When we talk about password security, we usually mean the strength of the password itself and whether an attacker can guess it. An aspect that gets far less attention is how the password is stored in the database. WordPress (before version 6.8) stores passwords with the phpass “portable” scheme: a salted MD5 hash iterated 256 times, recognisable by the “$P$” prefix in the user_pass column of the wp_users table. That sounds adequate until you consider that MD5 is a fast hash. A single modern GPU computes MD5 tens of billions of times per second, so 256 rounds still leaves an attacker many millions of password guesses per second against a leaked hash. MD5 is also known to suffer from extensive weaknesses as a cryptographic hash; according to CMU’s Software Engineering Institute (CERT), it is “cryptographically broken and unsuitable for further use.” (As of WordPress 6.8, released in April 2025, core itself hashes new passwords with bcrypt, so the steps below apply to older installs.)
So what can you do to improve your WordPress password security? The answer is to switch to the bcrypt algorithm, in particular with the wp-password-bcrypt plugin.
bcrypt is based on the Blowfish cipher and is an adaptive function: its cost parameter sets the number of key-setup rounds (2^cost), and the cost is recorded inside the hash itself. Over time the cost can be increased to make hashing slower, so bcrypt stays resistant to brute-force search even as computing power grows, and hashes made at an older cost still verify.
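The following is an added example, not code from the article or from the wp-password-bcrypt plugin. It uses PHP’s built-in password_hash(), which implements bcrypt as PASSWORD_BCRYPT, to show what “adaptive” means in practice: each +1 on the cost roughly doubles the time per hash, the cost travels inside the hash string, and password_needs_rehash() tells you when an old hash should be upgraded. The sample password and the cost values 10 to 12 are assumptions for the demonstration; it runs from the command line with plain PHP and needs no WordPress.

```php
<?php
// Added example: bcrypt's adaptive cost factor with PHP's built-in functions.
// The cost is the base-2 logarithm of the number of key-setup rounds, so each
// +1 roughly doubles the work for an attacker and for your login page alike.

function bcrypt_hash(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Wall-clock seconds for one hash at the given cost on this machine.
function seconds_per_hash(string $password, int $cost): float
{
    $start = microtime(true);
    bcrypt_hash($password, $cost);
    return microtime(true) - $start;
}

$password = 'correct horse battery staple'; // constructed sample input

// Measure how the cost factor scales; pick the highest cost your login
// latency budget tolerates (a few hundred milliseconds is a common target).
foreach ([10, 11, 12] as $cost) {
    printf("cost %2d: %.3f s per hash\n", $cost, seconds_per_hash($password, $cost));
}

// The cost is stored inside the hash (the "$2y$10$" prefix), so hashes made
// at an older cost keep verifying after you raise it; password_needs_rehash()
// reports which ones should be upgraded the next time the user logs in.
$old = bcrypt_hash($password, 10);
printf("hash:         %s\n", $old);
printf("verifies:     %s\n", password_verify($password, $old) ? 'yes' : 'no');
printf("needs rehash: %s\n", password_needs_rehash($old, PASSWORD_BCRYPT, ['cost' => 12]) ? 'yes' : 'no');
```

The same verify-then-rehash pattern is what lets a site raise its cost factor later without forcing every user through a password reset.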
Luckily, even if you are not technically competent, you can easily upgrade your WordPress system to replace MD5 hashing with the bcrypt algorithm.
1. Go to wp-password-bcrypt’s GitHub page and click the “Clone or download” button to download the ZIP file to your desktop.
2. Extract the zip file and open the extracted folder. All you need is the “wp-password-bcrypt.php” file.
3. With your FTP program (preferably SFTP) or cPanel, connect to your WordPress server and create a “mu-plugins” folder under the “wp-content” folder. This is also known as the “Must Use Plugins” folder, and every plugin file placed in it is loaded automatically, before regular plugins, with no activation step. If the “mu-plugins” folder already exists, skip this step.
4. Upload the “wp-password-bcrypt.php” file to this “mu-plugins” folder, and you are done. You can confirm it is loaded under Plugins → Must-Use in the WordPress admin.
What the “wp-password-bcrypt” plugin does is replace WordPress’s pluggable password functions so that new passwords are hashed with bcrypt, and, whenever a user logs in successfully with a password that is still stored as an MD5 (phpass) hash, it re-hashes that password with bcrypt and stores the new hash in the database. Bcrypt hashes start with “$2y$” instead of “$P$”. There is no configuration required, and everything simply works in the background. Do note, however, that the plugin needs the plaintext password at login time to re-hash it, so if your site has a lot of inactive users who have not logged in for a long time, their passwords will still be stored as MD5 hashes. A count of user_pass values starting with “$P$” tells you how many remain; if that matters to you, force a password reset for those accounts.
Lastly, to uninstall the plugin, all you have to do is delete it from the “mu-plugins” folder. Logins keep working because WordPress’s phpass code falls back to PHP’s crypt(), which verifies bcrypt hashes, but any password set or changed after removal goes back to the MD5 scheme.
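To make the mechanism concrete, here is an added example of the same approach written as a small must-use plugin. It is not the wp-password-bcrypt plugin’s own code, and it should not be installed alongside it, since both define the same functions. It assumes a WordPress runtime (ABSPATH, WPINC, the global $wpdb, clean_user_cache(), apply_filters() and the bundled class-phpass.php) and PHP 5.5 or later for password_hash(); the cost constant EXAMPLE_BCRYPT_COST and the helper example_count_legacy_hashes() are names chosen for this example. It does not handle the unsalted 32-character MD5 hashes of pre-2.5 WordPress installs.

```php
<?php
/**
 * Plugin Name: Example bcrypt password hashing (added example, not wp-password-bcrypt)
 *
 * wp_hash_password() and wp_check_password() are WordPress "pluggable"
 * functions: WordPress only defines them if nothing has already. Files in
 * wp-content/mu-plugins/ load before wp-includes/pluggable.php, so defining
 * them here makes WordPress use these versions.
 */

// Assumed cost for this example; raise it as hardware gets faster.
if ( ! defined( 'EXAMPLE_BCRYPT_COST' ) ) {
	define( 'EXAMPLE_BCRYPT_COST', 12 );
}

if ( ! function_exists( 'wp_hash_password' ) ) {
	// Used for every new or changed password: always bcrypt at the current cost.
	function wp_hash_password( $password ) {
		return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => EXAMPLE_BCRYPT_COST ) );
	}
}

if ( ! function_exists( 'wp_check_password' ) ) {
	function wp_check_password( $password, $hash, $user_id = '' ) {
		$is_legacy = ( 0 === strpos( $hash, '$P$' ) );

		if ( $is_legacy ) {
			// Legacy phpass hash: verify with WordPress's own PasswordHash class,
			// constructed exactly as core does (2^8 = 256 MD5 rounds, portable mode).
			global $wp_hasher;
			if ( empty( $wp_hasher ) ) {
				require_once ABSPATH . WPINC . '/class-phpass.php';
				$wp_hasher = new PasswordHash( 8, true );
			}
			$check = $wp_hasher->CheckPassword( $password, $hash );
		} else {
			$check = password_verify( $password, $hash );
		}

		// On a successful login the plaintext is available, so upgrade the stored
		// hash if it is legacy MD5 or a bcrypt hash made at a lower cost.
		if ( $check && $user_id ) {
			$stale = $is_legacy || password_needs_rehash( $hash, PASSWORD_BCRYPT, array( 'cost' => EXAMPLE_BCRYPT_COST ) );
			if ( $stale ) {
				global $wpdb;
				$wpdb->update(
					$wpdb->users,
					array( 'user_pass' => wp_hash_password( $password ) ),
					array( 'ID' => (int) $user_id )
				);
				clean_user_cache( $user_id );
			}
		}

		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
	}
}

/**
 * Audit helper (example name): how many accounts still carry a legacy "$P$"
 * hash, i.e. users who have not logged in since the switch. From WP-CLI:
 *   wp eval 'echo example_count_legacy_hashes(), PHP_EOL;'
 */
function example_count_legacy_hashes() {
	global $wpdb;
	$sql = $wpdb->prepare(
		"SELECT COUNT(*) FROM {$wpdb->users} WHERE user_pass LIKE %s",
		$wpdb->esc_like( '$P$' ) . '%'
	);
	return (int) $wpdb->get_var( $sql );
}
```

The rehash branch writes the users table directly rather than calling wp_set_password(), so that a routine login does not trigger the side effects of a deliberate password change; the audit query is what you would run periodically to decide when the remaining legacy accounts need a forced reset.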
It is of little use for users to do everything they can to protect themselves if the system storing their credentials is weak in the first place. By switching to the bcrypt algorithm, you can quickly and easily improve your WordPress password security and make the stored hashes far more expensive to crack if the database is ever leaked (assuming users choose strong passwords as well).
Image credit: Linux password file