Generate WordPress Password Hashes

Generate WordPress-compatible password hashes for authorized recovery, migration, testing, and controlled account-management workflows.

Setup
Generate and verify WordPress-compatible hashes

Reset Input

WordPress Hash Workbench
Enter password, verify existing hash, and prepare SQL reset statement.
Ready
Max length: 50 characters
Result
Hash output, SQL template, and recovery checklist

Reset Output

Post-reset checklist: 1) Log in and change password immediately. 2) Force logout other sessions. 3) Rotate any potentially exposed credentials.

Compatible with WordPress v3.x, v4.x, v5.x, v6.x and newer.

Try These Related Tools
Bcrypt Hash Generator
Whirlpool Hash Generator
Argon2 Hash Generator
Crypto Hash Encoder
Snefru Hash Tool
MD4 Hash Generator
CRC32 Hash Generator
MD2 Hash Encoder

About the WordPress Password Hash Generator

The WordPress Password Hash Generator produces WordPress-compatible password hashes using the phpass algorithm — the same hashing scheme WordPress uses to store passwords in the wp_users table. Use it to manually reset a WordPress user password directly in the database when you cannot access the admin panel, or to generate test password hashes for WordPress development and migration work.

How to Use

  • Enter the plaintext password you want to hash.
  • Click Generate Hash. The tool produces a WordPress-compatible phpass hash string (beginning with $P$).
  • Copy the hash and update the user_pass column in the wp_users table for the target user.
  • Log in to WordPress using the plaintext password — WordPress will verify it against the stored hash and rehash it using the current algorithm if configured.

How to Reset a WordPress Password via Database

When the admin panel is inaccessible (locked out, forgotten password, broken email), update the password directly in the database:

  1. Open phpMyAdmin, MySQL Workbench, or connect via the MySQL CLI.
  2. Run: SELECT ID, user_login, user_pass FROM wp_users; to identify the user.
  3. Generate a hash for the new password using this tool.
  4. Run: UPDATE wp_users SET user_pass = '[generated hash]' WHERE user_login = 'your_username';
  5. Clear any active sessions by deleting session tokens: DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens' AND user_id = [user ID];
  6. Log in to WordPress with the new password.

What is phpass?

phpass (Portable PHP password hashing framework) is the password hashing library used by WordPress since version 2.5. It predates modern password hashing algorithms and was a significant security improvement over the plain MD5 hashes WordPress used before it.

  • Algorithm — phpass uses MD5 stretched through multiple iterations with a random salt. The output begins with $P$B for WordPress (or $H$9 for phpBB).
  • Hash format$P$B[22 characters]. The B encodes the iteration count (210 = 1,024 iterations). The following 8 characters are the random salt. The remaining 22 characters are the Base64-encoded hash output.
  • Limitations — phpass is based on MD5, which is fast on modern hardware and GPUs. It is significantly weaker than bcrypt, Argon2, or scrypt for resisting offline brute-force attacks. WordPress 6.8+ introduced bcrypt as an optional upgrade.

WordPress Password Hashing Evolution

  • WordPress 2.4 and earlier — Plain MD5 hashes. No salt, no iterations. A single GPU can check billions of MD5 hashes per second — these hashes are trivially cracked from dictionaries and rainbow tables.
  • WordPress 2.5–6.7 — phpass with MD5 and 1,024 iterations. Still MD5-based but significantly harder than plain MD5. Recognisable by the $P$B prefix.
  • WordPress 6.8+ — bcrypt support added. New passwords and password resets use bcrypt ($2y$ prefix). Existing phpass hashes continue to work and are upgraded to bcrypt on next login.

Frequently Asked Questions

Why does my manually set hash not work?
Verify that the hash string was copied completely without truncation — phpass hashes are exactly 34 characters ($P$B + 8-character salt + 22-character hash). Also confirm you are updating the correct wp_users row (check the ID or user_login). Some database tools add invisible whitespace — use a SQL UPDATE with the hash in quotes rather than copy-pasting into a GUI field.
Can I use a plain MD5 hash directly in wp_users?
WordPress detects legacy plain MD5 hashes (32-character hex strings without the $P$ prefix) and upgrades them automatically on first login. This means setting a plain MD5 hash will work as a temporary measure, but it is insecure. Always use a phpass or bcrypt hash for any password that will be used in production.
What is the WP_ADMIN_PASSWORD or wp_set_password function?
wp_set_password( $password, $user_id ) is the WordPress function for changing a user password programmatically from within WordPress (e.g., in a plugin, functions.php, or WP-CLI). It handles hashing internally and is the preferred method over direct SQL updates when WordPress is accessible. This tool is for when WordPress itself is inaccessible.
How do I reset a password using WP-CLI?
If WP-CLI is available on the server: wp user update [user_id] --user_pass="newpassword". WP-CLI handles phpass/bcrypt hashing correctly and is safer than direct database manipulation. This tool is useful when neither the admin panel nor WP-CLI is accessible.
Does this work for WordPress multisite?
Yes. In WordPress multisite, users are stored in the main site's wp_users table (shared across all sites). Update the user_pass field in that shared table. The network admin account is also in this table.

Being able to break security doesn’t make you a hacker anymore than being able to hotwire cars makes you an automotive engineer.

Eric Raymond

CodersTool Categories
Data & Format
Data & Format Tools
Encode Decode Tools
Base64 Tools
Unicode UTF Tools
Text Tools
Database Tools
Developer
Developer Tools
Code Editor Tools
Database Tools
Test Data Tools
Dev Calculators
Web & Markup
Site Diagnostics
Meta & Schema Tools
Network & Security
Network Tools
Security Tools
Encryption Tools
Reference
Cheat Sheets
Blog