The WordPress core is secure, but you can upgrade from MD5-based password hashing to bcrypt to make the passwords stored in your site's database more secure. Although some people may say otherwise, the WordPress core is actually secure. It is not difficult to keep a WordPress website safe from the most common attacks by following a few basic practices: use a unique administrator username and a strong password, keep the core software up to date, use plugins and themes from reputable authors and keep them up to date, and run a good security plugin.
After implementing some additional security measures, the site's security moves even further toward the secure end of the scale. However, if the website requires users to log in, there is another security issue to consider: password hashing. On March 1, 2016, Roots, a WordPress development agency, announced the release of the WP Password bcrypt plugin. The post promoting the plugin was picked up by WP Tavern, which brought it to the attention of the WordPress core developers who maintain the password hashing function. The result was a small Twitter firestorm between the post's author and members of the WordPress core development team.
"@Swalkinshaw @retlehs @tw2113 @themesurge @helenhousandi so yes, your post on March 1 is unfortunately alarmist and wrong"
Andrew Nacin (@nacin), March 19, 2016
The gist of the dispute is that some members of the WordPress community, such as Roots, felt that the MD5-based hash must be dropped immediately, and that not doing so shows a lack of commitment to password security. However, the team that maintains the wp_hash_password function still believes that the function produces secure results.
How does WordPress password hashing work?
All of this raises the question of how WordPress hashes passwords. The core wp_hash_password function uses the phpass password hashing framework with its MD5-based portable hash, configured with an iteration count of 8. An MD5 hash by itself is essentially useless for password storage, but WordPress's password hashing function is not a plain MD5 hash. wp_hash_password uses the phpass framework to combine key stretching with repeated passes of MD5 to produce a genuinely good hash. But that does not mean it cannot be improved, or that it should not be.
If you use phpass, you can implement one of three hashing methods: bcrypt, DES, or MD5. The phpass developers' recommendation is to use bcrypt, since it is the strongest of the three, and to fall back to DES- or MD5-based hashing only where bcrypt is not supported. By implementing MD5-based hashing, however, WordPress maintains compatibility with legacy hosting platforms. Phpass provides reliable hashing whichever method is implemented, but if bcrypt is implemented, computing the hash takes longer than with the other methods. The choice of hashing method does not affect the experience of the site's users; it matters only if someone tries to brute-force a stolen password database, where cracking bcrypt-hashed passwords takes much longer than cracking MD5-hashed ones.
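As an added example (not code from the article, from WordPress, or from phpass), here is a Python port of the phpass portable hash that wp_hash_password relies on: the salted, key-stretched MD5 scheme described above together with a constant-time check. The function names and the WP_COUNT_LOG2 constant are mine; the "$P$B" prefix and 2^13 iteration count are what WordPress actually stores.

```python
import hashlib, hmac, os

# phpass "portable" hash as used by WordPress' wp_hash_password() via PasswordHash(8, true).
# phpass adds 5 to that count on PHP 5+, so stored hashes start "$P$B" (ITOA64 index 13 => 2^13 MD5 rounds).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WP_COUNT_LOG2 = 13

def _encode64(data: bytes) -> str:
    """phpass' own base64 variant (not RFC 4648): little-endian packing, 6 bits per character."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def phpass_crypt(password: str, setting: str) -> str:
    """Hash `password` under `setting` = "$P$" + count char + 8-char salt (a stored hash also works)."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return "*0"                          # unknown scheme: can never equal a stored hash
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return "*0"
    salt, pw = setting[4:12].encode("ascii"), password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):         # key stretching: 2^count_log2 chained MD5 calls
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def wp_hash_password(password: str) -> str:
    """New WordPress-style hash: 6 random bytes become the 8-character salt after "$P$B"."""
    return phpass_crypt(password, "$P$" + ITOA64[WP_COUNT_LOG2] + _encode64(os.urandom(6)))

def wp_check_password(password: str, stored: str) -> bool:
    """Recompute under the stored hash's own settings and compare in constant time."""
    return hmac.compare_digest(phpass_crypt(password, stored), stored)
```

Any stored value that still starts with $P$ is a phpass hash, whereas a bcrypt hash written by PHP's password_hash() starts with $2y$; that prefix is how the plugin tells which users' hashes still need upgrading on their next successful login.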
In the end, the Roots team acknowledged that WordPress password hashing is stronger than their original post suggested, but they still believe that hashing with bcrypt is more secure than the hashing function implemented by the WordPress core team.
Why password hashing is important
This is the easiest way to get up and running. If you do not use Composer to manage your WordPress installation (and most readers probably do not), you can install the plugin manually.
Step 1: Make sure there is a must-use plugins folder. The developers suggest installing the plugin in the mu-plugins directory so that users cannot disable it. If you have never used must-use plugins before, you must create the directory: simply use an FTP client to open the wp-content directory and create a new directory named mu-plugins. For more instructions, refer to the WordPress documentation.
Step 2: Download the plugin file. The plugin is not available in the WordPress plugin directory; instead it is hosted on GitHub, where it can be downloaded for free. Navigate to the plugin's GitHub page and click Download ZIP. The plugin is downloaded to your computer as a ZIP archive.
Step 3: Install the plugin. First, find the plugin ZIP archive you downloaded and extract it on your computer. Then use the FTP client to copy the file named wp-password-bcrypt.php to the mu-plugins directory on the web server. Note: unlike most manually installed plugins, you do not copy the entire plugin folder to the server. Copy only the wp-password-bcrypt.php file, directly into the mu-plugins directory. The plugin is activated automatically. Go to Plugins > Installed Plugins and click Must-Use; you will see that the WP Password bcrypt plugin is active.
The debate may have been a good thing. The conflict between Roots and the WordPress core developers shone a spotlight on password hashing. Now that the dust has settled, I know two things: the WordPress core contains a genuinely good hash function, and upgrading to bcrypt hashing is easy and takes WordPress password hashing one step further. What do you think? Is it worth upgrading to bcrypt hashing, or is the wp_hash_password function good enough? Let me know your opinion in the comments below.
Tags: password hashing, security