Skip to content
Roots
  • Home page
  1. Blog

Sunsetting wp-password-bcrypt with WordPress 6.8

Ben Word Ben Word on

With the upcoming release of WordPress 6.8, bcrypt will officially become the default password hashing method in core (WordPress 6.8 will use bcrypt for password hashing). This is a big improvement for WordPress authentication, and it renders our wp-password-bcrypt package unnecessary moving forward.

What this means

If your site is running WordPress 6.8 or later, you no longer need wp-password-bcrypt. You can safely remove the package, and all existing passwords will continue to work without any migration steps required. WordPress core will seamlessly handle authentication using bcrypt where applicable.

To reflect this change, we will be:

  • Marking wp-password-bcrypt as abandoned on Packagist
  • Removing references to it from Bedrock and related documentation
  • Archiving the GitHub repository

Thank you

We originally introduced wp-password-bcrypt to bring better password security to WordPress sites before core had strong hashing in place. Now that bcrypt is part of WordPress itself, we’re excited to see this improvement adopted widely without the need for additional plugins or packages.

Thanks to everyone who supported and used wp-password-bcrypt over the years. This is a great step forward for WordPress security, and we’re happy to see it become the new standard!

Discuss this post on Roots Discourse

About the author

Ben Word

Ben Word has been creating WordPress sites since 2004. He loves dogs, climbing, and yoga, and is passionate about helping people build awesome things on the web.

Subscribe for updates

Join over 8,000 subscribers on our newsletter to get the latest Roots updates and tips on building better WordPress sites

Looking for WordPress plugin recommendations, the newest modern WordPress projects, and general web development tips and articles?

One last step! Check your email for a verification link.