[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJ0n8c0GB6PbJUaxSt7Y7tOAurnVhLIgaKdy5Pn9jhgo":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":37,"analysis":128,"fingerprints":151},"password-bcrypt","Password bcrypt","1.0.3","Viktor Szépe","https:\u002F\u002Fprofiles.wordpress.org\u002Fszepeviktor\u002F","\u003Cp>wp-password-bcrypt is a WordPress plugin to replace WP’s outdated and insecure\u003Cbr \u002F>\nMD5-based password hashing with the modern and secure \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FBcrypt\" rel=\"nofollow ugc\">bcrypt\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>It is written by \u003Ca href=\"https:\u002F\u002Froots.io\u002Fplugins\u002Fbcrypt-password\u002F\" rel=\"nofollow ugc\">roots.io people\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>This plugin requires PHP >= 5.5.0 which introduced the built-in\u003Cbr \u002F>\n\u003Ca href=\"http:\u002F\u002Fphp.net\u002Fmanual\u002Fen\u002Ffunction.password-hash.php\" rel=\"nofollow ugc\">\u003Ccode>password_hash\u003C\u002Fcode>\u003C\u002Fa> and\u003Cbr \u002F>\n\u003Ca href=\"http:\u002F\u002Fphp.net\u002Fmanual\u002Fen\u002Ffunction.password-verify.php\" rel=\"nofollow ugc\">\u003Ccode>password_verify\u003C\u002Fcode>\u003C\u002Fa> functions.\u003C\u002Fp>\n\u003Cp>See \u003Ca href=\"https:\u002F\u002Froots.io\u002Fimproving-wordpress-password-security\u002F\" rel=\"nofollow ugc\">Improving WordPress Password Security\u003C\u002Fa>\u003Cbr \u002F>\nfor more background on this plugin and the password hashing issue.\u003C\u002Fp>\n","Replaces wp_hash_password and wp_check_password with 
PHP 5.5's password_hash and password_verify.",2000,30105,100,3,"2016-07-21T18:27:00.000Z","4.5.33","4.4","",[20,21,22],"bcrypt","hash","password","https:\u002F\u002Froots.io","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpassword-bcrypt.1.0.3.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":25,"avg_patch_time_days":34,"trust_score":35,"computed_at":36},"szepeviktor",8,4090,30,84,"2026-04-04T04:17:29.177Z",[38,58,75,94,110],{"slug":39,"name":40,"version":41,"author":42,"author_profile":43,"description":44,"short_description":45,"active_installs":11,"downloaded":46,"rating":13,"num_ratings":47,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":18,"download_link":56,"security_score":57,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"password-hash","PHP Native Password Hash","3.0","Ayesh Karunaratne","https:\u002F\u002Fprofiles.wordpress.org\u002Fayeshrajans\u002F","\u003Cp>This plugin swaps out WordPress core’s password hashing mechanism with PHP 5.5’s \u003Ccode>password_hash()\u003C\u002Fcode> and its accompanying functions. By default, PHP uses bcrypt to hash the passwords. If available, this plugin will use modern Argon2 algorithm. 
The transition will be transparent.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A password salt will be generated using a Cryptographically Secure Pseudo-Random Number Generator (\u003Ccode>CSPRNG\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>Password hashes are safe from dictionary attacks with rainbow tables or any other precomputed hash lists, because a secure salt is generated for each password.\u003C\u002Fli>\n\u003Cli>The password hashing is iterated multiple times to provide a good resistance against brute-force attacks.\u003C\u002Fli>\n\u003Cli>Password checks are made in a way that it mitigates time-attacks.\u003C\u002Fli>\n\u003Cli>You do not have to reset passwords of all users. Passwords already hashed in the database will be rehashed automatically and transparently the next time the user logs in.\u003C\u002Fli>\n\u003Cli>PHP might come up with newer password hashing algorithms, and they will be automatically supported without having to reset all the passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin was made initially because one of our applications used WordPress for authentication, but we needed to use an external system\u003Cbr \u002F>\nto verify the passwords directly from the database too. 
Since WordPress has its own password hashing algorithm, we decided to make this plugin to address that problem.\u003Cbr \u002F>\nWith this plugin, passwords generated by both WordPress and other custom applications now use the PHP’s default \u003Ccode>password_hash()\u003C\u002Fcode> functions without compromising any of the applications’ security.\u003C\u002Fp>\n\u003Cp>This plugin is designed to be as minimal and fast as possible, and can be considered a must-use for EVERY WordPress application given the minimal footprint of this plugin, and considering the importance of using a secure hashing algorithm for passwords.\u003C\u002Fp>\n","Makes WordPress use PHP's native password_hash() functions for portable, stronger, and time-attack safe bcrypt and Argon2 hashes.",23029,6,"2024-06-10T16:52:00.000Z","6.5.8","5.2","7.0",[53,20,22,54,55],"argon2","password-hashing","password_hash","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpassword-hash.3.0.zip",92,{"slug":59,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":13,"downloaded":66,"rating":13,"num_ratings":67,"last_updated":68,"tested_up_to":18,"requires_at_least":18,"requires_php":18,"tags":69,"homepage":18,"download_link":74,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"wp-hash-password","WP Hash Password","1.0.7","Ninos","https:\u002F\u002Fprofiles.wordpress.org\u002Fninos-ego\u002F","\u003Cp>This plugin replaces the pluggable wordpress function wp_hash_password() for a better security. The passwords are hashed with bcrypt. 
After activation the users should create new passwords.\u003C\u002Fp>\n","Requires at least: 3.2.1 Tested up to: 4.2 Stable tag: 1.0.7 Replaces the pluggable wordpress function wp_hash_password()",8550,5,"2015-04-26T17:17:00.000Z",[20,70,71,72,73],"passwordhash","pluggable","wp_hasher","wp_hash_password","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-hash-password.zip",{"slug":76,"name":77,"version":78,"author":79,"author_profile":80,"description":81,"short_description":82,"active_installs":83,"downloaded":84,"rating":26,"num_ratings":26,"last_updated":85,"tested_up_to":86,"requires_at_least":87,"requires_php":18,"tags":88,"homepage":92,"download_link":93,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"ballast-security-securing-hashing","Ballast Security Hashing","1.2.1","BallastSecurity","https:\u002F\u002Fprofiles.wordpress.org\u002Fballastsecurity\u002F","\u003Cp>This plugin seamlessly changes your stored password hash to a far stronger one. The hash that it is changed to is\u003Cbr \u002F>\ngenerated with a variety of variations on PBKDF2, including my own ARC4PBKDF2 which adds custom ARC4 encryption\u003Cbr \u002F>\nduring the hashing process, then a SHA-1 to meet size constraints. 
This plugin exponentially increases the strength\u003Cbr \u002F>\nof your stored password.\u003C\u002Fp>\n\u003Ch3>Arbitrary section\u003C\u002Fh3>\n","This plugin drastically increases the security of the hash used to store passwords",10,2651,"2012-09-06T22:17:00.000Z","3.4.2","2.0.2",[89,21,22,90,91],"ballast-security","pbkdf2","security","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fballast-security-securing-hashing\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fballast-security-securing-hashing.zip",{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":83,"downloaded":102,"rating":26,"num_ratings":26,"last_updated":18,"tested_up_to":103,"requires_at_least":41,"requires_php":104,"tags":105,"homepage":18,"download_link":108,"security_score":13,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":109},"wp-argon2-password-hashing","WP Argon2 Password Hashing","1.0.0","mfsoftworks","https:\u002F\u002Fprofiles.wordpress.org\u002Fmfsoftworks\u002F","\u003Cp>Existing user accounts will have their password hash updated with Argon2i on the next successful sign in.\u003C\u002Fp>\n","Existing user accounts will have their password hash updated with Argon2i on the next successful sign 
in.",1636,"4.9.29","7.2",[106,21,107,22,91],"argon","hashing","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-argon2-password-hashing.zip","2026-03-15T10:48:56.248Z",{"slug":111,"name":112,"version":113,"author":114,"author_profile":115,"description":116,"short_description":117,"active_installs":83,"downloaded":118,"rating":13,"num_ratings":119,"last_updated":120,"tested_up_to":121,"requires_at_least":122,"requires_php":18,"tags":123,"homepage":126,"download_link":127,"security_score":25,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"wpcrypt","WpCrypt","0.1","bruno.sousa","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrunosousa-1\u002F","\u003Cp>Allow users to change password encryption method to SHA1, SHA2, AES Rijndael and more…\u003C\u002Fp>\n","Allow users to change password encryption method to SHA1, SHA2, AES Rijndael and more...",2587,1,"2015-04-16T03:22:00.000Z","3.5.2","3.3",[124,21,125,22,91],"encryption","hashes","http:\u002F\u002Femancipa.net","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpcrypt.zip",{"attackSurface":129,"codeSignals":135,"taintFlows":142,"riskAssessment":143,"analyzedAt":150},{"hooks":130,"ajaxHandlers":131,"restRoutes":132,"shortcodes":133,"cronEvents":134,"entryPointCount":26,"unprotectedCount":26},[],[],[],[],[],{"dangerousFunctions":136,"sqlUsage":137,"outputEscaping":139,"fileOperations":26,"externalRequests":26,"nonceChecks":26,"capabilityChecks":26,"bundledLibraries":141},[],{"prepared":26,"raw":26,"locations":138},[],{"escaped":26,"rawEcho":26,"locations":140},[],[],[],{"summary":144,"deductions":145},"Based on the static analysis, the 'password-bcrypt' plugin v1.0.3 exhibits a very strong security posture.  
The absence of any identified dangerous functions, SQL queries without prepared statements, unescaped output, file operations, external HTTP requests, or taint flows suggests robust coding practices regarding data handling and security.\n\nThe plugin also has no recorded vulnerabilities, CVEs, or even a history of past issues. This lack of historical problems, combined with the clean static analysis, indicates a well-maintained and secure codebase.  However, the complete absence of any attack surface entry points (AJAX, REST API, shortcodes, cron) and the lack of nonce or capability checks, while seemingly positive in that there are no *unprotected* points, also means there are no explicitly secured points either. This can be interpreted as the plugin not requiring any interaction that would necessitate these security measures, or potentially an oversight if future functionality were to be added without proper security considerations.\n\nIn conclusion, the plugin currently presents a very low security risk due to its clean code and lack of vulnerability history. The primary area for potential, albeit minor, concern is the complete lack of an attack surface, which could imply a lack of integration or a potential gap if its scope were to expand. Nonetheless, for its current state, it is highly secure.",[146,148],{"reason":147,"points":67},"No Nonce Checks",{"reason":149,"points":67},"No Capability Checks","2026-03-16T18:38:29.448Z",{"wat":152,"direct":157},{"assetPaths":153,"generatorPatterns":154,"scriptPaths":155,"versionParams":156},[],[],[],[],{"cssClasses":158,"htmlComments":159,"htmlAttributes":160,"restEndpoints":161,"jsGlobals":162,"shortcodeOutput":163},[],[],[],[],[],[]]