July 2025: WordPress has officially retired the use of the outdated MD5 hashing algorithm for password storage, marking a major milestone in its ongoing efforts to strengthen user security.
With the release of WordPress 6.8, the platform has transitioned to using more secure password hashing methods, such as bcrypt or Argon2, depending on server support. This change aligns WordPress with modern security best practices and helps protect websites from brute-force and hash-cracking attacks.
Why MD5 Had to Go
MD5, once widely used for password hashing, has long been considered vulnerable to various types of attacks, including collision and rainbow table attacks. Although WordPress had previously improved password hashing by salting MD5 hashes, the core still supported MD5 for backward compatibility.
WordPress 6.8 officially phases out MD5 for any new password hashes, ensuring that newly created or updated user passwords are stored using much more robust algorithms.
What About Existing Passwords?
The update maintains backward compatibility:
- Existing MD5-hashed passwords will still work.
- When a user logs in with a legacy password, WordPress will verify it using MD5, then re-hash and update it using the newer algorithm in the database.
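
The login-time upgrade described in the list above, as an added standalone PHP sketch (not WordPress core code and not part of the original article). It uses PHP's own password_hash(), password_verify() and password_needs_rehash(); the $users array, the login() and is_legacy_md5() helpers, the bare-MD5 legacy format and the sample password are assumptions constructed for illustration.

```php
<?php
// Added illustration of rehash-on-login; not WordPress core code.
// $users stands in for the users table. All names and values are constructed.
$users = [
    // Legacy row: bare MD5 hex digest of a sample password (assumed format).
    'alice' => md5('correct horse'),
];

/** True when the stored value looks like a bare 32-character MD5 hex digest. */
function is_legacy_md5(string $hash): bool
{
    return strlen($hash) === 32 && ctype_xdigit($hash);
}

/** Verify a login and upgrade the stored hash if it is outdated. */
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    if (is_legacy_md5($stored)) {
        // hash_equals() compares in constant time.
        $ok = hash_equals($stored, md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false; // a failed login never rewrites the stored hash
    }

    // The plaintext is only available here, right after a successful check,
    // so this is the one place where a legacy hash can be replaced.
    if (is_legacy_md5($stored) || password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT);
    }
    return true;
}

var_dump(login($users, 'alice', 'wrong guess'));   // wrong password
var_dump(is_legacy_md5($users['alice']));          // stored format after a failed login
var_dump(login($users, 'alice', 'correct horse')); // correct password, legacy path
var_dump(is_legacy_md5($users['alice']));          // stored format after the upgrade
var_dump(login($users, 'alice', 'correct horse')); // correct password, bcrypt path
```

An account whose owner never logs in again keeps its legacy hash, because the upgrade can only happen while the plaintext password is in hand.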
What Developers Need to Know
Plugin and theme developers should take note of these critical points:
- Avoid using MD5 for any password checks.
- Always use wp_check_password() for validating passwords and wp_hash_password() for creating hashes.
- Custom login systems or third-party integrations that rely on MD5 may break or behave unpredictably if not updated.
A Big Step Toward a Safer Web
This move underscores WordPress's commitment to improving security for its vast global user base. Website owners are encouraged to update to WordPress 6.8 as soon as possible and audit their plugins and custom code for any reliance on MD5.
For developers and agencies managing WordPress sites at scale, now is the time to verify your authentication processes are using WordPress’s built-in functions, which automatically handle secure password hashing.
Stay updated with the latest WordPress news, and follow best practices to keep your website safe, secure, and future-proof.