wp_check_password

Checks the plaintext password against the hashed password.

Description

wp_check_password( (string) $password, (string) $hash, (string) $user_id = '' ); 

Maintains compatibility between the old version and the new cookie authentication protocol using the PHPass library. The $hash parameter is the stored password hash; the function hashes the plaintext password the same way and compares the result with $hash to see if they match.

For integration with other applications, this function can be overridden to use the other package's password checking algorithm instead.

Parameters (3)

0. $password (string)
The user's plaintext password.
1. $hash (string)
Hash of the user's password to check against.
2. $user_id — Optional. (string) => ''
User ID.

Usage

  if ( !function_exists( 'wp_check_password' ) ) {
      require_once ABSPATH . WPINC . '/pluggable.php';
  }

  // Plaintext user's password
  $password = '';

  // Hash of the user's password to check against.
  $hash = '';

  // Optional. User ID.
  $user_id = '';

  // NOTICE! Understand what this does before running.
  $result = wp_check_password($password, $hash, $user_id);

Defined (1)

The function is defined in the following location(s).

/wp-includes/pluggable.php  
  function wp_check_password($password, $hash, $user_id = '') {
      global $wp_hasher;

      // If the hash is still md5...
      if ( strlen($hash) <= 32 ) {
          // hash_equals() compares in constant time.
          $check = hash_equals( $hash, md5( $password ) );
          if ( $check && $user_id ) {
              // Rehash using new hash.
              wp_set_password($password, $user_id);
              $hash = wp_hash_password($password);
          }

          /**
           * Filters whether the plaintext password matches the encrypted password.
           * @since 2.5.0
           * @param bool $check Whether the passwords match.
           * @param string $password The plaintext password.
           * @param string $hash The hashed password.
           * @param string|int $user_id User ID. Can be empty.
           */
          return apply_filters( 'check_password', $check, $password, $hash, $user_id );
      }

      // If the stored hash is longer than an MD5, presume the
      // new style phpass portable hash.
      if ( empty($wp_hasher) ) {
          // Load the phpass class that defines PasswordHash.
          require_once ABSPATH . WPINC . '/class-phpass.php';
          // By default, use the portable hash from phpass
          $wp_hasher = new PasswordHash(8, true);
      }

      $check = $wp_hasher->CheckPassword($password, $hash);

      /** This filter is documented in wp-includes/pluggable.php */
      return apply_filters( 'check_password', $check, $password, $hash, $user_id );
  }
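
The two branches of the function above, re-implemented as an added Python example (not WordPress or phpass code) to show what each comparison computes and when a stored hash should be upgraded. It handles phpass portable "$P$" hashes only; the names encode64, phpass_portable and check_password, and the sample password and salt, are assumptions made for this example.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass base64 variant: each 3-byte group is read little-endian, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_portable(password: str, setting: str) -> str:
    """Recompute a portable hash from its first 12 chars: '$P$', cost char, 8-char salt."""
    cost = ITOA64.find(setting[3:4])
    salt = setting[4:12]
    if setting[:3] != "$P$" or not 7 <= cost <= 30 or len(salt) != 8:
        return "*0"  # error marker; can never equal a well-formed stored hash
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << cost):  # iterated MD5: 2**cost further rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def check_password(password: str, stored: str):
    """Return (matches, needs_rehash) for a stored hash."""
    if len(stored) <= 32:  # legacy unsalted MD5 branch
        legacy = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(legacy.encode(), stored.encode())
        # WordPress rehashes here only when a user ID was passed in.
        return ok, ok
    candidate = phpass_portable(password, stored)
    return hmac.compare_digest(candidate.encode(), stored.encode()), False

# Constructed sample data: the password and salt are made up for this example.
SAMPLE_PW = "correct horse"
LEGACY = hashlib.md5(SAMPLE_PW.encode()).hexdigest()
MODERN = phpass_portable(SAMPLE_PW, "$P$B" + "saltsalt")  # 'B' = 2**13 rounds

if __name__ == "__main__":
    for label, stored in (("legacy md5", LEGACY), ("phpass", MODERN)):
        print(label, check_password(SAMPLE_PW, stored), check_password("wrong", stored))
```

A legacy match returns needs_rehash as True, which is the point at which the function above calls wp_set_password(); callers that omit $user_id leave the MD5 hash in place.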