if ( ! defined( "{$first}_{$second}" ) ) {
$value = constant( "{$first}_{$second}" );
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
$duplicated_keys['put your unique phrase here'] = true;
* translators: This string should only be translated if wp-config-sample.php is localized.
* You can check the localized release package or
* https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
$duplicated_keys[ __( 'put your unique phrase here' ) ] = true;
* Determine which options to prime.
* If a salt key is undefined, reuses a duplicated value, or still has
* the default `put your unique phrase here` value, the salt will be
* generated via `wp_generate_password()` and stored as a site
* option. These options will be primed to avoid repeated
* database requests for undefined salts.
$options_to_prime = array();
foreach ( array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) as $key ) {
foreach ( array( 'key', 'salt' ) as $second ) {
$const = strtoupper( "{$key}_{$second}" );
if ( ! defined( $const ) || true === $duplicated_keys[ constant( $const ) ] ) {
$options_to_prime[] = "{$key}_{$second}";
if ( ! empty( $options_to_prime ) ) {
* Also prime `secret_key` used for undefined salting schemes.
* If the scheme is unknown, the default value for `secret_key` will be
* used too for the salt. This should rarely happen, so the option is only
* primed if other salts are undefined.
* At this point of execution it is known that a database call will be made
* to prime salts, so the `secret_key` option can be primed regardless of the
$options_to_prime[] = 'secret_key';
wp_prime_site_option_caches( $options_to_prime );
if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) {
$values['key'] = SECRET_KEY;
if ( 'auth' === $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) {
$values['salt'] = SECRET_SALT;
if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ), true ) ) {
foreach ( array( 'key', 'salt' ) as $type ) {
$const = strtoupper( "{$scheme}_{$type}" );
if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) {
$values[ $type ] = constant( $const );
} elseif ( ! $values[ $type ] ) {
$values[ $type ] = get_site_option( "{$scheme}_{$type}" );
if ( ! $values[ $type ] ) {
$values[ $type ] = wp_generate_password( 64, true, true );
update_site_option( "{$scheme}_{$type}", $values[ $type ] );
if ( ! $values['key'] ) {
$values['key'] = get_site_option( 'secret_key' );
if ( ! $values['key'] ) {
$values['key'] = wp_generate_password( 64, true, true );
update_site_option( 'secret_key', $values['key'] );
$values['salt'] = hash_hmac( 'md5', $scheme, $values['key'] );
$cached_salts[ $scheme ] = $values['key'] . $values['salt'];
/** This filter is documented in wp-includes/pluggable.php */
return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
if ( ! function_exists( 'wp_hash' ) ) :
* Gets the hash of the given string.
* The default algorithm is md5 but can be changed to any algorithm supported by
* `hash_hmac()`. Use the `hash_hmac_algos()` function to check the supported
* @since 6.8.0 The `$algo` parameter was added.
* @throws InvalidArgumentException if the hashing algorithm is not supported.
* @param string $data Plain text to hash.
* @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce).
* @param string $algo Hashing algorithm to use. Default: 'md5'.
* @return string Hash of $data.
function wp_hash( $data, $scheme = 'auth', $algo = 'md5' ) {
// Keyed hash: the per-scheme salt from wp_salt() is the HMAC key rather than part of
// the message, so the output cannot be recomputed without that scheme's salt.
$salt = wp_salt( $scheme );
// Ensure the algorithm is supported by the hash_hmac function.
// Strict in_array(): only an exact name returned by hash_hmac_algos() is accepted.
if ( ! in_array( $algo, hash_hmac_algos(), true ) ) {
throw new InvalidArgumentException(
/* translators: 1: Name of a cryptographic hash algorithm. 2: List of supported algorithms. */
__( 'Unsupported hashing algorithm: %1$s. Supported algorithms are: %2$s' ),
implode( ', ', hash_hmac_algos() )
// NOTE(review): the sprintf() that joins the format string with $algo and the list
// above, plus the closing `);` and `}`, are not present in this listing.
// The default 'md5' is only the digest inside HMAC (HMAC-MD5); callers wanting a
// stronger digest pass $algo explicitly (parameter added in 6.8.0 per the docblock).
return hash_hmac( $algo, $data, $salt );
if ( ! function_exists( 'wp_hash_password' ) ) :
* Creates a hash of a plain text password.
* For integration with other applications, this function can be overwritten to
* instead use the other package password hashing algorithm.
* @since 6.8.0 The password is now hashed using bcrypt by default instead of phpass.
* @global PasswordHash $wp_hasher phpass object.
* @param string $password Plain text user password to hash.
* @return string The hash string of the password.
function wp_hash_password(
// NOTE(review): the parameter list (`$password`) and the `global $wp_hasher;`
// declaration are not shown in this listing; both are read below.
if ( ! empty( $wp_hasher ) ) {
// An externally supplied phpass-style hasher takes over completely: none of the
// length cap, algorithm/options filters or bcrypt pre-hashing below applies to it.
return $wp_hasher->HashPassword( trim( $password ) );
if ( strlen( $password ) > 4096 ) {
// Byte-length cap (strlen, not mb_strlen) bounding the cost of hashing oversized
// input; wp_check_password() applies the same 4096 limit on its side.
// NOTE(review): the body of this branch is not present in this listing.
* Filters the hashing algorithm to use in the password_hash() and password_needs_rehash() functions.
* The default is the value of the `PASSWORD_BCRYPT` constant which means bcrypt is used.
* **Important:** The only password hashing algorithm that is guaranteed to be available across PHP
* installations is bcrypt. If you use any other algorithm you must make sure that it is available on
* the server. The `password_algos()` function can be used to check which hashing algorithms are available.
* The hashing options can be controlled via the {@see 'wp_hash_password_options'} filter.
* Other available constants include:
* @param string $algorithm The hashing algorithm. Default is the value of the `PASSWORD_BCRYPT` constant.
$algorithm = apply_filters( 'wp_hash_password_algorithm', PASSWORD_BCRYPT );
* Filters the options passed to the password_hash() and password_needs_rehash() functions.
* The default hashing algorithm is bcrypt, but this can be changed via the {@see 'wp_hash_password_algorithm'}
* filter. You must ensure that the options are appropriate for the algorithm in use.
* @param array $options Array of options to pass to the password hashing functions.
* By default this is an empty array which means the default
* @param string $algorithm The hashing algorithm in use.
// wp_password_needs_rehash() applies these same two filters with the same arguments,
// so rehash decisions are made against the policy a fresh hash would use.
$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );
// Algorithms other than bcrypt don't need to use pre-hashing.
// NOTE(review): this path hashes $password untrimmed, whereas the phpass path above
// and the bcrypt path below hash trim( $password ) — confirm the asymmetry is intended.
if ( PASSWORD_BCRYPT !== $algorithm ) {
return password_hash( $password, $algorithm, $options );
// Use SHA-384 to retain entropy from a password that's longer than 72 bytes, and a `wp-sha384` key for domain separation.
// The raw (binary) 48-byte digest is base64-encoded so bcrypt receives 64 printable
// bytes: under its 72-byte limit and free of NUL bytes, which bcrypt inputs cannot carry safely.
$password_to_hash = base64_encode( hash_hmac( 'sha384', trim( $password ), 'wp-sha384', true ) );
// Add a prefix to facilitate distinguishing vanilla bcrypt hashes.
// wp_check_password() and wp_password_needs_rehash() both key on this '$wp' prefix.
return '$wp' . password_hash( $password_to_hash, $algorithm, $options );
if ( ! function_exists( 'wp_check_password' ) ) :
* Checks a plaintext password against a hashed password.
* Note that this function may be used to check a value that is not a user password.
* A plugin may use this function to check a password of a different type, and there
* may not always be a user ID associated with the password.
* For integration with other applications, this function can be overwritten to
* instead use the other package password hashing algorithm.
* @since 6.8.0 Passwords in WordPress are now hashed with bcrypt by default. A
* password that wasn't hashed with bcrypt will be checked with phpass.
* @global PasswordHash $wp_hasher phpass object. Used as a fallback for verifying
* passwords that were hashed with phpass.
* @param string $password Plaintext password.
* @param string $hash Hash of the password to check against.
* @param string|int $user_id Optional. ID of a user associated with the password.
* @return bool False, if the $password does not match the hashed password.
function wp_check_password(
// NOTE(review): the parameter list (`$password, $hash, $user_id`) and the
// `global $wp_hasher;` declaration are not shown in this listing.
// The shape of the stored $hash selects the verifier; every branch assigns $check,
// and the 'check_password' filter at the end may override the result.
if ( strlen( $hash ) <= 32 ) {
// Check the hash using md5 regardless of the current hashing mechanism.
// Legacy unsalted md5 (32 hex chars). hash_equals() keeps the comparison
// constant-time; wp_password_needs_rehash() reports such non-prefixed hashes as
// needing a rehash when bcrypt is the configured algorithm.
$check = hash_equals( $hash, md5( $password ) );
} elseif ( ! empty( $wp_hasher ) ) {
// Check the password using the overridden hasher.
// Consulted before the 4096-byte cap below, so a plugin-supplied hasher must
// enforce its own input limits.
$check = $wp_hasher->CheckPassword( $password, $hash );
} elseif ( strlen( $password ) > 4096 ) {
// Passwords longer than 4096 characters are not supported.
// NOTE(review): the assignment for this branch (expected to set $check to false)
// is not present in this listing.
} elseif ( str_starts_with( $hash, '$wp' ) ) {
// Check the password using the current prefixed hash.
// Must mirror wp_hash_password() exactly (same HMAC key, raw output, base64);
// any drift here invalidates every stored '$wp' hash.
// NOTE(review): $password is not trimmed here, while wp_hash_password() pre-hashes
// trim( $password ); a password with leading/trailing whitespace only verifies if the
// caller trims first — confirm against callers.
$password_to_verify = base64_encode( hash_hmac( 'sha384', $password, 'wp-sha384', true ) );
$check = password_verify( $password_to_verify, substr( $hash, 3 ) );
} elseif ( str_starts_with( $hash, '$P$' ) ) {
// Check the password using phpass.
// Loaded lazily, only when a phpass hash is actually encountered. The second
// constructor argument (portable hashes) presumably only affects hash generation,
// not verification — confirm against class-phpass.php.
require_once ABSPATH . WPINC . '/class-phpass.php';
$check = ( new PasswordHash( 8, true ) )->CheckPassword( $password, $hash );
// Check the password using compat support for any non-prefixed hash.
// NOTE(review): the `} else {` opening this branch is not shown. password_verify()
// returns false rather than throwing for a malformed or unrecognised hash format.
$check = password_verify( $password, $hash );
* Filters whether the plaintext password matches the hashed password.
* @since 6.8.0 Passwords are now hashed with bcrypt by default.
* Old passwords may still be hashed with phpass or md5.
* @param bool $check Whether the passwords match.
* @param string $password The plaintext password.
* @param string $hash The hashed password.
* @param string|int $user_id Optional ID of a user associated with the password.
return apply_filters( 'check_password', $check, $password, $hash, $user_id );
if ( ! function_exists( 'wp_password_needs_rehash' ) ) :
* Checks whether a password hash needs to be rehashed.
* Passwords are hashed with bcrypt using the default cost. A password hashed in a prior version
* of WordPress may still be hashed with phpass and will need to be rehashed. If the default cost
* or algorithm is changed in PHP or WordPress then a password hashed in a previous version will
* Note that, just like wp_check_password(), this function may be used to check a value that is
* not a user password. A plugin may use this function to check a password of a different type,
* and there may not always be a user ID associated with the password.
* @global PasswordHash $wp_hasher phpass object.
* @param string $hash Hash of a password to check.
* @param string|int $user_id Optional. ID of a user associated with the password.
* @return bool Whether the hash needs to be rehashed.
function wp_password_needs_rehash( $hash, $user_id = '' ) {
// NOTE(review): the `global $wp_hasher;` declaration is not shown in this listing.
if ( ! empty( $wp_hasher ) ) {
// NOTE(review): the body of this branch is not shown. With a plugin-supplied hasher
// there is no bcrypt policy to compare against, so it presumably returns before the
// filters below are consulted — confirm.
/** This filter is documented in wp-includes/pluggable.php */
// Same filters, same arguments as wp_hash_password(): the rehash decision is made
// against exactly the algorithm/options a fresh hash would use.
$algorithm = apply_filters( 'wp_hash_password_algorithm', PASSWORD_BCRYPT );
/** This filter is documented in wp-includes/pluggable.php */
$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );
$prefixed = str_starts_with( $hash, '$wp' );
if ( ( PASSWORD_BCRYPT === $algorithm ) && ! $prefixed ) {
// If bcrypt is in use and the hash is not prefixed then it needs to be rehashed.
// Covers md5, phpass and un-prefixed bcrypt hashes alike, since only
// wp_hash_password()'s pre-hashed form carries the '$wp' prefix.
// NOTE(review): the assignment for this branch and the `} else {` are not shown.
// Otherwise check the hash minus its prefix if necessary.
$hash_to_check = $prefixed ? substr( $hash, 3 ) : $hash;
// password_needs_rehash() reports true when the cost/options embedded in the stored
// hash differ from $options, so raising the bcrypt cost via the filter is picked up
// wherever the caller acts on this result.
$needs_rehash = password_needs_rehash( $hash_to_check, $algorithm, $options );
* Filters whether the password hash needs to be rehashed.
* @param bool $needs_rehash Whether the password hash needs to be rehashed.
* @param string $hash The password hash.
* @param string|int $user_id Optional. ID of a user associated with the password.
return apply_filters( 'password_needs_rehash', $needs_rehash, $hash, $user_id );
if ( ! function_exists( 'wp_generate_password' ) ) :
* Generates a random password drawn from the defined set of characters.
* Uses wp_rand() to create passwords with far less predictability
* than similar native PHP functions like `rand()` or `mt_rand()`.
* @param int $length Optional. The length of password to generate. Default 12.
* @param bool $special_chars Optional. Whether to include standard special characters.
* @param bool $extra_special_chars Optional. Whether to include other special characters.
* Used when generating secret keys and salts. Default false.
* @return string The random password.
function wp_generate_password( $length = 12, $special_chars = true, $extra_special_chars = false ) {
// Base alphabet: 62 alphanumerics, optionally extended below.
// NOTE(review): the `$password = '';` initialiser and the `$special_chars` branch that
// appends the standard punctuation set are not shown in this listing.
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
if ( $extra_special_chars ) {
// Extended set used for secret keys and salts; wp_salt() calls this function with
// both flags set and a length of 64.
$chars .= '-_ []{}<>~`+=,.;:/?|';
// One wp_rand() draw per character. Selection is uniform over the alphabet only as
// long as wp_rand() is uniform on [0, strlen($chars) - 1], which holds for its
// random_int() path.
for ( $i = 0; $i < $length; $i++ ) {
$password .= substr( $chars, wp_rand( 0, strlen( $chars ) - 1 ), 1 );
* Filters the randomly-generated password.
* @since 5.3.0 Added the `$length`, `$special_chars`, and `$extra_special_chars` parameters.
* @param string $password The generated password.
* @param int $length The length of password to generate.
* @param bool $special_chars Whether to include standard special characters.
* @param bool $extra_special_chars Whether to include other special characters.
// The filtered value is returned unchecked: a filter that shortens or fixes the result
// weakens every consumer, including the salts and keys generated in wp_salt().
return apply_filters( 'random_password', $password, $length, $special_chars, $extra_special_chars );
if ( ! function_exists( 'wp_rand' ) ) :
* Generates a random non-negative number.
* @since 4.4.0 Uses PHP7 random_int() or the random_compat library if available.
* @since 6.1.0 Returns zero instead of a random number if both `$min` and `$max` are zero.
* @global string $rnd_value
* @param int $min Optional. Lower limit for the generated number.
* Accepts positive integers or zero. Defaults to 0.
* @param int $max Optional. Upper limit for the generated number.
* Accepts positive integers. Defaults to 4294967295.
* @return int A random non-negative number between min and max.
function wp_rand( $min = null, $max = null ) {
// NOTE(review): the `global $rnd_value;` declaration, the null checks that apply the
// defaults to $min/$max, the `try {` and remaining `catch` clauses around random_int(),
// and the `return $val;` of the CSPRNG path are not all shown in this listing.
* Some misconfigured 32-bit environments (Entropy PHP, for example)
* truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
// Probe: on a platform that clamps, the literal 3000000000 collapses to 2147483647
// (PHP_INT_MAX) and the upper bound is kept as a float instead of an int.
$max_random_number = 3000000000 === 2147483647 ? (float) '4294967295' : 4294967295; // 4294967295 = 0xffffffff
$max = $max_random_number;
// We only handle ints, floats are truncated to their integer value.
// Use PHP's CSPRNG, or a compatible method.
// Once random_int() has failed, the flag stays false for the rest of the request and
// every later call takes the legacy fallback below.
static $use_random_int_functionality = true;
if ( $use_random_int_functionality ) {
// wp_rand() can accept arguments in either order, PHP cannot.
$_max = max( $min, $max );
$_min = min( $min, $max );
// random_int() is uniform and CSPRNG-backed; it throws when no secure source is available.
$val = random_int( $_min, $_max );
$use_random_int_functionality = false;
$use_random_int_functionality = false;
} catch ( Exception $e ) {
// NOTE(review): any failure of random_int() (including "no secure entropy source")
// silently degrades to the md5/sha1 fallback below rather than failing closed. For
// salt and secret-key generation (wp_generate_password() via wp_salt()) a hard error
// may be the safer behaviour — consider.
$use_random_int_functionality = false;
* Reset $rnd_value after 14 uses.
* 32 (md5) + 40 (sha1) + 40 (sha1) / 8 = 14 random numbers from $rnd_value.
// Legacy fallback: NOT a CSPRNG. The pool is derived from microtime(), mt_rand() and
// uniqid(), which are predictable, plus a seed persisted in the 'random_seed' transient.
if ( strlen( $rnd_value ) < 8 ) {
if ( defined( 'WP_SETUP_CONFIG' ) ) {
// NOTE(review): the branch taken while WP_SETUP_CONFIG is defined is not shown;
// presumably it seeds without touching the database. The else path reads the
// persisted seed.
$seed = get_transient( 'random_seed' );
$rnd_value = md5( uniqid( microtime() . mt_rand(), true ) . $seed );
$rnd_value .= sha1( $rnd_value );
$rnd_value .= sha1( $rnd_value . $seed );
// Roll the seed forward so the next request does not start from the same state.
$seed = md5( $seed . $rnd_value );
if ( ! defined( 'WP_SETUP_CONFIG' ) && ! defined( 'WP_INSTALLING' ) ) {
set_transient( 'random_seed', $seed );
// Take the first 8 digits for our value.
$value = substr( $rnd_value, 0, 8 );
// Strip the first eight, leaving the remainder for the next call to wp_rand().
$rnd_value = substr( $rnd_value, 8 );
// 8 hex digits -> 0..0xffffffff; a float on 32-bit builds, hence abs() here and the
// (int) cast on return.
$value = abs( hexdec( $value ) );
// Reduce the value to be within the min - max range.
// Linear rescale in floating point: close to uniform but not exactly, unlike the
// random_int() path above.
$value = $min + ( $max - $min + 1 ) * $value / ( $max_random_number + 1 );
return abs( (int) $value );
if ( ! function_exists( 'wp_set_password' ) ) :
* Updates the user's password with a new hashed one.
* For integration with other applications, this function can be overwritten to
* instead use the other package password checking algorithm.
* Please note: This function should be used sparingly and is really only meant for single-time
* application. Leveraging this improperly in a plugin or theme could result in an endless loop
* of password resets if precautions are not taken to ensure it does not execute on every page load.
* @since 6.8.0 The password is now hashed using bcrypt by default instead of phpass.
* @global wpdb $wpdb WordPress database abstraction object.
* @param string $password The plaintext new user password.
* @param int $user_id User ID.
function wp_set_password(