WordPress Password Explore
When a user logs in, the password is checked by wp_authenticate in wp-includes/pluggable.php:
function wp_authenticate($username, $password)
(This is a pluggable function, so we can write our own function to replace the default authentication process, and then no one can get our true password from the encoded string. I have changed all my customers' authenticate functions to protect their passwords.)
This function invokes the wp_check_password pluggable function, which checks the plaintext password against the stored hash:
function wp_check_password($password, $hash, $user_id = '')
The password check process is more complex than in other CMSs such as Joomla. First we need to get the salt from the hash.
WordPress uses phpass (Portable PHP password hashing framework) to protect users' passwords.
The first 3 characters of every hash are the same: "$P$". For example, this hash: "$P$BS/qZzXlXEFFi3bbLiNCkW4VE4tgIY0".
The 4th character "B" is the count_log, which means md5 will run "1 << 23" times, that is 8192 times, oh my god. "C" means "1 << 24" times, "D" means "1 << 25" times…
The salt is the 8 characters starting from the 5th character. In our example it is "S/qZzXlX".
After running md5 over salt+password that many times, the result is encoded using another function…
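As an added example (not code from this post, from WordPress or from phpass), here is a Python port of the check that wp_check_password runs for "$P$" hashes: it reads the round count from the 4th character's index in phpass's own alphabet (for "B" that index is 13, so 1 << 13 = 8192 rounds), takes the 8-character salt, replays the md5 loop and re-encodes the digest with phpass's private base64. The hash_password helper and its default of 13 are included to show where the "B" comes from; the function names are mine.

```python
import hashlib
import hmac
import os
# phpass alphabet: a character's index here is its 6-bit value ('B' is 13 -> 1 << 13 rounds)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_setting(stored):
    """Split a $P$ hash into (count_log2, round count, 8-character salt)."""
    if stored[:3] not in ("$P$", "$H$"): raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30: raise ValueError("round count out of range")  # phpass bounds
    salt = stored[4:12]
    if len(salt) != 8: raise ValueError("truncated salt")
    return count_log2, 1 << count_log2, salt

def encode64(raw, count):
    """phpass' private base64 variant (not RFC 4648), ported from the PHP."""
    out, i = [], 0
    while i < count:
        value = raw[i]; i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count: value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count: break
        i += 1
        if i < count: value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count: break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def crypt_private(password, setting):
    """Recompute the hash: md5(salt+pw), then `count` rounds of md5(h+pw)."""
    _, count, salt = parse_setting(setting)
    pw = password.encode("utf-8")
    h = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(count):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h, 16)  # 12-char setting + 22-char digest

def check_password(password, stored):  # what wp_check_password does for $P$ hashes
    return hmac.compare_digest(crypt_private(password, stored), stored)

def hash_password(password, count_log2=13, salt_bytes=None):
    # count_log2 13 ('B') is what WordPress's PasswordHash(8, true) produces
    setting = "$P$" + ITOA64[count_log2] + encode64(salt_bytes or os.urandom(6), 6)
    return crypt_private(password, setting)
```

Run against the hash quoted above, parse_setting returns (13, 8192, "S/qZzXlX"); the 8192 rounds are what make each dictionary guess cost, which is the only thing slowing down the offline attack described next.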
But no matter how complex the hash calculation is, an attacker can simply copy this code and run a dictionary attack. So we should change the WordPress authentication process on our own site, and it is easy to switch to a different process.