function wp_check_password($password, $hash, $user_id = '') {}

Checks the plaintext password against the encrypted Password.
Maintains compatibility between old version and the new cookie authentication protocol using PHPass library. The $hash parameter is the encrypted password and the function compares the plain text password when encrypted similarly against the already encrypted password to see if they match.


  • string $password: Plaintext user’s password
  • string $hash: Hash of the user’s password to check against.
  • $user_id

Return values

returns:False, if the $password does not match the hashed password

Defined filters

  • check_password
    apply_filters('check_password', $check, $password, $hash, $user_id)
  • check_password
    apply_filters('check_password', $check, $password, $hash, $user_id)

Source code

function wp_check_password($password, $hash, $user_id = '') {

	global $wp_hasher;

	// If the hash is still md5...

	if ( strlen($hash) <= 32 ) {

		$check = ( $hash == md5($password) );

		if ( $check && $user_id ) {

			// Rehash using new hash.

			wp_set_password($password, $user_id);

			$hash = wp_hash_password($password);


		return apply_filters('check_password', $check, $password, $hash, $user_id);


	// If the stored hash is longer than an MD5, presume the

	// new style phpass portable hash.

	if ( empty($wp_hasher) ) {

		require_once( ABSPATH . 'wp-includes/class-phpass.php');

		// By default, use the portable hash from phpass

		$wp_hasher = new PasswordHash(8, TRUE);


	$check = $wp_hasher->CheckPassword($password, $hash);

	return apply_filters('check_password', $check, $password, $hash, $user_id);



No comments yet... Be the first to leave a reply!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: