Generate WordPress Password Hashes — Free phpass Hash Creator

Type your new password, select your WordPress version, and this free WordPress password hash generator instantly outputs the correct hash — phpass ($P$) for WordPress 3.x–6.7 or bcrypt ($wp$2y$) for WordPress 6.8+ — matching the exact format WordPress core uses internally. Copy the hash directly or grab the ready-made SQL UPDATE query to paste into phpMyAdmin and reset any WordPress account in seconds. A password generator removes guesswork from password creation — every result is random and meets modern complexity requirements.

WordPress Password Hash

Click "Generate Hash" to create
Copied to clipboard!
SQL Update Query
UPDATE wp_users SET user_pass = 'HASH_HERE' WHERE user_login = 'username';

WordPress password hash generator guide

When you're locked out of your WordPress site or need to manually set a user's credentials in the database, a WordPress password hash generator gives you the exact hash string your installation expects — so the login works on the first try. WordPress does not store actual passwords in plain text; it stores a cryptographic hash, and submitting the wrong format means a permanently broken login. This tool removes that guesswork, whether you're managing a brand-new WordPress 6.8 site or maintaining a legacy installation from years ago. The wifi password generator explains the difference between WPA2-PSK and WPA3-SAE so you can choose the right security mode.

What This Free Online WordPress Password Hash Generator Does

What Is WordPress and What Is a phpass Password Hash?

WordPress is the world's most widely used open-source CMS (Content Management System), powering more than 40% of all websites. Because it handles user authentication for millions of sites, wordpress security is a central concern in its design. A core principle of that security model is that WordPress does not store actual passwords in its database — instead, every wordpress password stored as hash is a fixed-length cryptographic string written to the user_pass column.

A password hash is a fixed-length string produced by a one-way cryptographic hashing function. Given the same input password and the same algorithm, you always get the same hash — but you cannot reverse the hash back into the original password. This means that even if an attacker gains full read access to your MySQL database, they cannot immediately read user credentials. Understanding the wordpress password hash format is essential: phpass hashes (used in WordPress 3.x through 6.7) begin with $P$, while bcrypt hashes introduced in WordPress 6.8 begin with $wp$2y$.

Plain text password
The original password typed by the user, e.g. MyP@ssw0rd!. Never stored in the WordPress database.
Password hash
The encrypted output stored in the user_pass column of wp_users, e.g. $P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/.
Hashing algorithm
The mathematical function that converts a plain text password into a hash. WordPress has used phpass (MD5-based) historically and now uses bcrypt as of version 6.8.

What Is Password Hashing and Why Does It Matter for WordPress Security?

Password hashing is a form of server-side hashing that belongs to the broader discipline of web application security. Unlike symmetric encryption, a hash function is intentionally one-directional: you can verify a password by hashing the candidate and comparing it to the stored hash, but you cannot decrypt the stored hash. This design provides brute force protection — particularly when the algorithm is slow by design, as bcrypt is. The php password hashing functions (password_hash() and password_verify()) used in modern WordPress automatically add a random salt, making pre-computed rainbow-table attacks ineffective.

Understanding this process is essential for wordpress user management and database administration: when you need to reset a password outside the WordPress UI, you must supply a correctly formatted hash — not the plain text password — directly into the database.

Why This WordPress Password Hash Generator Tool Stands Apart

Most online hash utilities produce a single algorithm output with no version awareness. This wordpress md5 password hash generator and bcrypt tool is built specifically around WordPress's evolving password hashing algorithm history, which means the hash you copy is guaranteed to be accepted by the target installation without any manual adjustments. Understanding how to use wordpress password generator tools like this one is key to a successful wordpress database password reset without errors.

  • New password hashing system for WordPress 6.8 — Full support for the bcrypt-based wp_hash_password() introduced in WordPress 6.8, including the $wp prefix and SHA-384 pre-hashing step that prevents entropy loss on long passwords.
  • Previous versions supported — Generate a valid phpass hash for any WordPress 3.x, 4.x, 5.x, or 6.x (pre-6.8) site without installing PHP locally.
  • Complete security and relevance — Every hash is generated server-side with the correct salt and iteration count, so it passes WordPress's own wp_check_password() verification.
  • The most valid password hash — Selects the optimal algorithm automatically once you choose your WordPress version, removing any possibility of format mismatch.
  • Random password generation — Click the refresh icon to produce a cryptographically strong random password before hashing it, combining password security best practices with convenience.

Supported WordPress Versions — WordPress Admin Password Hash Generator Reference

The wordpress password hashing algorithm has changed significantly over the platform's lifetime. The table below maps each major release family to its hashing method so you know exactly what format to expect when you generate wordpress password hash online using this tool.

WordPress Version Hashing Algorithm Hash Prefix PHP Function
WordPress 3.x phpass (MD5-based, 28 = 256 MD5 passes) $P$B PasswordHash::HashPassword()
WordPress 4.x phpass (MD5-based) $P$B wp_hash_password() via phpass
WordPress 5.x phpass (MD5-based) $P$B wp_hash_password() via phpass
WordPress 6.x (pre-6.8) phpass (MD5-based) $P$B wp_hash_password() via phpass
WordPress 6.8+ bcrypt with SHA-384 pre-hash $wp$2y$ password_hash() via PASSWORD_BCRYPT

The shift to bcrypt in WordPress 6.8 is the most significant change to the wordpress password encryption method in the platform's history. Bcrypt is intentionally slow and computationally expensive, making it far more resistant to brute-force cracking than the MD5-based phpass approach. The new password hashing system also incorporates a SHA-384 HMAC step before the bcrypt call, ensuring that passwords longer than 72 bytes (bcrypt's input limit) don't silently lose entropy — a subtle vulnerability in naive bcrypt implementations.

  • phpass: Portable PHP password hashing framework. Used across supported wordpress versions 3.x through 6.7. Configurable to use Blowfish or extended DES instead of MD5, though MD5 is the WordPress default for backward compatibility.
  • bcrypt: Industry-standard algorithm recommended by the Password Hashing Competition alongside scrypt and Argon2. Supported natively in PHP via password_hash(). The only algorithm guaranteed to be available across all PHP installations, making it the right choice for wordpress site maintenance going forward.

WordPress hash generator instructions

How to Use This WordPress Database Password Hash Generator Step by Step

Hash Generation for Your Target WordPress Version

Generating a valid hash takes only a few seconds. Follow these steps to update wordpress password and produce a value ready to insert directly into your wordpress database to replace wordpress password hash in the user_pass column: The pin generator shows how many possible combinations exist for your chosen length so you can assess the risk.

  1. Enter your password: Type the new plain text password you want to assign, or click the refresh icon to automatically produce a strong random password using the built-in secure password generator.
  2. Select your WordPress version: Choose from WordPress 3.x, 4.x, 5.x, 6.x, or 6.8+ to ensure the correct hashing algorithm is applied. Choosing the wrong version produces a hash your site will reject.
  3. Generate the hash: Click the Generate Hash button. The tool calls the appropriate algorithm — phpass for legacy versions or bcrypt for WordPress 6.8+ — and returns the hash string instantly.
  4. Copy the hash: Use the copy icon or select the hash string manually. This value is your new user_pass for the target user in wp_users.

The internal logic mirrors WordPress's own wp_hash_password() function. For reference, the legacy phpass initialization looks like this:

$wp_hasher = new PasswordHash(8, TRUE);
$password_hashed = '$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/';
$plain_password = 'test';

if ($wp_hasher->CheckPassword($plain_password, $password_hashed)) {
    echo "YES, Matched";
} else {
    echo "No, Wrong Password";
}

The PasswordHash constructor accepts a cost factor (here 8) and a portability flag. WordPress uses PasswordHash(8, TRUE) in its phpass implementation, producing the familiar $P$ hashes. The bcrypt path introduced in WordPress 6.8 bypasses PasswordHash entirely and calls PHP's native password_hash($password_to_hash, PASSWORD_BCRYPT, $options) after pre-hashing with SHA-384.

The mathematical cost of bcrypt is controlled by its work factor \(w\). The number of hash iterations is:

At the default cost factor of 10, bcrypt performs 210 = 1,024 internal rounds, making each hash attempt take ~100 ms on modern hardware — trivial for a legitimate login, but crippling for an attacker running millions of guesses. This is why cybersecurity professionals recommend bcrypt over faster algorithms for password encryption.

Updating the Password Hash in the WordPress Database

Once you have your hash, you need to write it into the wordpress database. The database modification process requires access to either phpMyAdmin or a MySQL command-line client.

Method 1 — SQL query via phpMyAdmin (recommended):

  1. Open phpMyAdmin and select your WordPress database.
  2. Click the SQL tab and run the following query, replacing YOUR-HASH with the hash you copied and USER-LOGIN with the exact username:
UPDATE `wp_users` SET `user_pass` = 'YOUR-HASH' WHERE `user_login` = 'USER-LOGIN';
  1. Click Go. phpMyAdmin will confirm that 1 row was affected.
  2. Log into WordPress with your new password to verify the change worked.

Method 2 — Direct row edit in phpMyAdmin:

  1. Navigate to the wp_users table (your table prefix may differ, e.g. mysite_users).
  2. Find the row for your user and click Edit.
  3. Locate the user_pass field, clear its current value, and paste your new hash.
  4. Click Go to save.

Resetting a Lost WordPress Password Using the WordPress Hash Generator

When to Reset a WordPress Password via Database

The standard WordPress password reset flow sends a reset link to the account's registered email address. However, there are scenarios in wordpress user management and database administration where that flow isn't available:

  • The admin email address is no longer accessible or was set incorrectly during migration.
  • WordPress's mail function is broken or not configured on the server.
  • You are setting up a staging or development copy of a site and need to update WordPress password in database without triggering live email notifications.
  • You need to change wordpress admin password via hash on a client site without going through the WordPress back-end.

In all these cases, using this wordpress password hash generator no login tool to generate a hash and then applying it via a SQL query is the fastest, most reliable solution to reset wordpress password via database — it requires no plugin, no FTP modification of core files, and no email access — just phpMyAdmin or equivalent MySQL database access. You can also reset wordpress password using hash across any release by selecting the matching version before generating.

Advanced Method — Editing wp-includes/pluggable.php Directly

An alternative sometimes referenced in older tutorials involves temporarily overriding the wp_hash_password() function in wp-includes/pluggable.php to accept a plain text value during a single login cycle. This approach is not recommended for several reasons:

  • Any modification to core WordPress files will be overwritten on the next automatic update.
  • A mistake in wp-includes/pluggable.php can break authentication site-wide.
  • The direct database method using a generated hash achieves the same result with far less risk.

Stick with the generate hash → update user_pass in wp_users workflow for safe, repeatable wordpress site maintenance.

Understanding bcrypt, phpass, and WordPress Password Encryption Methods

Bcrypt was designed by Niels Provos and David Mazières and published in 1999. Its defining feature is an adjustable cost factor that can be increased over time as hardware becomes more powerful, keeping it resistant to brute-force attacks for the foreseeable future. The bcrypt specifications PDF on GitHub and the reference C implementation of bcrypt both confirm that the algorithm's core Blowfish key schedule is what makes it slow — each hash requires running that schedule 2w times.

For comparison, the phpass wordpress phpass hashing algorithm uses multiple passes of MD5. While MD5 itself is not a password-hashing algorithm (it was designed for speed), phpass adds stretching and salt to make it more suitable for password security. The result is still weaker than bcrypt because MD5 can be computed extremely quickly on modern GPUs, enabling high-speed brute-force attempts even against salted hashes.

bcrypt
Blowfish-based adaptive hashing. Default in WordPress 6.8+. Work factor w = 10 by default (210 = 1,024 rounds). Hash format: $wp$2y$10$... in WordPress.
phpass
MD5-based portable PHP hashing. Default in WordPress 3.x–6.7. 256 MD5 passes (\(2^8\)). Hash format: $P$B....
Argon2
Winner of the Password Hashing Competition. Available via PASSWORD_ARGON2ID in PHP. Can be configured in WordPress 6.8+ via the wp_hash_password_algorithm filter, though bcrypt remains the guaranteed-available default.
scrypt
Memory-hard algorithm offering resistance against hardware-accelerated attacks. Referenced in Password Hashing: scrypt, bcrypt and Argon2 comparisons. Not natively available in PHP without an extension.

The WordPress 6.8 implementation is notable for its SHA-384 pre-hashing step. Because bcrypt truncates input at 72 bytes, a password longer than that would have its extra characters silently ignored under naive bcrypt — a vulnerability. WordPress addresses this with:

$password_to_hash = base64_encode(
    hash_hmac('sha384', trim($password), 'wp-sha384', true)
);
return '$wp' . password_hash($password_to_hash, PASSWORD_BCRYPT, $options);

The HMAC with the domain-separation key 'wp-sha384' compresses any-length password into a fixed 64-byte base64 string before bcrypt sees it, preserving full entropy. The $wp prefix distinguishes these hashes from vanilla bcrypt strings, allowing WordPress to identify and re-hash them if the algorithm changes again in a future release. This level of detail is why selecting the correct WordPress version in this wordpress password hash generator all versions tool matters — the hash format is not interchangeable across versions, which is also why this tool lets you target each major release individually using your wp password hash tool.