[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIm8tN0m2hiaz5_Tc6-RjT3yX9kE9LlBZSwvECEBKBPM":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":15,"requires_php":15,"tags":16,"homepage":15,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":28,"crawl_stats":25,"alternatives":35,"analysis":74,"fingerprints":97},"wp-hash-password","WP Hash Password","1.0.7","Ninos","https:\u002F\u002Fprofiles.wordpress.org\u002Fninos-ego\u002F","\u003Cp>This plugin replaces the pluggable wordpress function wp_hash_password() for a better security. The passwords are hashed with bcrypt. After activation the users should create new passwords.\u003C\u002Fp>\n","Requires at least: 3.2.1 Tested up to: 4.2 Stable tag: 1.0.7 Replaces the pluggable wordpress function wp_hash_password()",100,8550,5,"2015-04-26T17:17:00.000Z","",[17,18,19,20,21],"bcrypt","passwordhash","pluggable","wp_hasher","wp_hash_password","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-hash-password.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":29,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":31,"avg_security_score":23,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},"ninos-ego",3,440,30,84,"2026-04-04T15:32:25.048Z",[36,54],{"slug":37,"name":38,"version":39,"author":40,"author_profile":41,"description":42,"short_description":43,"active_installs":44,"downloaded":45,"rating":11,"num_ratings":30,"last_updated":46,"tested_up_to":47,"requires_at_least":48,"requires_php":15,"tags":49,"homepage":52,"download_link":53,"security_score":23,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26},"password-bcrypt","Password bcrypt","1.0.3","Viktor Szépe","https:\u002F\u002Fprofiles.wordpress.org\u002Fszepeviktor\u002F","\u003Cp>wp-password-bcrypt is a WordPress plugin to replace WP’s outdated and insecure\u003Cbr \u002F>\nMD5-based password hashing with the modern and secure \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FBcrypt\" rel=\"nofollow ugc\">bcrypt\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>It is written by \u003Ca href=\"https:\u002F\u002Froots.io\u002Fplugins\u002Fbcrypt-password\u002F\" rel=\"nofollow ugc\">roots.io people\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>This plugin requires PHP >= 5.5.0 which introduced the built-in\u003Cbr \u002F>\n\u003Ca href=\"http:\u002F\u002Fphp.net\u002Fmanual\u002Fen\u002Ffunction.password-hash.php\" rel=\"nofollow ugc\">\u003Ccode>password_hash\u003C\u002Fcode>\u003C\u002Fa> and\u003Cbr \u002F>\n\u003Ca href=\"http:\u002F\u002Fphp.net\u002Fmanual\u002Fen\u002Ffunction.password-verify.php\" rel=\"nofollow ugc\">\u003Ccode>password_verify\u003C\u002Fcode>\u003C\u002Fa> functions.\u003C\u002Fp>\n\u003Cp>See \u003Ca href=\"https:\u002F\u002Froots.io\u002Fimproving-wordpress-password-security\u002F\" rel=\"nofollow ugc\">Improving WordPress Password Security\u003C\u002Fa>\u003Cbr \u002F>\nfor more background on this plugin and the password hashing issue.\u003C\u002Fp>\n","Replaces wp_hash_password and wp_check_password with PHP 5.5's password_hash and password_verify.",2000,30105,"2016-07-21T18:27:00.000Z","4.5.33","4.4",[17,50,51],"hash","password","https:\u002F\u002Froots.io","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpassword-bcrypt.1.0.3.zip",{"slug":55,"name":56,"version":57,"author":58,"author_profile":59,"description":60,"short_description":61,"active_installs":44,"downloaded":62,"rating":11,"num_ratings":63,"last_updated":64,"tested_up_to":65,"requires_at_least":66,"requires_php":67,"tags":68,"homepage":15,"download_link":72,"security_score":73,"vuln_count":24,"unpatched_count":24,"last_vuln_date":25,"fetched_at":26},"password-hash","PHP Native Password Hash","3.0","Ayesh Karunaratne","https:\u002F\u002Fprofiles.wordpress.org\u002Fayeshrajans\u002F","\u003Cp>This plugin swaps out WordPress core’s password hashing mechanism with PHP 5.5’s \u003Ccode>password_hash()\u003C\u002Fcode> and its accompanying functions. By default, PHP uses bcrypt to hash the passwords. If available, this plugin will use modern Argon2 algorithm. The transition will be transparent.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A password salt will be generated using a Cryptographically Secure Pseudo-Random Number Generator (\u003Ccode>CSPRNG\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>Password hashes are safe from dictionary attacks with rainbow tables or any other precomputed hash lists, because a secure salt is generated for each password.\u003C\u002Fli>\n\u003Cli>The password hashing is iterated multiple times to provide a good resistance against brute-force attacks.\u003C\u002Fli>\n\u003Cli>Password checks are made in a way that it mitigates time-attacks.\u003C\u002Fli>\n\u003Cli>You do not have to reset passwords of all users. Passwords already hashed in the database will be rehashed automatically and transparently the next time the user logs in.\u003C\u002Fli>\n\u003Cli>PHP might come up with newer password hashing algorithms, and they will be automatically supported without having to reset all the passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin was made initially because one of our applications used WordPress for authentication, but we needed to use an external system\u003Cbr \u002F>\nto verify the passwords directly from the database too. Since WordPress has its own password hashing algorithm, we decided to make this plugin to address that problem.\u003Cbr \u002F>\nWith this plugin, passwords generated by both WordPress and other custom applications now use the PHP’s default \u003Ccode>password_hash()\u003C\u002Fcode> functions without compromising any of the applications’ security.\u003C\u002Fp>\n\u003Cp>This plugin is designed to be as minimal and fast as possible, and can be considered a must-use for EVERY WordPress application given the minimal footprint of this plugin, and considering the importance of using a secure hashing algorithm for passwords.\u003C\u002Fp>\n","Makes WordPress use PHP's native password_hash() functions for portable, stronger, and time-attack safe bcrypt and Argon2 hashes.",23029,6,"2024-06-10T16:52:00.000Z","6.5.8","5.2","7.0",[69,17,51,70,71],"argon2","password-hashing","password_hash","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpassword-hash.3.0.zip",92,{"attackSurface":75,"codeSignals":81,"taintFlows":88,"riskAssessment":89,"analyzedAt":96},{"hooks":76,"ajaxHandlers":77,"restRoutes":78,"shortcodes":79,"cronEvents":80,"entryPointCount":24,"unprotectedCount":24},[],[],[],[],[],{"dangerousFunctions":82,"sqlUsage":83,"outputEscaping":85,"fileOperations":24,"externalRequests":24,"nonceChecks":24,"capabilityChecks":24,"bundledLibraries":87},[],{"prepared":24,"raw":24,"locations":84},[],{"escaped":24,"rawEcho":24,"locations":86},[],[],[],{"summary":90,"deductions":91},"The \"wp-hash-password\" plugin v1.0.7 exhibits an excellent security posture based on the provided static analysis and vulnerability history.  The absence of any identified attack surface entry points, dangerous functions, direct SQL queries, unsanitized output, or file operations is a significant strength.  This indicates the plugin was likely developed with security best practices in mind, focusing on a minimal and secure implementation. The lack of any recorded vulnerabilities or CVEs further reinforces this positive assessment, suggesting a history of responsible development and maintenance.\n\nWhile the analysis shows no specific code-level weaknesses, it's important to note that the provided data indicates zero nonces and capability checks. In a plugin with any user-facing interaction or administrative functionality, these would typically be expected. However, given the reported zero attack surface and lack of other concerning code signals, it's plausible that this plugin's functionality does not necessitate these checks. The complete absence of taint flows with unsanitized paths is also a strong indicator of secure code.\n\nIn conclusion, the \"wp-hash-password\" plugin v1.0.7 appears to be a highly secure component. Its strengths lie in its extremely small attack surface, absence of risky code patterns, and clean vulnerability history. The only potential area for slight concern, which is mitigated by other data points, is the apparent lack of nonce and capability checks, though this is likely due to its minimal functionality.",[92,94],{"reason":93,"points":13},"Missing nonce checks",{"reason":95,"points":13},"Missing capability checks","2026-03-16T20:39:05.252Z",{"wat":98,"direct":105},{"assetPaths":99,"generatorPatterns":101,"scriptPaths":102,"versionParams":103},[100],"\u002Fwp-content\u002Fplugins\u002Fwp-hash-password\u002Fwp-hash-password.php",[],[],[104],"wp-hash-password\u002Fwp-hash-password.php?ver=",{"cssClasses":106,"htmlComments":107,"htmlAttributes":108,"restEndpoints":109,"jsGlobals":110,"shortcodeOutput":111},[],[],[],[],[],[]]