Rolling out bcrypt password hashing

We’ve just started rolling out a change across all of the sites we host, to improve the security of user passwords.

WordPress is very widely used. Because of this, WordPress’s development team often make decisions that keep WordPress compatible with a wide range of hosting environments. Sometimes, this comes at the cost of potential security improvements.

One of these decisions affects the way WordPress stores passwords. Passwords are stored as hashes: one-way scrambled versions from which the original password can’t be read back. In the unlikely event that user data from the database were exposed to an attacker, passwords being hashed means that it would be much harder for the attacker to make use of that data.

The only way to get back to a usable password from a hashed one is to guess candidate passwords, hash each one and compare it with the stored hash. Password-cracking software exists which, when run against WordPress’s hashed passwords, can make hundreds of thousands of these guesses every second. That’s awfully quick. WordPress uses these hashes because they’re more compatible with lots of hosting environments, but that’s not something we need to worry about.

bcrypt is much harder to attack, because it’s hundreds of times slower for an attacker to guess passwords. In the event that a site we host was attacked and the attackers got hold of the database, bcrypt makes it much harder for them to do anything bad with it.
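To show what a plugin of this kind does, here is an added illustrative example (not our plugin’s code): it overrides WordPress’s pluggable `wp_hash_password()` and `wp_check_password()` so that new passwords are stored with bcrypt, and a user’s old-style phpass hash (the `$P$` hashes the post refers to) is upgraded to bcrypt the next time they log in successfully. It assumes PHP 5.5 or later for `password_hash()`, a WordPress release whose core still uses phpass, and a bcrypt cost of 12, which is our own choice for the example.

```php
<?php
/*
Plugin Name: bcrypt password hashing (illustrative example)
*/

// Override the pluggable wp_hash_password() so every new hash uses bcrypt.
if ( ! function_exists( 'wp_hash_password' ) ) {
    function wp_hash_password( $password ) {
        // Cost 12 means 2^12 rounds; raise it as hardware gets faster.
        return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => 12 ) );
    }
}

// Override wp_check_password() so bcrypt hashes verify, and legacy phpass
// hashes ("$P$" / "$H$") still work until the user next logs in.
if ( ! function_exists( 'wp_check_password' ) ) {
    function wp_check_password( $password, $hash, $user_id = '' ) {
        global $wp_hasher;

        if ( strpos( $hash, '$P$' ) === 0 || strpos( $hash, '$H$' ) === 0 ) {
            // Legacy portable hash: verify with core's phpass class, then
            // store a bcrypt hash in its place (wp_set_password calls our
            // wp_hash_password above). This runs before the auth cookie is
            // set, so the login itself is unaffected.
            if ( empty( $wp_hasher ) ) {
                require_once ABSPATH . WPINC . '/class-phpass.php';
                $wp_hasher = new PasswordHash( 8, true );
            }
            $check = $wp_hasher->CheckPassword( $password, $hash );
            if ( $check && $user_id ) {
                wp_set_password( $password, $user_id );
            }
            return apply_filters( 'check_password', $check, $password, $hash, $user_id );
        }

        $check = password_verify( $password, $hash );
        // Re-hash when the stored cost is lower than the current setting.
        if ( $check && $user_id
             && password_needs_rehash( $hash, PASSWORD_BCRYPT, array( 'cost' => 12 ) ) ) {
            wp_set_password( $password, $user_id );
        }
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
}
```

Because the overrides are only picked up if they are defined before `wp-includes/pluggable.php` loads, this must run as a plugin (or mu-plugin), not from a theme’s `functions.php`.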

Password security is just one of the ways we protect our clients’ WordPress sites and their users’ data. If you’d like to talk to us about secure WordPress hosting, do get in touch. Or, if you want to enable bcrypt password hashing on your sites, you can download our free plugin. (We’ve submitted it to the Codex but it’s not there yet.)