wpseek.com
A WordPress-centric search engine for devs and theme authors
wp_check_password › WordPress Function
Since: 2.5.0
Deprecated: n/a
wp_check_password ( $password, $hash, $user_id = '' )
Checks a plaintext password against a hashed password.
Note that this function may be used to check a value that is not a user password. A plugin may use this function to check a password of a different type, and there may not always be a user ID associated with the password. For integration with other applications, this function can be overwritten to use the other package's password hashing algorithm instead.

Related Functions: wp_set_password, wp_hash_password, wp_get_password_hint, wp_generate_password, check_password_reset_key
Source
if ( ! function_exists( 'wp_check_password' ) ) :
    function wp_check_password(
        #[\SensitiveParameter]
        $password,
        $hash,
        $user_id = ''
    ) {
        global $wp_hasher;

        $check = false;

        // If the hash is still md5 or otherwise truncated then invalidate it.
        if ( strlen( $hash ) <= 32 ) {
            /**
             * Filters whether the plaintext password matches the hashed password.
             *
             * @since 2.5.0
             * @since 6.8.0 Passwords are now hashed with bcrypt by default.
             *              Old passwords may still be hashed with phpass.
             *
             * @param bool       $check    Whether the passwords match.
             * @param string     $password The plaintext password.
             * @param string     $hash     The hashed password.
             * @param string|int $user_id  Optional ID of a user associated with the password.
             *                             Can be empty.
             */
            return apply_filters( 'check_password', $check, $password, $hash, $user_id );
        }

        if ( ! empty( $wp_hasher ) ) {
            // Check the password using the overridden hasher.
            $check = $wp_hasher->CheckPassword( $password, $hash );
        } elseif ( strlen( $password ) > 4096 ) {
            $check = false;
        } elseif ( str_starts_with( $hash, '$wp' ) ) {
            // Check the password using the current prefixed hash.
            $password_to_verify = base64_encode( hash_hmac( 'sha384', $password, 'wp-sha384', true ) );
            $check              = password_verify( $password_to_verify, substr( $hash, 3 ) );
        } elseif ( str_starts_with( $hash, '$P$' ) ) {
            // Check the password using phpass.
            require_once ABSPATH . WPINC . '/class-phpass.php';
            $check = ( new PasswordHash( 8, true ) )->CheckPassword( $password, $hash );
        } else {
            // Check the password using compat support for any non-prefixed hash.
            $check = password_verify( $password, $hash );
        }

        /** This filter is documented in wp-includes/pluggable.php */
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
endif;

if ( ! function_exists( 'wp_password_needs_rehash' ) ) :
    /**
     * Checks whether a password hash needs to be rehashed.
     *
     * Passwords are hashed with bcrypt using the default cost. A password hashed in a prior version
     * of WordPress may still be hashed with phpass and will need to be rehashed. If the default cost
     * or algorithm is changed in PHP or WordPress then a password hashed in a previous version will
     * need to be rehashed.
     *
     * Note that, just like wp_check_password(), this function may be used to check a value that is
     * not a user password. A plugin may use this function to check a password of a different type,
     * and there may not always be a user ID associated with the password.
     *
     * @since 6.8.0
     *
     * @global PasswordHash $wp_hasher phpass object.
     *
     * @param string     $hash    Hash of a password to check.
     * @param string|int $user_id Optional. ID of a user associated with the password.
     * @return bool Whether the hash needs to be rehashed.
     */
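
The script below is an added example, not WordPress code: it reproduces the hash-prefix dispatch and the '$wp' branch from the source above outside WordPress, and shows one effect of the HMAC-SHA384 pre-hash, namely that bcrypt's 72-byte input truncation no longer makes long passwords collide. The function names (classify_wp_hash, wp_prehash, make_wp_hash, verify_wp_prefixed) and the sample passwords are constructed for illustration; it assumes PHP 8.0 or later and no $wp_hasher override.

```php
<?php
// Added example, not WordPress code. Requires PHP 8.0+ (str_starts_with).
// Function names and sample passwords are constructed for illustration.

/** Names the branch the source above takes for a stored hash (no $wp_hasher set). */
function classify_wp_hash( string $hash ): string {
    if ( strlen( $hash ) <= 32 ) {
        return 'not verified: md5 or truncated';
    }
    if ( str_starts_with( $hash, '$wp' ) ) {
        return 'bcrypt over HMAC-SHA384 pre-hash';
    }
    if ( str_starts_with( $hash, '$P$' ) ) {
        return 'phpass';
    }
    return 'password_verify() on the raw password';
}

/** Pre-hash from the '$wp' branch: 48 raw bytes, base64-encoded to 64 characters. */
function wp_prehash( string $password ): string {
    return base64_encode( hash_hmac( 'sha384', $password, 'wp-sha384', true ) );
}

/** Builds a hash in the shape the '$wp' branch verifies (constructed helper). */
function make_wp_hash( string $password ): string {
    return '$wp' . password_hash( wp_prehash( $password ), PASSWORD_BCRYPT );
}

/** Mirrors the length guard and the '$wp' branch only. */
function verify_wp_prefixed( string $password, string $hash ): bool {
    if ( strlen( $password ) > 4096 || ! str_starts_with( $hash, '$wp' ) ) {
        return false;
    }
    return password_verify( wp_prehash( $password ), substr( $hash, 3 ) );
}

// Constructed inputs: two 80-byte passwords that differ only after byte 72.
$a = str_repeat( 'x', 72 ) . 'AAAAAAAA';
$b = str_repeat( 'x', 72 ) . 'BBBBBBBB';

// Raw bcrypt truncates at 72 bytes, so $b is accepted for $a's hash.
var_dump( password_verify( $b, password_hash( $a, PASSWORD_BCRYPT ) ) );

// Through the pre-hash the two stay distinct: $a verifies, $b does not.
$stored = make_wp_hash( $a );
var_dump( verify_wp_prefixed( $a, $stored ), verify_wp_prefixed( $b, $stored ) );

// Branch selection for the new hash and for a bare 32-character md5 digest.
var_dump( classify_wp_hash( $stored ), classify_wp_hash( md5( 'constructed' ) ) );
```

Running classify_wp_hash() over an export of stored password hashes gives a quick count of accounts that are still on phpass, or on md5-length hashes that this function will not verify without a check_password filter.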