L<c^l0&},!|T(u>0 a*kp2LL`_5:0&SeY;[~-4=9IM');
define('NONCE_SALT', 'x5U16%{TQ+bP=+#]lv-|2jfJ4mS~o 5JUbM8%QNGtRQMmi!lC?OJU4j;)zEy&`rc');You can review WordPress Documentation regarding Security Keys for more information.
WordPress has an API that is used whenever there is a new installation of WordPress, this API generates random SALT KEYS each time is called. The URL is the following:
https://api.wordpress.org/secret-key/1.1/salt/This API is also used by WP-CLI when you use the command wp config shuffle-salts, it calls that URL and request new values for each SALT and then replaces the existing values within the wp-config.php file.
$ wp config shuffle-salts
Success: Shuffled the salt keys.Password Verification
When a user attempts to log in, WordPress retrieves the stored hashed password from the database and applies the same hashing algorithm and salt to the entered password. It then compares the newly generated hash with the stored hash. If they match, the user is granted access; otherwise, access is denied.
Additional Security Measures
WordPress employs several other security measures to safeguard passwords and user accounts. These include:
Encryption:
- Communication between the browser and the server is encrypted using SSL/TLS protocols, ensuring that passwords transmitted during login are secure.
Two-Factor Authentication (2FA)
- WordPress offers various plugins that enable 2FA, adding an extra layer of security by requiring users to provide a second form of authentication, such as a unique code or biometric data.
- You can review our guide to help you implement 2FA: Using the Google Authenticator App for WordPress 2FA: A Step-by-Step Guide
Password Complexity Requirements
- WordPress allows administrators to enforce strong password policies, requiring users to create passwords with a mix of uppercase and lowercase letters, numbers, and special characters.
- You can review our guide on increasing the complexity of your User’s Passwords: Enhancing Your Strategy with Password Policy Manager
Conclusion
WordPress takes password security seriously, employing robust hashing algorithms, salting techniques, and additional security measures to protect user credentials. By utilizing these mechanisms and continuously staying up to date with evolving security practices, WordPress strives to ensure the safety of its users’ passwords and maintain the integrity of their websites. As a website owner, it is crucial to understand these measures and adopt best practices to safeguard your users’ accounts.
