Sunsetting wp-password-bcrypt with WordPress 6.8
Ben Word
on
With the upcoming release of WordPress 6.8, bcrypt will officially become the default password hashing method in core (WordPress 6.8 will use bcrypt for password hashing). This is a big improvement for WordPress authentication, and it renders our wp-password-bcrypt
package unnecessary moving forward.
What this means
If your site is running WordPress 6.8 or later, you no longer need wp-password-bcrypt
. You can safely remove the package, and all existing passwords will continue to work without any migration steps required. WordPress core will seamlessly handle authentication using bcrypt where applicable.
To reflect this change, we will be:
- Marking
wp-password-bcrypt
as abandoned on Packagist - Removing references to it from Bedrock and related documentation
- Archiving the GitHub repository
Thank you
We originally introduced wp-password-bcrypt
to bring better password security to WordPress sites before core had strong hashing in place. Now that bcrypt is part of WordPress itself, we’re excited to see this improvement adopted widely without the need for additional plugins or packages.
Thanks to everyone who supported and used wp-password-bcrypt
over the years. This is a great step forward for WordPress security, and we’re happy to see it become the new standard!