Roots Discourse

Improving WordPress Passwords Security


#1

Originally published at: https://roots.io/improving-wordpress-password-security/
We’ve released the wp-password-bcrypt plugin to improve WordPress password security by using bcrypt instead of insecure MD5 password hashing. March 21st update: see the follow-up post on password security for more information and corrections on some errors made in this post. WordPress, and its community, love to parrot that it powers 25% of the web.…


#2

Great article Scott! This plugin looks awesome. You might also want to mention which versions of WordPress are currently supported with security patches as well. I think it’s only the last 3-4 versions but it’s not very clear.


#3

Looks awesome. Thanks for releasing this and all of your other awesome work.

Quick, clarifying question, if I add this to an existing site, do I need to reset all existing passwords?


#4

how does this diff from https://en-gb.wordpress.org/plugins/wp-bcrypt/changelog/


#5

Did you compare the source of the two? They are very different.

That plugin continues the use the PasswordHash class. Our plugin uses the built-in PHP functions.

That plugin also cares about old versions of PHP and shows admin notices. We don’t care about old unsupported versions.


#6

If you add https://github.com/ircmaxell/password_compat to this plugin, it can be used on PHP versions all the way back to 5.3.7. Anthony ported the PHP 5.5 password functions from the C code of the internal implementation back into PHP for those versions.

Technically, it also works in older versions than 5.3.7, but those older versions had a vulnerability in their bcrypt implementation, so it doesn’t really help to use bcrypt in them.


#7

@kohenkatz yeah I was aware of that library, but Roots takes a hard stance with PHP versions. We advocate using supported version of PHP. 5.3 and 5.4 are no longer supported.

That’s why we made the plugin >= 5.5 only which is still supported (for another 4 months).


#8

@swalkinshaw Sounds good to me.

I have been lucky enough to require only PHP 7 on most of my projects, but we’re still some time away from PHP 5.6 EOL, so not everyone can do that.


#9

This is fantastic. Thank you!


#10

Great post! Using this right away!

Once installed, all passwords have to be regenerated to be saved with bcrypt right? It wouldn’t retroactively create them?


#11

@aaronjheinen added an FAQ which addresses this: https://github.com/roots/wp-password-bcrypt#faq


#12

Pretty handy it does it upon login rather than having to reset your p/w

:grinning:


#13

Shouldn’t Argon2 be implemented?


#14

Ideally we’d use Argon2 since it won the password hashing competition. People smarter than me say it’s better than bcrypt.

But, bcrypt is implemented in PHP by default. You don’t need any external extensions to enable it. bcrypt is also “good enough” and a million times better than MD5. It’s a trade off but this way anyone (on PHP >= 5.5) can easily install the plugin and have much better password security.


#15

Thank you very very much for writing this plugin and sending the newsletter about it. Already in mu-plugins/ on our sites!


#16

It’s surprisingly that WP doesn’t take this more seriously, specially when this could be affecting the security of 1/4 of all internet websites :open_mouth:

Awesome work by the Roots Team!


#17

The benefit of using PHP’s newer password functions is that it allows for Argon2, or some other even better hashing algorithm, to be implemented as the default in the future. When PHP encounters a string hashed with bcrypt, it can seamlessly upgrade the hash on authentication. So we get the benefit of improved security with bcrypt over MD5+salt now, and continue to benefit from improvements in the future without having to modify our code.


#18

Any plans to add this to the WordPress.org Plugin Directory? That way it could be easily installed and upgraded across multiple sites, without having to sideload it from GitHub.


#19

Yeah, correct. That’s the plan for this plugin since it just uses the built-in functions. Despite our awkward plugin name choice of including bcrypt :see_no_evil:


#20

Not really. We generally avoid the “.org” ecosystem. However, it might be pretty simple to just publish this plugin there. I have no idea what the process is and I don’t really want to get into SVN :frowning:

I also recently found out that they lint plugins against PHP 5.3 (I think), so if you use newer PHP syntax in your plugins it won’t be accepted. Going by a 3rd party tweet here so hopefully that’s correct.

edit: https://twitter.com/soulseekah/status/702227207767330816