explore

Footprints

Open the places and fragments left along the way

construction

Tools

A growing place for small tools and experiments

person

About

Learn who I am and what this site keeps circling back to

Theme

Switch to a reading atmosphere that fits the moment

Language

Switch the language of articles and moments

Recent Status

“MacBook Pro 16-inch in Space Gray, powered by the M2 Max chip (12-core CPU + 38-core GPU), with 96GB RAM and 8TB storage. US version, minor…

arrow_backBack to Toolbox

WordPress 6.8+ · $wp$2y$ · SHA-384 + bcrypt

WordPress Password Hash Generator

Manually reset or migrate WordPress 6.8+ user passwords by generating $wp$2y$ hashes locally in the browser, with side-by-side notes on modern bcrypt and legacy $P$ phpass hashes.

Generated Hash

Enter a password and the generated $wp$2y$ hash will appear here.

Version Support and Examples

This tool is for the `wp_users.user_pass` field in WordPress 6.8 and later. Legacy phpass hashes usually start with `$P$`; the new default user password hashes usually start with `$wp$2y$`. The examples below show both formats.

Legacy Example (common phpass before 6.8)
$P$Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Modern Example (default user password from 6.8)
$wp$2y$12$example-hash-body

What Changed in WordPress 6.8

Starting in WordPress 6.8, `wp_hash_password()` no longer creates phpass portable hashes by default. It HMAC-SHA-384 pre-hashes the password with `wp-sha384`, base64 encodes that digest, then passes it to bcrypt. `wp_check_password()` still accepts old `$P$` hashes and some legacy MD5 hashes; after login or password change, old hashes are opportunistically upgraded.

Source and Limits

The basis is the WordPress Core 6.8 dev note and the current `wp_hash_password()` source. This is not for post passwords, WordPress 6.7-and-earlier-only sites, or installations that changed `wp_hash_password_algorithm` to Argon2 or another algorithm. The bcrypt cost is embedded in the hash and WordPress can verify it; if your site default differs, WordPress may later mark it as needing rehash.

WordPress Core 6.8 dev noteopen_in_new

FAQ

Which WordPress version does this apply to?

WordPress 6.8 and later use SHA-384 pre-hashed bcrypt for user passwords by default and store them with a `$wp$2y$` prefix.

Do `$P$` hashes still work?

Yes. WordPress 6.8+ still verifies legacy phpass `$P$` hashes, then upgrades them after the user logs in or changes their password.

Is my password uploaded?

No. HMAC-SHA-384 and bcrypt run in the current browser and do not call this site's server.