wpseek.com
A WordPress-centric search engine for devs and theme authors



wp_check_password › WordPress Function

Since2.5.0
Deprecatedn/a
wp_check_password ( $password, $hash, $user_id = '' )
Parameters: (3)
  • (string) $password Plaintext user's password.
    Required: Yes
  • (string) $hash Hash of the user's password to check against.
    Required: Yes
  • (string|int) $user_id Optional. User ID.
    Required: No
    Default: (empty)
Uses:
  • PasswordHash::CheckPassword
Returns:
  • (bool) False, if the $password does not match the hashed password.
Defined at:
Codex:

Checks a plaintext password against a hashed password.

Maintains compatibility between old version and the new cookie authentication protocol using PHPass library. The $hash parameter is the encrypted password and the function compares the plain text password when encrypted similarly against the already encrypted password to see if they match. For integration with other applications, this function can be overwritten to instead use the other package password hashing algorithm.


Related Functions: wp_set_password, wp_hash_password, wp_get_password_hint, wp_generate_password, check_password_reset_key

Source 

function wp_check_password( $password, $hash, $user_id = '' ) {
		global $wp_hasher;

		// If the hash is still md5...
		if ( strlen( $hash ) <= 32 ) {
			$check = hash_equals( $hash, md5( $password ) );
			if ( $check && $user_id ) {
				// Rehash using new hash.
				wp_set_password( $password, $user_id );
				$hash = wp_hash_password( $password );
			}

			/**
			 * Filters whether the plaintext password matches the encrypted password.
			 *
			 * @since 2.5.0
			 *
			 * @param bool       $check    Whether the passwords match.
			 * @param string     $password The plaintext password.
			 * @param string     $hash     The hashed password.
			 * @param string|int $user_id  User ID. Can be empty.
			 */
			return apply_filters( 'check_password', $check, $password, $hash, $user_id );
		}

		/*
		 * If the stored hash is longer than an MD5,
		 * presume the new style phpass portable hash.
		 */
		if ( empty( $wp_hasher ) ) {
			require_once ABSPATH . WPINC . '/class-phpass.php';
			// By default, use the portable hash from phpass.
			$wp_hasher = new PasswordHash( 8, true );
		}

		$check = $wp_hasher->CheckPassword( $password, $hash );

		/** This filter is documented in wp-includes/pluggable.php */
		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
	}
endif;

if ( ! function_exists( 'wp_generate_password' ) ) :
	/**
	 * Generates a random password drawn from the defined set of characters.
	 *
	 * Uses wp_rand() to create passwords with far less predictability
	 * than similar native PHP functions like `rand()` or `mt_rand()`.
	 *
	 * @since 2.5.0
	 *
	 * @param int  $length              Optional. The length of password to generate. Default 12.
	 * @param bool $special_chars       Optional. Whether to include standard special characters.
	 *                                  Default true.
	 * @param bool $extra_special_chars Optional. Whether to include other special characters.
	 *                                  Used when generating secret keys and salts. Default false.
	 * @return string The random password.
	 */