WordPress Password Hash Generator
Generate and verify WordPress phpass password hashes client-side. Uses the same MD5-based iterated hash algorithm as WordPress core — no server, no data sent.
Hash starts with $P$B — compatible with WordPress, WooCommerce, and bbPress.
What is a WordPress phpass Hash?
WordPress stores passwords using the phpass (Portable PHP Password Hashing Framework) algorithm — a salted, iterated MD5 scheme. Every password hash starts with $P$B: the $P$ prefix identifies the phpass format, and B encodes an iteration count of 13 (meaning 2¹³ = 8,192 MD5 rounds). The same algorithm is used by WooCommerce, bbPress, and any WordPress plugin that delegates to the core wp_hash_password() function. This generator runs the full algorithm in your browser — no password is ever sent to a server.
How the phpass algorithm works
phpass generates an 8-character random salt from the ./0-9A-Za-z alphabet, prepends it to the password, and hashes the result with MD5. It then runs MD5 another 2^N−1 times (N = iteration count), always appending the original password bytes to the previous hash before each round. The final hash bytes are encoded with a custom base64 alphabet in 6-bit little-endian groups. For a given salt and iteration count the result is a deterministic 34-character string; because each call generates a fresh random salt, the same password produces a different hash every time.
Frequently Asked Questions
How do I update a WordPress password directly in the database?
Generate a hash with this tool, then run: UPDATE wp_users SET user_pass = '$P$B...' WHERE user_login = 'admin'; against your WordPress database. WordPress will accept the new hash immediately — no cache flush needed. This is useful when you're locked out and can't use the password reset email flow.
Why does WordPress use MD5 instead of bcrypt or Argon2?
WordPress adopted phpass in 2008 for shared-hosting compatibility — bcrypt required PHP extensions that weren't universally available. Modern WordPress (since 6.8) uses bcrypt via password_hash() for new passwords, but continues to verify phpass hashes for backwards compatibility. Existing $P$ hashes remain valid and are transparently re-hashed to bcrypt on the next successful login.
Is phpass secure enough for production?
By modern standards, iterated MD5 is weaker than bcrypt, scrypt, or Argon2 because MD5 is very fast on GPUs. With 8,192 iterations a modern GPU can test hundreds of millions of guesses per second. For new WordPress installations, ensure you're on WordPress 6.8+, which uses bcrypt. If you're maintaining a legacy site, consider adding a plugin that upgrades hashes to bcrypt on login.
What other applications use phpass?
phpass was widely adopted by PHP applications in the 2008–2014 era: Drupal 7 (uses a variant with a different prefix), older versions of Joomla, phpBB3, and MediaWiki. If you're verifying hashes from these systems, check whether they use the $P$ (WordPress/phpass standard) or $H$ (phpBB3 variant) prefix — both use the same algorithm but the prefix differs.