Generate WordPress-compatible password hashes (phpass) and verify existing hashes directly in your browser.
{{ hash }}Enter a password to generate a WordPress hash.
| {{ __t('info_algorithm') }} | {{ hashInfo.algorithm }} |
| {{ __t('info_iterations') }} | {{ hashInfo.iterations }} |
| {{ __t('info_salt') }} | {{ hashInfo.salt }} |
| {{ __t('info_valid_format') }} | {{ hashInfo.valid ? '✓' : '✗' }} |
WordPress uses the phpass (PHPass) library to hash passwords. It employs iterated MD5 hashing with a random salt. The resulting hashes are prefixed with $P$ (or $H$) and are 34 characters long. These hashes are stored in the wp_users table in the user_pass column. While MD5 alone is considered insecure, the many iterations provide additional protection against brute-force attacks.
The phpass algorithm first generates a random 8-character salt. The hash starts with the prefix $P$, followed by a character indicating the iteration count (e.g., B = 8,192 iterations) and the salt. Then MD5 is applied repeatedly: first to salt + password, then the result is hashed again together with the password — 8,192 times in total. The binary result is then converted to a readable string using a custom base64 encoding. The final hash is always 34 characters long.
Yes. All calculations run entirely in your browser using JavaScript. No passwords or hashes are sent to a server. You can verify this at any time by checking the Network tab in your browser's developer tools.