Why does my WordPress hash look different each time?

WordPress uses a random salt for each hash, so the same password produces different hashes. This is a security feature that prevents rainbow table attacks. All generated hashes for the same password will validate correctly when you log in.

Is WordPress password hashing secure?

WordPress's phpass provides reasonable security with 8192 iterations of MD5. However, it's weaker than modern bcrypt or Argon2. For maximum security, use strong passwords (16+ characters) and consider plugins that add bcrypt support to WordPress.

Can I use MD5 hashes in WordPress?

WordPress accepts plain MD5 for backward compatibility and will automatically upgrade to phpass on the next successful login. However, plain MD5 is extremely vulnerable—never use it. Always use the phpass format ($P$) generated by proper tools.

What does the $P$ prefix mean in WordPress hashes?

The $P$ prefix identifies a phpass portable hash. The character after $P$ indicates the cost parameter (number of iterations). 'B' means 2^13 = 8192 iterations. The next 8 characters are the salt, followed by the actual hash value.

Generate WordPress Password Hashes — Free phpass Hash Creator

Generate WordPress-compatible phpass password hashes for database operations. Reset locked-out admin accounts via phpMyAdmin. Uses the same $P$ algorithm as WordPress core. For new projects, consider bcrypt plugins instead.

When to Use This Tool

Use this when you need to manually update a password in the WordPress database (wp_users table), reset a locked-out admin account, or migrate users. Always test password strength before hashing.

Password to Hash

WordPress Password Hash

Click "Generate Hash" to create

Copied to clipboard!

SQL Update Query

UPDATE wp_users SET user_pass = 'HASH_HERE' WHERE user_login = 'username';

Generate Strong Password Test Password Strength

How to Reset WordPress Password via Database

Step-by-step guide for updating passwords directly in the database.

Generate a Strong Password

First, create a secure password that's at least 12 characters with mixed character types. Test its strength to ensure adequate security.

Generate the WordPress Hash

Enter your new password in the tool above and click "Generate WordPress Hash". The hash will start with $P$ which indicates the phpass portable hash format.

Access phpMyAdmin or Database

Log into your hosting control panel (cPanel, Plesk, etc.) and open phpMyAdmin. Select your WordPress database from the left sidebar.

Update the Password

Navigate to the wp_users table, find your user, click Edit, and paste the generated hash into the user_pass field. Or run the SQL query provided above.

Log In with New Password

Go to your WordPress login page and sign in with your username and the new plain-text password (not the hash). Store the password securely in a password manager.

Understanding WordPress Password Hashes

WordPress uses the phpass (Portable PHP Password Hashing) framework.

$P$BeHQtJJJrqou8x9sDPIAc3.u0wqI4H5fJMClPQLVPpmosCjHadDo/

$P$ — Identifies this as a phpass portable hash

B — Cost parameter (encodes iteration count: 2^13 = 8192 iterations)

eHQtJJJrqou8x9 — 8-character salt (64 bits)

sDPIAc3.u0wqI4H5fJMClPQLVPpmosCjHadDo/ — Actual hash value (MD5-based)

Security Note: WordPress's phpass is more secure than plain MD5 but less secure than bcrypt. For new projects, consider plugins that add bcrypt support to WordPress.

WordPress phpass vs Modern Hashing

Understanding WordPress's security tradeoffs.

WordPress phpass

Default since WP 2.5

→ 8,192 iterations of MD5
→ 64-bit random salt
→ GPU cracking: ~2B hashes/sec
→ Backward compatible with older WP

8-char password: Crackable in ~hours

16-char random: Secure (centuries)

bcrypt

Modern standard

✓ Configurable cost (2¹² = 4,096+ iterations)
✓ 128-bit random salt
✓ GPU cracking: ~184K hashes/sec
✓ Requires plugin for WordPress

8-char password: Years to crack

16-char random: Virtually uncrackable

When to Use Database Password Reset

Choose the right method for your situation.

✓ Use This Tool When

→ You're locked out of admin and forgot password
→ Password reset emails aren't working
→ Migrating users from another system
→ Emergency access recovery
→ Bulk password changes via script

! Use Normal Reset Instead

→ Email reset works normally
→ You have admin access to change passwords
→ Users are changing their own passwords
→ WP-CLI is available (wp user update)
→ Security plugins can reset passwords

Frequently Asked Questions

Free Password Strength Tester

Previous Tool

Bcrypt Generator

WordPress Password Security Guide

Managing WordPress passwords securely is crucial for site administrators. Our WordPress password hash generator helps when you need database-level password operations, but understanding the broader security context ensures you make the right choices.

When You Need Database Password Reset

Several situations require direct database access: locked out of admin with no email recovery configured, compromised account needing immediate password change, migrating users from another system, or automated deployment scripts. In all cases, generate a strong password first and test its strength.

WordPress Password Storage Evolution

WordPress originally used plain MD5 hashes—extremely insecure by today's standards. Version 2.5 introduced phpass, a significant improvement that adds salting and iteration. While not as robust as bcrypt, phpass provides reasonable protection when combined with strong passwords.

WordPress maintains backward compatibility with MD5 hashes—if detected, it automatically upgrades to phpass on next login. Never manually insert MD5 hashes; always use the phpass format from this tool to ensure proper security.

Enhancing WordPress Security

Beyond password hashing, protect your WordPress installation with two-factor authentication plugins, limit login attempts, use security plugins like Wordfence or Sucuri, keep WordPress and plugins updated, and enforce password policies for all users. Consider plugins that upgrade WordPress to use bcrypt for even stronger protection.

For multisite installations or sites with sensitive data, evaluate whether WordPress's default hashing meets your security requirements. Enterprise environments might benefit from dedicated security audits and potentially custom authentication solutions using stronger algorithms like those from our bcrypt generator.