Joomla and WordPress: A Tale of Two Password Security Philosophies
Joomla and WordPress, two of the most popular content management systems, take distinct approaches to securing user passwords. While both have evolved their methods over time, the core difference lies in their historical and current choices of cryptographic hashing algorithms. Joomla has embraced the modern and robust bcrypt algorithm, while WordPress is in the midst of a transition from its long-standing PHPass framework to bcrypt.
Joomla's Straightforward bcrypt Implementation
Joomla utilizes a straightforward implementation of the bcrypt password hashing algorithm. When a user creates or updates their password, Joomla uses a dedicated BCryptHandler to generate a secure hash of the password. This process involves combining the password with a randomly generated salt and then running it through the computationally intensive bcrypt algorithm. The resulting hash, which includes the salt and the cost factor (a measure of the computational difficulty), is then stored in the database.
The key advantages of Joomla's approach are:
Strong Security: Bcrypt is widely considered a secure and modern password hashing algorithm. It is specifically designed to be slow, making brute-force attacks that attempt to guess passwords by trying billions of combinations computationally expensive and time-consuming for attackers.
Automatic Salting: The bcrypt algorithm inherently handles the generation of a unique salt for each password, a crucial defense against rainbow table attacks (pre-computed tables of password hashes).
WordPress's Transition from PHPass to a Customized bcrypt
For many years, WordPress relied on the PHPass portable hashing framework. While PHPass was a significant improvement over older methods like storing plain MD5 hashes, it is a more flexible framework and, in some configurations, a less secure one than a direct bcrypt implementation. The security of PHPass depends on the underlying hashing algorithms available on the server, which could include MD5.
Recognizing the need for a more modern and consistently strong approach, WordPress is transitioning to bcrypt for user password hashing. As of 2025, this transition is a key security enhancement in recent versions. However, WordPress's implementation of bcrypt has a unique characteristic:
SHA-384 Pre-hashing: To address bcrypt's limitation of a 72-byte maximum password length, WordPress first hashes the password using the SHA-384 algorithm. The resulting hash is then passed to the bcrypt function. This allows for the use of longer passwords without truncation. To differentiate these hashes from standard bcrypt hashes, WordPress prepends them with a $wp$ prefix.
Backward Compatibility: To ensure a smooth transition and that existing users can still log in, WordPress continues to support the verification of passwords hashed with the older PHPass framework. When a user with an old password hash logs in successfully, WordPress automatically rehashes their password using the new bcrypt method.
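The two schemes and the login-time upgrade described above, as an added illustration that is not Joomla's or WordPress's own code. It assumes the pre-hash is plain SHA-384 encoded as base64 (a simplification; WordPress's own pre-hash may differ in detail), and `phpass_check_password` is a hypothetical stand-in for the PHPass library's check.

```php
<?php
// Added example modelling plain bcrypt (Joomla-style) and SHA-384-prehashed
// bcrypt with a "$wp" prefix (WordPress-style). Not CMS code; assumptions noted.

const WP_PREFIX = '$wp';

// Joomla-style: hand the password straight to bcrypt. bcrypt silently ignores
// everything past byte 72, so very long passphrases lose entropy.
function joomla_style_hash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// WordPress-style: pre-hash with SHA-384 so the whole password counts.
// base64 keeps the digest free of NUL bytes: bcrypt treats its input as a
// C string, so a raw digest containing 0x00 would be cut short.
function wp_style_prehash(string $password): string {
    return base64_encode(hash('sha384', $password, true)); // 64 chars, under 72
}

function wp_style_hash(string $password): string {
    return WP_PREFIX . password_hash(wp_style_prehash($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

// Verify against whichever scheme the stored hash uses and report whether the
// stored value should be replaced (legacy PHPass "$P$" or bare bcrypt "$2y$").
// Returns [bool $ok, ?string $newHash]; the caller writes $newHash if not null.
function verify_and_maybe_rehash(string $password, string $stored): array {
    if (str_starts_with($stored, WP_PREFIX)) {
        $ok = password_verify(wp_style_prehash($password), substr($stored, strlen(WP_PREFIX)));
        return [$ok, null]; // already on the current scheme
    }
    if (str_starts_with($stored, '$P$')) {
        // Legacy PHPass hash (hypothetical helper); upgrade only after success.
        $ok = phpass_check_password($password, $stored);
        return [$ok, $ok ? wp_style_hash($password) : null];
    }
    // Bare bcrypt: still strong, but upgrade so every row uses one scheme.
    $ok = password_verify($password, $stored);
    return [$ok, $ok ? wp_style_hash($password) : null];
}

// Demo of the 72-byte limit: two constructed passwords that differ only after byte 72.
$long = str_repeat('a', 100);
$twin = str_repeat('a', 72) . str_repeat('b', 28);
var_dump(password_verify($twin, joomla_style_hash($long)));        // bool(true): truncated
var_dump(verify_and_maybe_rehash($twin, wp_style_hash($long))[0]); // bool(false): full length counts
```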
Key Differences at a Glance

| Feature           | Joomla                                             | WordPress (Modern Versions)                             |
|-------------------|----------------------------------------------------|---------------------------------------------------------|
| Hashing Algorithm | bcrypt                                             | bcrypt with SHA-384 pre-hashing                         |
| Salting           | Handled automatically by bcrypt                    | Handled automatically by bcrypt                         |
| Legacy Support    | Not applicable (has been using a modern approach)  | Maintains support for older PHPass hashes               |
| Password Length   | Subject to bcrypt's 72-byte limit                  | Supports longer passwords due to SHA-384 pre-hashing    |
In essence, Joomla has been leveraging the strong, direct implementation of bcrypt for some time. WordPress, with its massive user base and commitment to backward compatibility, has undertaken a more gradual but ultimately significant upgrade to a customized and more secure bcrypt-based system. Both platforms are now converging on modern, industry-standard password hashing practices, which is a positive development for the security of the web as a whole.
Here is an AI summary of the issues around - #27