WordPress.org
Get WordPress
WordPress.org

WordPress Developer Resources

wp_password_needs_rehash()

wp_password_needs_rehash( string $hash, string|int $user_id = '' ): bool

In this article

Back to top

Checks whether a password hash needs to be rehashed.

Description

Passwords are hashed with bcrypt using the default cost. A password hashed in a prior version of WordPress may still be hashed with phpass and will need to be rehashed. If the default cost or algorithm is changed in PHP or WordPress then a password hashed in a previous version will need to be rehashed.

Note that, just like wp_check_password() , this function may be used to check a value that is not a user password. A plugin may use this function to check a password of a different type, and there may not always be a user ID associated with the password.

Parameters

$hashstringrequired
Hash of a password to check.
$user_idstring|intoptional
ID of a user associated with the password.

Default:''

Return

bool Whether the hash needs to be rehashed.

Source

function wp_password_needs_rehash( $hash, $user_id = '' ) {	global $wp_hasher;	if ( ! empty( $wp_hasher ) ) {	return false;	}	/** This filter is documented in wp-includes/pluggable.php */	$algorithm = apply_filters( 'wp_hash_password_algorithm', PASSWORD_BCRYPT );	/** This filter is documented in wp-includes/pluggable.php */	$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );	$prefixed = str_starts_with( $hash, '$wp' );	if ( ( PASSWORD_BCRYPT === $algorithm ) && ! $prefixed ) {	// If bcrypt is in use and the hash is not prefixed then it needs to be rehashed.	$needs_rehash = true;	} else {	// Otherwise check the hash minus its prefix if necessary.	$hash_to_check = $prefixed ? substr( $hash, 3 ) : $hash;	$needs_rehash = password_needs_rehash( $hash_to_check, $algorithm, $options );	}	/** * Filters whether the password hash needs to be rehashed. * * @since 6.8.0 * * @param bool $needs_rehash Whether the password hash needs to be rehashed. * @param string $hash The password hash. * @param string|int $user_id Optional. ID of a user associated with the password. */	return apply_filters( 'password_needs_rehash', $needs_rehash, $hash, $user_id ); }

View all references View on Trac View on GitHub

Hooks

apply_filters( ‘password_needs_rehash’, bool $needs_rehash, string $hash, string|int $user_id )

Filters whether the password hash needs to be rehashed.

apply_filters( ‘wp_hash_password_algorithm’, string $algorithm )

Filters the hashing algorithm to use in the password_hash() and password_needs_rehash() functions.

apply_filters( ‘wp_hash_password_options’, array $options, string $algorithm )

Filters the options passed to the password_hash() and password_needs_rehash() functions.

UsesDescription
apply_filters()wp-includes/plugin.php

Calls the callback functions that have been added to a filter hook.

Used byDescription
wp_authenticate_email_password()wp-includes/user.php

Authenticates a user using the email and password.

wp_authenticate_username_password()wp-includes/user.php

Authenticates a user, confirming the username and password are valid.

Changelog

VersionDescription
6.8.0Introduced.

User Contributed Notes

You must log in before being able to contribute a note or feedback.