#21022 Switch to using bcrypt for hashing passwords

.github/workflows/performance.yml

@@ -33,7 +33,7 @@ jobs:
   # Runs the performance test suite.
   performance:
     name: ${{ matrix.multisite && 'Multisite' || 'Single site' }}
-    uses: WordPress/wordpress-develop/.github/workflows/reusable-performance.yml@trunk
+    uses: ./.github/workflows/reusable-performance.yml
     permissions:
       contents: read
     if: ${{ ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}

.github/workflows/reusable-performance.yml

@@ -45,7 +45,7 @@ env:
   LOCAL_SAVEQUERIES: false
   LOCAL_WP_DEVELOPMENT_MODE: "''"
 
-  # This workflow takes two sets of measurements — one for the current commit,
+  # This workflow takes three measurements — one against the current commit, one against the previous commit,
   # and another against a consistent version that is used as a baseline measurement.
   # This is done to isolate variance in measurements caused by the GitHub runners
   # from differences caused by code changes between commits. The BASE_TAG value here
@@ -62,48 +62,55 @@ env:
 
 jobs:
   # Performs the following steps:
-  # - Configure environment variables.
-  # - Checkout repository.
-  # - Determine the target SHA value (on `workflow_dispatch` only).
-  # - Set up Node.js.
-  # - Log debug information.
-  # - Install npm dependencies.
-  # - Install Playwright browsers.
-  # - Build WordPress.
-  # - Start Docker environment.
-  # - Install object cache drop-in.
-  # - Log running Docker containers.
-  # - Docker debug information.
-  # - Install WordPress.
-  # - Enable themes on Multisite.
-  # - Install WordPress Importer plugin.
-  # - Import mock data.
-  # - Deactivate WordPress Importer plugin.
-  # - Update permalink structure.
-  # - Install additional languages.
-  # - Disable external HTTP requests.
-  # - Disable cron.
-  # - List defined constants.
-  # - Install MU plugin.
-  # - Run performance tests (current commit).
-  # - Download previous build artifact (target branch or previous commit).
-  # - Download artifact.
-  # - Unzip the build.
-  # - Run any database upgrades.
-  # - Flush cache.
-  # - Delete expired transients.
-  # - Run performance tests (previous/target commit).
-  # - Set the environment to the baseline version.
-  # - Run any database upgrades.
-  # - Flush cache.
-  # - Delete expired transients.
-  # - Run baseline performance tests.
-  # - Archive artifacts.
-  # - Compare results.
-  # - Add workflow summary.
-  # - Set the base sha.
-  # - Set commit details.
-  # - Publish performance results.
+  # - Setup:
+  #   - Configure environment variables.
+  #   - Checkout repository.
+  #   - Determine the target SHA value (on `workflow_dispatch` only).
+  #   - Set up Node.js.
+  #   - Log debug information.
+  #   - Install npm dependencies.
+  #   - Install Playwright browsers.
+  #   - Build WordPress.
+  #   - Start Docker environment.
+  #   - Install object cache drop-in.
+  #   - Log running Docker containers.
+  #   - Docker debug information.
+  #   - Install WordPress.
+  #   - Enable themes on Multisite.
+  #   - Install WordPress Importer plugin.
+  #   - Import mock data.
+  #   - Deactivate WordPress Importer plugin.
+  #   - Update permalink structure.
+  #   - Install additional languages.
+  #   - Disable external HTTP requests.
+  #   - Disable cron.
+  #   - List defined constants.
+  #   - Install MU plugin.
+  # - Run the baseline tests:
+  #   - Set the environment to the baseline version
+  #   - Run baseline performance tests.
+  # - Run the previous build tests:
+  #   - Download previous build artifact (target branch or previous commit).
+  #   - Download artifact.
+  #   - Unzip the build.
+  #   - Run any database upgrades.
+  #   - Flush cache.
+  #   - Delete expired transients.
+  #   - Run performance tests (previous/target commit).
+  # - Run the current tests:
+  #   - Set the environment to the current version.
+  #   - Run the build.
+  #   - Run any database upgrades.
+  #   - Flush cache.
+  #   - Delete expired transients.
+  #   - Run current performance tests.
+  # - Store and publish results:
+  #   - Archive artifacts.
+  #   - Compare results.
+  #   - Add workflow summary.
+  #   - Set the base sha.
+  #   - Set commit details.
+  #   - Publish performance results.
   # - Ensure version-controlled files are not modified or deleted.
   performance:
     name: ${{ inputs.multisite && 'Multisite' || 'Single site' }} / ${{ inputs.memcached && 'Memcached' || 'Default' }}
@@ -219,9 +226,30 @@ jobs:
           mkdir ./${{ env.LOCAL_DIR }}/wp-content/mu-plugins
           cp ./tests/performance/wp-content/mu-plugins/server-timing.php ./${{ env.LOCAL_DIR }}/wp-content/mu-plugins/server-timing.php
 
-      - name: Run performance tests (current commit)
+
+      # ============================
+      # Run the baseline tests first
+      # ============================
+
+      - name: Set the environment to the baseline version
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }}
+        run: |
+          VERSION="${{ env.BASE_TAG }}"
+          VERSION="${VERSION%.0}"
+          npm run env:cli -- core update --version=$VERSION --force --path=/var/www/${{ env.LOCAL_DIR }}
+          npm run env:cli -- core version --path=/var/www/${{ env.LOCAL_DIR }}
+
+      - name: Run baseline performance tests
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }}
+        env:
+          TEST_RESULTS_PREFIX: base
         run: npm run test:performance
 
+
+      # ============================
+      # Run the previous build tests
+      # ============================
+
       - name: Download previous build artifact (target branch or previous commit)
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: get-previous-build
@@ -276,13 +304,13 @@ jobs:
           TEST_RESULTS_PREFIX: before
         run: npm run test:performance
 
-      - name: Set the environment to the baseline version
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }}
-        run: |
-          VERSION="${{ env.BASE_TAG }}"
-          VERSION="${VERSION%.0}"
-          npm run env:cli -- core update --version=$VERSION --force --path=/var/www/${{ env.LOCAL_DIR }}
-          npm run env:cli -- core version --path=/var/www/${{ env.LOCAL_DIR }}
+
+      # =====================
+      # Run the current tests
+      # =====================
+
+      - name: Build WordPress
+        run: npm run build
 
       - name: Run any database upgrades
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }}
@@ -296,12 +324,14 @@ jobs:
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }}
         run: npm run env:cli -- transient delete --expired --path=/var/www/${{ env.LOCAL_DIR }}
 
-      - name: Run baseline performance tests
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }}
-        env:
-          TEST_RESULTS_PREFIX: base
+      - name: Run performance tests (current commit)
         run: npm run test:performance
 
+
+      # =========================
+      # Store and publish results
+      # =========================
+
       - name: Archive artifacts
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: always()

composer.json

@@ -10,6 +10,7 @@
 		"issues": "https://core.trac.wordpress.org/"
 	},
 	"require": {
+		"ext-hash": "*",
 		"ext-json": "*",
 		"php": ">=7.2.24"
 	},

src/wp-admin/includes/class-wp-site-health.php

@@ -923,7 +923,7 @@ public function get_test_php_extensions() {
 			),
 			'hash'      => array(
 				'function' => 'hash',
-				'required' => false,
+				'required' => true,
 			),
 			'imagick'   => array(
 				'extension' => 'imagick',

src/wp-admin/includes/upgrade.php

@@ -965,6 +965,7 @@ function upgrade_101() {
  *
  * @ignore
  * @since 1.2.0
+ * Since x.y.z User passwords are no longer hashed with md5.
  *
  * @global wpdb $wpdb WordPress database abstraction object.
  */
@@ -980,13 +981,6 @@ function upgrade_110() {
 		}
 	}
 
-	$users = $wpdb->get_results( "SELECT ID, user_pass from $wpdb->users" );
-	foreach ( $users as $row ) {
-		if ( ! preg_match( '/^[A-Fa-f0-9]{32}$/', $row->user_pass ) ) {
-			$wpdb->update( $wpdb->users, array( 'user_pass' => md5( $row->user_pass ) ), array( 'ID' => $row->ID ) );
-		}
-	}
-
 	// Get the GMT offset, we'll use that later on.
 	$all_options = get_alloptions_110();
 

src/wp-includes/class-wp-application-passwords.php

@@ -60,6 +60,7 @@ public static function is_in_use() {
 	 *
 	 * @since 5.6.0
 	 * @since 5.7.0 Returns WP_Error if application name already exists.
+	 * @since x.y.z The hashed password value now uses wp_fast_hash() instead of phpass.
 	 *
 	 * @param int   $user_id  User ID.
 	 * @param array $args     {
@@ -95,7 +96,7 @@ public static function create_new_application_password( $user_id, $args = array(
 		}
 
 		$new_password    = wp_generate_password( static::PW_LENGTH, false );
-		$hashed_password = wp_hash_password( $new_password );
+		$hashed_password = self::hash_password( $new_password );
 
 		$new_item = array(
 			'uuid'      => wp_generate_uuid4(),
@@ -124,6 +125,7 @@ public static function create_new_application_password( $user_id, $args = array(
 		 * Fires when an application password is created.
 		 *
 		 * @since 5.6.0
+		 * @since x.y.z @since x.y.z The hashed password value now uses wp_fast_hash() instead of phpass.
 		 *
 		 * @param int    $user_id      The user ID.
 		 * @param array  $new_item     {
@@ -249,6 +251,7 @@ public static function application_name_exists_for_user( $user_id, $name ) {
 	 * Updates an application password.
 	 *
 	 * @since 5.6.0
+	 * @since x.y.z The actual password should now be hashed using wp_fast_hash().
 	 *
 	 * @param int    $user_id User ID.
 	 * @param string $uuid    The password's UUID.
@@ -296,6 +299,8 @@ public static function update_application_password( $user_id, $uuid, $update = a
 			 * Fires when an application password is updated.
 			 *
 			 * @since 5.6.0
+			 * @since x.y.z The password is now hashed using wp_fast_hash() instead of phpass.
+			 *              Existing passwords may still be hashed using phpass.
 			 *
 			 * @param int   $user_id The user ID.
 			 * @param array $item    {
@@ -464,4 +469,45 @@ public static function chunk_password( $raw_password ) {
 
 		return trim( chunk_split( $raw_password, 4, ' ' ) );
 	}
+
+	/**
+	 * Hashes a plaintext application password.
+	 *
+	 * @since x.y.z
+	 *
+	 * @param string $password Plaintext password.
+	 * @return string Hashed password.
+	 */
+	public static function hash_password( string $password ): string {
+		return wp_fast_hash( $password );
+	}
+
+	/**
+	 * Checks a plaintext application password against a hashed password.
+	 *
+	 * @since x.y.z
+	 *
+	 * @param string     $password Plaintext password.
+	 * @param string     $hash     Hash of the password to check against.
+	 * @return bool Whether the password matches the hashed password.
+	 */
+	public static function check_password( string $password, string $hash ): bool {
+		return wp_verify_fast_hash( $password, $hash );
+	}
+
+	/**
+	 * Checks whether a password hash needs to be rehashed.
+	 *
+	 * A password hashed in a prior version of WordPress may still be hashed with phpass and will
+	 * need to be rehashed. If the algorithm is changed in WordPress then a password hashed in a
+	 * previous version will need to be rehashed.
+	 *
+	 * @since x.y.z
+	 *
+	 * @param string $hash Hash of a password to check.
+	 * @return bool Whether the hash needs to be rehashed.
+	 */
+	public static function password_needs_rehash( string $hash ): bool {
+		return ! str_starts_with( $hash, '$generic$' );
+	}
 }