wpseek.com
A WordPress-centric search engine for devs and theme authors

function wp_hash_password(
		#[\SensitiveParameter]
		$password
	) {
		global $wp_hasher;

		if ( ! empty( $wp_hasher ) ) {
			return $wp_hasher->HashPassword( trim( $password ) );
		}

		if ( strlen( $password ) > 4096 ) {
			return '*';
		}

		/**
		 * Filters the hashing algorithm to use in the password_hash() and password_needs_rehash() functions.
		 *
		 * The default is the value of the `PASSWORD_BCRYPT` constant which means bcrypt is used.
		 *
		 * **Important:** The only password hashing algorithm that is guaranteed to be available across PHP
		 * installations is bcrypt. If you use any other algorithm you must make sure that it is available on
		 * the server. The `password_algos()` function can be used to check which hashing algorithms are available.
		 *
		 * The hashing options can be controlled via the {@see 'wp_hash_password_options'} filter.
		 *
		 * Other available constants include:
		 *
		 * - `PASSWORD_ARGON2I`
		 * - `PASSWORD_ARGON2ID`
		 * - `PASSWORD_DEFAULT`
		 *
		 * The values of the algorithm constants are strings in PHP 7.4+ and integers in PHP 7.3 and earlier.
		 *
		 * @since 6.8.0
		 *
		 * @param string|int $algorithm The hashing algorithm. Default is the value of the `PASSWORD_BCRYPT` constant.
		 */
		$algorithm = apply_filters( 'wp_hash_password_algorithm', PASSWORD_BCRYPT );

		/**
		 * Filters the options passed to the password_hash() and password_needs_rehash() functions.
		 *
		 * The default hashing algorithm is bcrypt, but this can be changed via the {@see 'wp_hash_password_algorithm'}
		 * filter. You must ensure that the options are appropriate for the algorithm in use.
		 *
		 * The values of the algorithm constants are strings in PHP 7.4+ and integers in PHP 7.3 and earlier.
		 *
		 * @since 6.8.0
		 *
		 * @param array      $options   Array of options to pass to the password hashing functions.
		 *                              By default this is an empty array which means the default
		 *                              options will be used.
		 * @param string|int $algorithm The hashing algorithm in use.
		 */
		$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );

		// Algorithms other than bcrypt don't need to use pre-hashing.
		if ( PASSWORD_BCRYPT !== $algorithm ) {
			return password_hash( $password, $algorithm, $options );
		}

		// Use SHA-384 to retain entropy from a password that's longer than 72 bytes, and a `wp-sha384` key for domain separation.
		$password_to_hash = base64_encode( hash_hmac( 'sha384', trim( $password ), 'wp-sha384', true ) );

		// Add a prefix to facilitate distinguishing vanilla bcrypt hashes.
		return '$wp' . password_hash( $password_to_hash, $algorithm, $options );
	}
endif;

if ( ! function_exists( 'wp_check_password' ) ) :
	/**
	 * Checks a plaintext password against a hashed password.
	 *
	 * Note that this function may be used to check a value that is not a user password.
	 * A plugin may use this function to check a password of a different type, and there
	 * may not always be a user ID associated with the password.
	 *
	 * For integration with other applications, this function can be overwritten to
	 * instead use the other package password hashing algorithm.
	 *
	 * @since 2.5.0
	 * @since 6.8.0 Passwords in WordPress are now hashed with bcrypt by default. A
	 *              password that wasn't hashed with bcrypt will be checked with phpass.
	 *
	 * @global PasswordHash $wp_hasher phpass object. Used as a fallback for verifying
	 *                                 passwords that were hashed with phpass.
	 *
	 * @param string     $password Plaintext password.
	 * @param string     $hash     Hash of the password to check against.
	 * @param string|int $user_id  Optional. ID of a user associated with the password.
	 * @return bool False, if the $password does not match the hashed password.
	 */