Question 1

Does MD5 still work as a WordPress password in 2026?

Accepted Answer

Yes — WordPress's wp_check_password() function detects 32-character hex strings as legacy MD5 hashes and validates the typed password against the stored MD5. On a successful login it automatically rehashes the password to the current default (phpass for WP 2.5 – 6.7, bcrypt for WP 6.8+) and updates wp_users.user_pass. This back-compatibility has existed since WordPress 2.5 (2008) and remains in WP 6.x and 7.x. It's specifically useful for the 'I locked myself out, let me reset via the database' scenario: paste the MD5 of your new password into user_pass, log in, and WordPress upgrades the hash to the modern format on the next request. The MD5 only exists in the database between the time you paste it and the time you log in.

Question 2

What format does WordPress 6.8 use?

Accepted Answer

WordPress 6.8 (released April 2025) introduced bcrypt as the new default password hashing algorithm. The stored format is `$wp$2y$10$<22-char-salt><31-char-checksum>` — that's a bcrypt hash with the `$wp$` envelope prefix added to prevent collisions with non-WordPress bcrypt hashes elsewhere on the same server. The `2y` identifier inside is the standard bcrypt variant; the `10` is the cost factor. WordPress chose bcrypt with cost 10 because it's well-supported across PHP versions and provides ~100ms hashing time per login on typical hosting. Existing users on WordPress 6.8+ keep their phpass hashes until they next change their password or log in successfully — phpass continues to be accepted indefinitely for back-compat.

Question 3

What's the difference between phpass and bcrypt for WordPress?

Accepted Answer

Phpass (the Portable PHP password hashing framework) is what WordPress used from 2.5 through 6.7 — it runs 8192 iterations of MD5 with a salt, producing the `$P$B` format. Bcrypt (added in WP 6.8) is fundamentally stronger: it's based on the Blowfish cipher's expensive key setup rather than MD5, requires substantially more CPU per attempt, and resists GPU attacks far better. A single GPU can compute ~10 million phpass hashes per second but only ~30,000 bcrypt hashes per second at cost 10 — that's a ~330× security improvement. For new WordPress installs, bcrypt is the right default. For existing installs, the upgrade happens opportunistically on the next successful login per user.

Question 4

Which format should I paste into the database?

Accepted Answer

Any of the three will work. If you want maximum compatibility (the database might be restored to an older WordPress version), use phpass — it's accepted everywhere since 2.5. If you're on WP 6.8+ and want to match what WordPress would have written, use bcrypt ($wp$2y$). If you just want the simplest possible value and don't mind that it gets auto-upgraded on first login, use MD5. There's no security difference between the three at the point of database insert — they all let the same plaintext password log in. The bcrypt version stays bcrypt on next login (best long-term storage). The phpass version stays phpass on WP 6.7 and below, or auto-upgrades to bcrypt on WP 6.8+. The MD5 always auto-upgrades to whatever the current WP version uses.

Question 5

Where exactly do I paste the hash?

Accepted Answer

In your WordPress database, find the wp_users table (or your custom prefix if you changed it from wp_ during install). Each row is one user. Locate the row for the user whose password you want to reset — match by user_login (the username) or user_email. The password is stored in the user_pass column. Replace the existing value with the generated hash. In phpMyAdmin: click the row's Edit pencil icon, paste into user_pass, change the dropdown next to the field from 'Function' to '(no function)', click Go. In Adminer: similar edit-row workflow. From the command line: `UPDATE wp_users SET user_pass='$P$B...' WHERE user_login='admin';`. Make sure not to wrap the hash in extra characters — WordPress reads exactly what's in user_pass.

Question 6

Why is my new password not working after the database update?

Accepted Answer

Three common causes. (1) You pasted the hash with leading or trailing whitespace — WordPress reads it literally including any spaces. (2) You hashed the wrong password. The hash you paste must be the hash of the exact password (including capitalization, special characters, and any spaces) that you want to type at login. (3) You're on a multisite install or there's a caching plugin holding an old session. Try logging out completely, clearing browser cookies for the WordPress domain, then logging in fresh. If you're using a session-caching plugin like Redis Object Cache or WP Super Cache, the user object may be cached — flush the cache via WP-CLI (`wp cache flush`) or the plugin's admin panel. If none of those, double-check the database row was actually updated (run a SELECT to confirm).

Question 7

Is this safer than the password reset email flow?

Accepted Answer

It depends on your threat model. The email reset flow is generally fine but requires (a) functional email delivery, (b) access to the inbox, (c) WordPress being able to reach the SMTP server. The database edit approach bypasses all three and works when your site is broken (white screen of death, plugin conflicts, locked admin email) or when you've lost access to the email address on file. Security-wise, anyone with database write access already has full control of the WordPress install — they don't need to crack the password to read your content. The database edit method is appropriate for legitimate admins recovering access; it's not relevant to attackers because they wouldn't need to use it.

Question 8

Does this tool log my password anywhere?

Accepted Answer

No. The hashing happens entirely in your browser using bcryptjs (for the bcrypt format), a pure-JavaScript phpass implementation, and crypto-js MD5. Nothing is uploaded, no XHR or fetch request is made when you type. Open DevTools → Network and watch the request log stay empty while you generate hashes. The page itself was delivered over HTTPS but no outbound calls fire during hashing. The source code is open and inspectable via View Source.

WP Version	Default format	Stored in user_pass	Notes
2.5 – 6.7	$P$B...	phpass — 34 chars	8192 MD5 iterations, salted. Still in 90%+ of WordPress DBs in 2026.
6.8+ (Apr 2025)	$wp$2y$10$...	bcrypt — 62 chars	Bcrypt cost 10 with $wp$ envelope. Auto-applied on first login or password change.
All versions	32 hex chars	Plain MD5 — legacy	Accepted on login. Auto-rehashed to current default on next successful authentication.

WordPress Password Hash Generator

WordPress Password Format by Version

Why WordPress Still Accepts MD5

Three Ways to Apply the Hash

1. phpMyAdmin

2. SQL command line

3. WP-CLI (recommended if available)

Security Considerations

Frequently Asked Questions