Checks whether a password hash needs to be rehashed.
Description
Passwords are hashed with bcrypt using the default cost. A password hashed in a prior version of WordPress may still be hashed with phpass and will need to be rehashed. If the default cost or algorithm is changed in PHP or WordPress then a password hashed in a previous version will need to be rehashed.
Note that, just like wp_check_password() , this function may be used to check a value that is not a user password. A plugin may use this function to check a password of a different type, and there may not always be a user ID associated with the password.
Parameters
$hashstringrequired- Hash of a password to check.
$user_idstring|intoptional- ID of a user associated with the password.
Default:
''
Source
function wp_password_needs_rehash( $hash, $user_id = '' ) {
global $wp_hasher;
if ( ! empty( $wp_hasher ) ) {
return false;
}
/** This filter is documented in wp-includes/pluggable.php */
$algorithm = apply_filters( 'wp_hash_password_algorithm', PASSWORD_BCRYPT );
/** This filter is documented in wp-includes/pluggable.php */
$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );
$prefixed = str_starts_with( $hash, '$wp' );
if ( ( PASSWORD_BCRYPT === $algorithm ) && ! $prefixed ) {
// If bcrypt is in use and the hash is not prefixed then it needs to be rehashed.
$needs_rehash = true;
} else {
// Otherwise check the hash minus its prefix if necessary.
$hash_to_check = $prefixed ? substr( $hash, 3 ) : $hash;
$needs_rehash = password_needs_rehash( $hash_to_check, $algorithm, $options );
}
/**
* Filters whether the password hash needs to be rehashed.
*
* @since 6.8.0
*
* @param bool $needs_rehash Whether the password hash needs to be rehashed.
* @param string $hash The password hash.
* @param string|int $user_id Optional. ID of a user associated with the password.
*/
return apply_filters( 'password_needs_rehash', $needs_rehash, $hash, $user_id );
}
Hooks
- apply_filters( ‘password_needs_rehash’,
bool $needs_rehash ,string $hash ,string|int $user_id ) Filters whether the password hash needs to be rehashed.
- apply_filters( ‘wp_hash_password_algorithm’,
string $algorithm ) Filters the hashing algorithm to use in the password_hash() and password_needs_rehash() functions.
- apply_filters( ‘wp_hash_password_options’,
array $options ,string $algorithm ) Filters the options passed to the password_hash() and password_needs_rehash() functions.
Changelog
| Version | Description |
|---|---|
| 6.8.0 | Introduced. |
User Contributed Notes
You must log in before being able to contribute a note or feedback.