WordPress Password Hash Generator
Generate hashes for every WordPress version — bcrypt (6.8+), phpass (4.4–6.7), and MD5 (2.5–4.3). All processing runs in your browser.
Generate Hashes
Verify Hash
Works with all three hash formats — bcrypt ($2y$), phpass ($P$), and plain MD5 (32 hex chars).
WordPress Hash Format by Version
| Version range | Algorithm | Hash prefix / format | Security |
|---|---|---|---|
| 6.8 or newer | bcrypt (cost 10) | $2y$10$… | Strong |
| 4.4 – 6.7 | phpass / MD5 × 8 192 | $P$B… | Moderate |
| 2.5 – 4.3 | Plain MD5 | 32 hex chars | Weak — upgrade now |
About WordPress Password Hashing
WordPress 2.5 – 4.3 stored passwords as a plain, unsalted MD5 hex digest — a 32-character string. MD5 without a salt is trivially cracked with rainbow tables, so these hashes are considered insecure.
WordPress 4.4 – 6.7 upgraded to phpass: MD5 is applied 8 192 times with a random 8-character salt, and the result is encoded in a custom base-64 alphabet, giving a hash that starts with $P$B. This resists rainbow-table attacks but is still cheaper to brute-force on dedicated hardware than bcrypt.
WordPress 6.8+ defaults to bcrypt (cost 10), the same adaptive algorithm used by modern frameworks. Bcrypt is specifically designed to be slow on GPUs, making brute-force attacks orders of magnitude harder than phpass.
WordPress is backward-compatible: a 6.8 site can still verify old phpass and MD5 hashes left in the database, upgrading them automatically on next login.
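The phpass format described above (salted MD5 stretched 8 192 times, custom base-64 alphabet, $P$B prefix) can be reproduced in a few lines. This is an added example, not this tool's or WordPress's own code; it assumes Node.js with its built-in crypto module, and the function names are hypothetical.

```javascript
// Added example (Node.js): phpass "portable" hashing and verification.
const crypto = require('node:crypto');

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const md5 = (...parts) => crypto.createHash('md5').update(Buffer.concat(parts)).digest();

// phpass packs up to 3 bytes little-endian into 6-bit characters; this is not RFC 4648 base64.
function encode64(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const n = Math.min(3, bytes.length - i);
    let v = 0;
    for (let j = 0; j < n; j++) v |= bytes[i + j] << (8 * j);
    for (let j = 0; j <= n; j++) out += ITOA64[(v >> (6 * j)) & 0x3f];
  }
  return out;
}

// setting = "$P$" + cost character + 8-character salt, i.e. the first 12 characters
// of a stored hash. Returns the 34-character hash, or null for a malformed setting.
function phpassHash(password, setting) {
  const log2 = ITOA64.indexOf(setting[3]);
  const salt = setting.slice(4, 12);
  if (!setting.startsWith('$P$') || log2 < 7 || log2 > 30 || salt.length !== 8) return null;
  const pw = Buffer.from(password, 'utf8');
  let h = md5(Buffer.from(salt, 'latin1'), pw);        // initial salted digest
  for (let i = 0; i < 2 ** log2; i++) h = md5(h, pw);  // stretching rounds
  return setting.slice(0, 12) + encode64(h);
}

// 'B' is ITOA64[13], so 2^13 = 8192 rounds; 6 random bytes encode to an 8-character salt.
function newPhpassHash(password) {
  return phpassHash(password, '$P$B' + encode64(crypto.randomBytes(6)));
}

function verifyPhpass(password, stored) {
  // Reject anything that is not a well-formed 34-character phpass string before hashing.
  if (typeof stored !== 'string' || !/^\$P\$[./0-9A-Za-z]{31}$/.test(stored)) return false;
  const calc = phpassHash(password, stored);
  // Constant-time comparison: timing must not reveal how many characters matched.
  return calc !== null && crypto.timingSafeEqual(Buffer.from(calc), Buffer.from(stored));
}

const sample = newPhpassHash('correct horse'); // constructed sample password
console.log(sample, verifyPhpass('correct horse', sample), verifyPhpass('wrong', sample));
```

Because the cost character and salt are read back from the stored string, verification needs nothing but the hash and the candidate password.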
How to Use
- Enter a password and click Generate Hashes. All three format hashes appear instantly.
- Copy the correct hash for your WordPress version using the copy button on the right.
- Update the database: open phpMyAdmin (or any MySQL client), find your user in wp_users, and paste the hash into user_pass.
- Verify an existing hash in the Verify section — paste any supported hash format and the plain password to check if they match.
FAQ
Which hash should I use?
Always use the bcrypt hash ($2y$) if your WordPress is 6.8 or newer. For older sites, use the phpass hash ($P$B). Never use the plain MD5 on a live site.
Why is bcrypt generation slower than the others?
Bcrypt is intentionally slow — cost 10 means 2^10 = 1 024 internal rounds. This is by design: it makes brute-force attacks expensive for attackers, even on modern hardware.
Why does the phpass hash look different each time?
A fresh 8-character random salt is generated on every click. The salt is embedded inside the hash itself, so WordPress can always extract it during verification.
Is the bcrypt hash PHP-compatible?
Yes. PHP's password_hash() outputs $2y$ while the JavaScript library outputs $2b$. This tool outputs $2y$ to match PHP exactly — both prefixes are interchangeable for verification.
Is my password safe here?
All computation runs entirely in your browser using JavaScript. Nothing is sent to a server, and the page has no tracking or analytics.