
How WordPress 6.8 Will Strengthen Security
Set for release in April 2025, WordPress 6.8 introduces major improvements to password hashing and authentication mechanisms. These enhancements significantly strengthen security and make password cracking much more difficult for attackers.
In this article, we’ll explore:
- The importance of strong password security
- How password hashing protects user credentials
- What’s changing in WordPress 6.8 and how it improves security
Let’s dive into the upcoming enhancements and why they matter for WordPress users and developers.
Why Password Security Matters
Every year, millions of passwords are exposed in data breaches, putting websites and user accounts at risk. Weak or compromised credentials are among the most common attack vectors, allowing hackers to gain unauthorized access. WordPress websites, like any online platform, are not immune.
A strong password policy isn’t just a recommendation; it’s a necessity. Attackers use automated tools to guess passwords, exploit leaked credential databases, and bypass weak security measures. Without proper protection, even complex passwords can be cracked using brute-force attacks or stolen from compromised databases.
The business impact of poor password security can be severe. A compromised WordPress site can lead to financial losses, reputational damage, and legal consequences. When customer data is exposed, trust erodes, leading to decreased traffic, lower conversions, and lasting harm to brand credibility. Strong password security isn’t just about safeguarding user accounts—it’s a critical investment in business stability and long-term trust.
Understanding Password Threats
Password strength depends on context and the level of threat. A strong password should be difficult to guess and resistant to modern cracking techniques. As easy-to-use exploit tools become ever more available, password security practices must evolve too.
Attackers typically break passwords in two ways:
Brute Force and Credential-Based Attacks
Attackers often attempt to break passwords through brute force. This method involves systematically guessing login credentials. However, WordPress limits login attempts, making brute-force attacks less effective. Instead, attackers rely on phishing, malware, or leaked credentials to gain access. Weak passwords, especially those based on public information like names or birthdates, are easier to crack, increasing the risk of unauthorized access.
Compromised Password Databases
A more serious threat occurs when attackers gain access to a site’s password database. Even though passwords are stored as hashes, weak hashing methods allow attackers to reverse them much more easily. In extreme cases, poorly configured sites store passwords in plaintext, making them readable. When password storage is weak, even strong passwords offer little protection.
How WordPress 6.8 Will Strengthen Password Security and Hashing
WordPress’s built-in authentication mechanisms lack native rate limiting, making brute-force attacks easier to execute. Users have had to rely on third-party plugins to add login attempt restrictions and to apply more advanced hashing algorithms for stored passwords.
WordPress 6.8 is set to introduce key security improvements, particularly in native password hashing and authentication mechanisms. These updates will enhance user protection against brute-force attacks, data breaches, and outdated encryption methods.
About Password Hashing
Password hashing converts plaintext passwords into a one-way hash value. Instead of storing plaintext passwords in the database, WordPress hashes them, ensuring that even if an attacker gains access, they can’t see the actual passwords.
When you log in, WordPress hashes the password you submitted and compares it with the stored hashed value. If they match, access is granted. This method works because the same password always produces the same hash, but the hash itself cannot be reversed to reveal the original password.

Here’s how WordPress 6.8 will strengthen password security and hashing.
Stronger Password-Hashing Mechanisms
WordPress 6.8 will introduce bcrypt for password hashing, an industry-standard cryptographic algorithm. Bcrypt is significantly more secure than other hashing methods because it includes a built-in cost factor, making it computationally expensive for attackers to guess passwords.
Additionally, authentication and security-related keys will use BLAKE2b, a cryptographically secure and fast hashing algorithm. This ensures that sensitive authentication data is well-protected.
By default, the WordPress functions wp_hash_password() and wp_check_password() will use PHP’s native password_hash() and password_verify() to handle password hashing. Developers who need even stronger hashing can opt in to Argon2 if their server supports it:
add_filter( 'wp_hash_password_algorithm', fn() => PASSWORD_ARGON2ID );
With these changes, WordPress is set to follow modern security best practices, providing stronger protection for user credentials out of the box.
Frequently Asked Questions
Do I need to take any action to enable these security improvements?
No action is required. After updating to WordPress 6.8, existing user passwords will be automatically updated using bcrypt and BLAKE2b upon user login. However, if your server supports it, developers can opt for Argon2 for even stronger encryption.
What is bcrypt, and why is it better for password hashing?
Bcrypt is a secure password hashing algorithm that improves protection against brute-force attacks by making password hashes even more difficult to decipher.
What happens to passwords stored before WordPress 6.8?
Existing passwords remain functional. However, when a user logs in or resets their password, WordPress automatically rehashes it using bcrypt, ensuring stronger security going forward.
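The rehash-on-login behaviour described in this answer, together with the bcrypt cost factor and the Argon2 opt-in from the hashing section above, can be shown with PHP’s native password API. This is an added example in plain PHP, not WordPress core code; the function names, the in-memory user array and the cost values are assumptions made for illustration.

```php
<?php
// Added example: plain PHP, not WordPress core code.
// preferred_algo(), login_and_upgrade() and the $users array are
// hypothetical stand-ins for a site's settings and users table.

// Prefer Argon2id only when this PHP build provides it; otherwise bcrypt.
function preferred_algo(): array {
    if (defined('PASSWORD_ARGON2ID')) {
        return [PASSWORD_ARGON2ID, []];         // library default parameters
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]];   // cost 12 is an assumed target
}

// Verify a login; on success, replace a hash made with older settings.
function login_and_upgrade(array &$users, string $name, string $password): bool {
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    [$algo, $options] = preferred_algo();
    if (password_needs_rehash($users[$name], $algo, $options)) {
        // The plaintext is only available during login, so this is the
        // one point where an old hash can be upgraded.
        $users[$name] = password_hash($password, $algo, $options);
    }
    return true;
}

// Constructed sample data: one account stored earlier with a low bcrypt cost.
$users = ['alice' => password_hash('correct horse battery staple',
                                   PASSWORD_BCRYPT, ['cost' => 6])];
$before = $users['alice'];

var_dump(login_and_upgrade($users, 'alice', 'wrong guess'));  // wrong password
var_dump($users['alice'] === $before);                        // stored hash unchanged?
var_dump(login_and_upgrade($users, 'alice', 'correct horse battery staple'));
var_dump($users['alice'] !== $before);                        // stored hash replaced?
echo password_get_info($before)['algoName'], ' -> ',
     password_get_info($users['alice'])['algoName'], PHP_EOL;

// Two hashes of one password differ because each embeds its own random salt;
// password_verify() reads the salt and cost back out of the stored hash.
$a = password_hash('hunter2', PASSWORD_BCRYPT);
$b = password_hash('hunter2', PASSWORD_BCRYPT);
var_dump($a !== $b && password_verify('hunter2', $a) && password_verify('hunter2', $b));
```

A failed login leaves the stored hash alone, so accounts that never sign in keep their old hash until a login or password reset supplies the plaintext again.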
Can I still use third-party security plugins for extra protection?
Yes, while WordPress 6.8 strengthens default security, third-party plugins can add extra layers of protection, such as two-factor authentication (2FA), login monitoring, and protection against various attack vectors.
Does this update affect performance?
No, bcrypt is optimized for best-practice security without impacting performance. The cost factor can be adjusted based on server capabilities to balance security and efficiency.
How can I ensure my site is using the latest security features?
Once WordPress 6.8 is released, update to the latest version to benefit from these security improvements. Enabling two-factor authentication and keeping your website updated will further strengthen security.
Conclusion
WordPress 6.8 is set to bring a major leap forward in password security, strengthening protection against modern threats. With bcrypt for password hashing and BLAKE2b for authentication keys, WordPress aligns with industry best practices in cryptographic security. These enhancements make brute-force attacks significantly harder and improve overall credential safety.
Additionally, automatic rehashing ensures that older passwords are upgraded to use stronger encryption without any action required from users. By integrating these security improvements at the core level, WordPress reduces reliance on third-party security plugins, offering better default protection for websites and user accounts.
As security threats evolve, staying ahead of the game is crucial. It’s important to be conscious of using best-practice security measures to keep your site and users safe. Pressidium’s managed hosting combines the latest security advancements with optimized performance and reliability, ensuring robust protection.




