WordPress 6.8 introduces bcrypt for password hashing, replacing the MD5-based phpass scheme that core has used since WordPress 2.5. It is one of the most significant security changes to core in years, and it touches every site that upgrades. With WordPress powering over 40% of the web, the move to bcrypt materially raises the cost of turning a stolen user table into working credentials.
For years WordPress has relied on the Portable PHP password hashing framework (phpass) in its portable mode: a salted MD5 digest iterated 8,192 times. That was a reasonable choice in 2008, but MD5 was designed for speed, and commodity GPUs now compute it fast enough that offline guessing against a leaked wp_users table is routine. An attacker who obtains the database can recover weak or reused passwords in minutes.
By moving to bcrypt, WordPress aligns with current password-storage guidance and makes stolen hashes far more expensive to crack. The change benefits end users, site owners and plugin developers alike, though developers have some checking to do.
Why Is WordPress Moving to bcrypt?
The main driver is that iterated MD5 no longer provides an adequate margin against offline attacks. Password cracking is an embarrassingly parallel workload, and tools such as hashcat spread it across GPUs that test millions to billions of guesses per second, depending on the hash in use.
To put numbers on the gap:
- Published hashcat benchmarks put a single high-end consumer GPU at well over 100 billion raw MD5 computations per second. WordPress's phpass iterated MD5 8,192 times per guess, which divides that rate by the same factor, but still leaves an attacker testing on the order of tens of millions of guesses per second per card.
- bcrypt is designed to be expensive: each hash runs 2^cost rounds of a deliberately slow key setup, so at the default cost of 10 the same GPU manages only a few thousand guesses per second, and the cost can be raised as hardware improves.
It was only a matter of time before WordPress adopted a purpose-built password hash. With this update it catches up with platforms that have defaulted to bcrypt for years, such as Laravel, Ruby on Rails and OpenBSD, and with PHP itself, whose password_hash() has defaulted to bcrypt since PHP 5.5. (Django ships bcrypt as an option but defaults to PBKDF2, and mainstream Linux distributions default to SHA-512 crypt or yescrypt rather than bcrypt.)
How Does bcrypt Improve WordPress Security?
bcrypt is not simply a stronger digest: it is a purpose-built password hash, designed by Provos and Mazières in 1999 with offline cracking as its threat model, whereas MD5 and SHA-1 are general-purpose hashes optimised for speed and were never meant to protect passwords. The key improvements it brings to WordPress are:
1. Increased Resistance to Brute-Force Attacks
bcrypt is deliberately slow. Where MD5 is optimised for throughput, bcrypt runs an expensive key-setup phase whose work is fixed by the cost parameter, so each guess an attacker makes costs roughly what a legitimate login costs. If an attacker obtains the user table, every candidate password must be paid for at that rate, which stretches a dictionary run that takes minutes against MD5 into one that takes orders of magnitude longer against bcrypt.
2. Adaptive Security with Cost Factor
bcrypt carries a work factor (the cost) that sets how much computation each hash requires; the work doubles with every increment. Because the cost is recorded in the hash string itself, it can be raised later without changing the algorithm: hashes created at a lower cost keep verifying, and PHP's password_needs_rehash() identifies them so they can be rehashed at the user's next successful login. WordPress 6.8 uses PHP's default cost (10 on PHP 8.3 and earlier, 12 from PHP 8.4) and exposes it through the wp_hash_password_options filter, so a site can tighten the setting as hardware gets faster.
3. Built-In Salting for Stronger Protection
Salting adds random data to each password before hashing, so two users with the same password get different hashes and an attacker cannot precompute a single table (a rainbow table) to look up every hash at once. bcrypt generates a 128-bit random salt for every hash and stores it inside the hash string (the 22 characters after $2y$10$), so there is nothing for developers to manage and no salt can be omitted by mistake. phpass also salted its hashes; what changes with bcrypt is the cost of each guess, not the presence of a salt.
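The following is an added example, not code from WordPress core or from this article, showing the three properties above with PHP's native password_* functions (the API WordPress 6.8 builds on): how run time grows with cost, that two hashes of one password carry different embedded salts yet both verify, and how password_needs_rehash() flags a hash made under an older cost policy. The function names and sample password are this example's own; it needs PHP 7.3 or later for hrtime().

```php
<?php
// Added example, not WordPress core code: the three bcrypt properties above,
// shown with PHP's native password_* API (what WordPress 6.8 builds on).
// Function names and the sample password are this example's own.
declare(strict_types=1);

// Hash one password at increasing cost and time each call. Every +1 in cost
// doubles the key-setup work, for the defender and the attacker alike.
function bcrypt_timings(string $password, array $costs): array
{
    $results = [];
    foreach ($costs as $cost) {
        $start = hrtime(true);
        $hash  = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
        $results[$cost] = ['hash' => $hash, 'ms' => round((hrtime(true) - $start) / 1e6, 1)];
    }
    return $results;
}

// bcrypt draws a fresh 128-bit salt per call and keeps it inside the hash
// string (the 22 characters after "$2y$NN$"). Two hashes of the same password
// therefore differ, yet both verify, and a precomputed table is useless.
function salt_demo(string $password): array
{
    $a = password_hash($password, PASSWORD_BCRYPT);
    $b = password_hash($password, PASSWORD_BCRYPT);
    return [
        'salt_a'      => substr($a, 7, 22),
        'salt_b'      => substr($b, 7, 22),
        'different'   => $a !== $b,
        'both_verify' => password_verify($password, $a) && password_verify($password, $b),
    ];
}

// Raising the cost later: password_needs_rehash() reports whether a stored
// hash was produced under weaker parameters than the current policy. An
// application uses this to rehash lazily at login, without changing algorithm.
function needs_upgrade(string $storedHash, int $policyCost): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $policyCost]);
}

// Constructed sample input.
$password = 'correct horse battery staple';

foreach (bcrypt_timings($password, [10, 11, 12]) as $cost => $r) {
    printf("cost %d: %7.1f ms  %s\n", $cost, $r['ms'], $r['hash']);
}

$demo = salt_demo($password);
printf("salt A %s\nsalt B %s\ndifferent: %s, both verify: %s\n",
    $demo['salt_a'], $demo['salt_b'],
    $demo['different'] ? 'yes' : 'no', $demo['both_verify'] ? 'yes' : 'no');

$old = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
printf("cost-10 hash needs rehash under a cost-12 policy: %s\n", needs_upgrade($old, 12) ? 'yes' : 'no');
```

Run it with `php bcrypt_demo.php`. On current server hardware cost 10 takes tens of milliseconds and each step up roughly doubles that, which is the trade-off the cost factor lets you tune: slow enough to hurt an attacker, fast enough that a login stays responsive.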
4. Better Compatibility with Modern Authentication Standards
bcrypt is an industry-standard algorithm with a self-describing hash format ($2y$, cost, salt, digest) and native support in PHP through password_hash(), password_verify() and password_needs_rehash(). Plugin authors working on authentication no longer need a third-party class to stay compatible with core; they can rely on the standard library and on the core wp_hash_password() and wp_check_password() functions. One caveat worth knowing: bcrypt reads only the first 72 bytes of its input. Core pre-hashes the password before handing it to bcrypt to avoid that limit, which is one more reason for plugins to call wp_hash_password() rather than password_hash() directly.
How Will the bcrypt Transition Work?
For most site owners and users the switch is invisible. Core does not bulk-convert the user table on upgrade, because it cannot: it holds only hashes, not passwords. Instead, the upgrade happens lazily, at the moment each user proves they know their password:
- A user logs in after the site has been updated to WordPress 6.8.
- WordPress looks at the stored hash. Legacy phpass hashes start with $P$; hashes created by 6.8 start with $wp$2y$.
- If the stored hash is a phpass hash and the submitted password verifies against it, WordPress rehashes the password with bcrypt (after an HMAC-SHA-384 pre-hash that sidesteps bcrypt's 72-byte input limit), prefixes the result with $wp, and writes it back to user_pass.
- From then on the account is verified with bcrypt only; the old hash is gone.
As users log in, the table migrates one row at a time and nobody has to reset a password. The flip side is that an account that never logs in keeps its phpass hash indefinitely, so a database stolen a year after the upgrade still contains MD5-era hashes for every dormant user.
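The verify-then-upgrade flow described above, as an added example that is not WordPress core code and runs stand-alone on PHP 8. The phpass_* functions reimplement the portable phpass scheme WordPress used (a $P$ prefix, then a character encoding log2 of the iteration count, an 8-character salt, and salted MD5 iterated 8,192 times for the $P$B hashes WordPress wrote). The $wp prefix and HMAC-SHA-384 pre-hash follow the 6.8 format as I understand it; the function names, the fixed salt and the sample user record are this example's own.

```php
<?php
// Added example, not WordPress core code: the verify-then-upgrade flow from
// the steps above, runnable outside WordPress. phpass_* reimplements the
// portable phpass scheme WordPress used ("$P$", salted MD5 iterated 2^13
// times for "$P$B" hashes). The "$wp" prefix and SHA-384 HMAC pre-hash
// mirror the 6.8 format; function names and the sample record are mine.
declare(strict_types=1);

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass' own base64 variant (not RFC 4648): low six bits first.
function phpass_encode64(string $input, int $count): string
{
    $itoa64 = ITOA64;
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= $itoa64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Recompute a phpass hash from its 12-char setting ("$P$" + log2(rounds)
// character + 8-char salt) and a candidate password; null if malformed.
function phpass_crypt(string $password, string $setting): ?string
{
    if (strlen($setting) < 12 || !str_starts_with($setting, '$P$')) { return null; }
    $countLog2 = strpos(ITOA64, $setting[3]);
    if ($countLog2 === false || $countLog2 < 7 || $countLog2 > 30) { return null; }
    $salt = substr($setting, 4, 8);
    $count = 1 << $countLog2;               // "B" -> 13 -> 8192 rounds
    $hash = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

function phpass_verify(string $password, string $stored): bool
{
    $computed = phpass_crypt($password, $stored);
    return $computed !== null && hash_equals($stored, $computed);
}

// bcrypt reads only the first 72 bytes of its input; pre-hashing with SHA-384
// (64 base64 characters) sidesteps that limit for long passphrases.
function wp_style_pre_hash(string $password): string
{
    return base64_encode(hash_hmac('sha384', trim($password), 'wp-sha384', true));
}

function bcrypt_hash_wp_style(string $password, int $cost): string
{
    return '$wp' . password_hash(wp_style_pre_hash($password), PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login-time check. Returns [accepted, replacementHashOrNull]. A "$P$" hash
// that verifies is replaced by bcrypt on the spot; a "$wp" hash is re-issued
// only when its cost is below the current policy. (Core additionally accepts
// plain "$2y$" hashes written by plugins; that branch is omitted here.)
function check_and_upgrade(string $password, string $stored, int $cost = 10): array
{
    if (str_starts_with($stored, '$P$')) {
        return phpass_verify($password, $stored)
            ? [true, bcrypt_hash_wp_style($password, $cost)]
            : [false, null];
    }
    if (str_starts_with($stored, '$wp')) {
        $bcrypt = substr($stored, 3);
        if (!password_verify(wp_style_pre_hash($password), $bcrypt)) { return [false, null]; }
        $stale = password_needs_rehash($bcrypt, PASSWORD_BCRYPT, ['cost' => $cost]);
        return [true, $stale ? bcrypt_hash_wp_style($password, $cost) : null];
    }
    return [false, null]; // unknown format: reject rather than guess
}

// Constructed sample: a user row still carrying a phpass hash. The fixed salt
// is for reproducibility only; real phpass draws it from a CSPRNG.
$password = 'correct horse battery staple';
$legacy   = phpass_crypt($password, '$P$Bsaltsalt');

[$ok, $new] = check_and_upgrade('wrong-password', $legacy);
printf("wrong password: accepted=%s\n", var_export($ok, true));

[$ok, $new] = check_and_upgrade($password, $legacy);
printf("first login:    accepted=%s, store %s\n", var_export($ok, true), $new);

[$ok, $again] = check_and_upgrade($password, $new);
printf("later login:    accepted=%s, rehash needed=%s\n", var_export($ok, true), var_export($again !== null, true));
```

The wrong password is rejected without touching the row; the first correct login returns a 63-character $wp$2y$10$... hash to write back; the next login verifies against bcrypt and returns no replacement because the cost already matches policy. Plugin code that validates passwords itself should take the same shape, or better, delegate to wp_check_password() and let core make these decisions.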
What This Means for WordPress Website Owners and Developers
For Website Owners
If you manage a WordPress website, this change improves security without any action on your part. Once you update to WordPress 6.8, your users' passwords are upgraded to bcrypt progressively as they log in, and core handles the rewrite in the background. Two things are still worth doing: watch the migration (rows in wp_users whose user_pass still begins with $P$ have not been upgraded), and decide what to do about accounts that never log in, since their phpass hashes stay in the database until they do. For dormant privileged accounts, a forced password reset or removing the account closes that gap.
For Developers and Plugin Creators
Developers who work with authentication, custom login flows or anything that reads or writes user_pass should check their code against the new scheme. Code that assumes every hash is a phpass hash (a 34-character string starting with $P$), or that calls the bundled PasswordHash class directly, will misbehave once a user's hash has been upgraded.
To avoid problems, developers should:
- Replace direct use of the PasswordHash class and any hand-rolled MD5 comparison with wp_hash_password() and wp_check_password(), which handle both formats.
- Not verify against user_pass with password_verify() directly: core-issued hashes carry a $wp prefix and a pre-hashed input that password_verify() alone will not reproduce.
- Check any plugin table that stores password hashes of its own: the column must hold at least 63 characters ($wp plus a 60-character bcrypt string). A varchar(34) sized for phpass truncates the new hash and silently breaks logins.
- Test authentication after updating with both kinds of account, one that has not logged in since the upgrade (still $P$) and one that has ($wp$2y$), and with passwords longer than 72 bytes.
Where a plugin performs its own password validation, the cleanest fix is usually to delete that code and delegate to core rather than to port it.
Why This Update Is Critical for WordPress Security
The timing of this change is significant because cyberattacks on WordPress websites have been steadily increasing. Security reports indicate that:
- More than 30 billion login credentials were leaked in data breaches last year alone.
- Credential stuffing attacks (where attackers try leaked passwords on multiple sites) surged by 45% in 2024.
- WordPress websites experience an average of 90,000 attacks per minute, with weak passwords being a primary target.
By switching to bcrypt, WordPress is hardening the one control that still matters after a breach: the cost of turning a stolen hash back into a password. It does not stop brute-force login attempts at the front door, which is the job of rate limiting and two-factor authentication, but it ensures that a leaked database yields far fewer working credentials.
Final Thoughts
WordPress 6.8’s move to bcrypt is one of the most important security updates in recent memory. By abandoning its outdated MD5-based hashing system, WordPress is bringing its password security in line with modern best practices.
For website owners, this upgrade happens behind the scenes—all you need to do is update WordPress to the latest version. For developers, now is the time to check for bcrypt compatibility and make any necessary adjustments to custom authentication systems.
As cyber threats continue to evolve, this change reinforces WordPress's commitment to protecting users and website data. With bcrypt handling password hashing, a stolen WordPress user table is a far less valuable prize for attackers.
Have thoughts on this update? Feel free to share your perspective. The security of the web is always evolving, and staying informed is the first step toward staying protected.
Burhan Ahmad is a Senior Content Editor at Technado, with a strong focus on tech, software development, cybersecurity, and digital marketing. He has previously contributed to leading digital platforms, delivering insightful content in these areas.