WordPress 6.8 has implemented safer password hashing

Security is crucial for dxw clients in government and the third sector and I’ve written before on the importance of strong passwords. But this month the WordPress core team took a big step forward in improving password security for all WordPress users by shipping a feature that dxw clients have had for 12 years now.
When a website stores your password, the password is hashed first. Hashing scrambles all of the characters in your password so that if anyone obtains illicit access to the database, the original password cannot easily be recovered.
But how hard would it be to recover a hashed password? By default, WordPress has always used the MD5 algorithm to hash passwords, and MD5 hashes are relatively easy to crack: between thousands and millions of times easier than hashes produced by more modern, deliberately slow algorithms. WordPress used MD5 because it was widely compatible with a large number of hosting environments, but over time hosting providers have expanded their capabilities.
For this reason, dxw clients have had the benefit of using bcrypt on our hosted sites as standard, since 2013. As our founder, Harry Metcalfe, said in his original blog post on the bcrypt roll-out:
bcrypt is much harder to attack, because it’s hundreds of times slower for an attacker to guess passwords. In the event that a site we host was attacked and the attackers got hold of the database, bcrypt makes it much harder for them to do anything bad with it.
As of WordPress core 6.8, bcrypt is now the default hashing algorithm in WordPress. And given that WordPress websites make up 40% of the web, that’s a very welcome improvement in online security.
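To make the MD5-versus-bcrypt difference concrete, here is an added PHP example (not WordPress core's code, nor dxw's): it verifies a login against either hash form, upgrades a legacy MD5 row to bcrypt on a successful login, and measures how many guesses per second each algorithm allows on one core. The function names and the BCRYPT_COST value are assumptions.

```php
<?php
// Added example, not WordPress core code: verify a stored hash that is either a
// legacy unsalted MD5 digest or a bcrypt hash, and upgrade weak or under-cost
// hashes to bcrypt on a successful login using PHP's built-in password_* API.
// BCRYPT_COST is an assumed target; measure it on your own hardware.
const BCRYPT_COST = 12;

function is_legacy_md5(string $hash): bool {
    // An unsalted MD5 digest is exactly 32 lowercase hex characters.
    return (bool) preg_match('/^[0-9a-f]{32}$/', $hash);
}

function verify_and_upgrade(string $password, string $stored, ?string &$newHash): bool {
    $newHash = null;
    if (is_legacy_md5($stored)) {
        // Constant-time comparison avoids leaking how many leading bytes matched.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Correct password: replace the weak digest with a bcrypt hash.
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Already bcrypt, but raise the work factor if it is below the current target.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Rough guesses-per-second comparison: how many candidate passwords one core can
// hash per second with each algorithm (constructed measurement, varies by CPU).
function guesses_per_second(callable $hashFn, int $iterations): float {
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $hashFn('candidate' . $i);
    }
    return $iterations / ((hrtime(true) - $start) / 1e9);
}

$legacy = md5('correct horse battery staple'); // constructed legacy database row
$ok = verify_and_upgrade('correct horse battery staple', $legacy, $upgraded);
printf("login ok: %s, upgraded to: %s...\n", var_export($ok, true), substr((string) $upgraded, 0, 7));
$md5Rate    = guesses_per_second(fn($p) => md5($p), 200000);
$bcryptRate = guesses_per_second(fn($p) => password_hash($p, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), 5);
printf("md5: %.0f guesses/s, bcrypt (cost %d): %.1f guesses/s\n", $md5Rate, BCRYPT_COST, $bcryptRate);
```

The rehash-on-login pattern lets a site move every active account off MD5 without ever needing to know the plaintext passwords in advance.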
Password security is just one of the ways we protect our clients’ WordPress sites and their users’ data. If you’d like to talk to us about secure WordPress hosting, do get in touch.