Forum Replies Created

Viewing 15 replies - 1 through 15 (of 51 total)
  • Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Yes.

    Even as of WordPress 6.5, WordPress still uses the legacy phpass library to hash passwords, so this plugin still helps to use the more modern PHP native password hashing.

    Ref: https://github.com/WordPress/wordpress-develop/blob/6.5.4/src/wp-includes/pluggable.php#L2536-L2545

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    This is by design. The hashes are updated when the user logs in the next time, or when changing password.

    Existing passwords are not updated in bulk because the plugin cannot access the original password to re-hash; only when the user changes the password or when logging in.

    Forum: Plugins
    In reply to: [oEmbed Plus] abandoned?
    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Hi @whitedd – The plugin didn’t really receive any development lately, mainly because I was distracted with some other work, but also because of a legal issue with Meta that I only got resolved a couple months back.

    I already started the ground work for a new version of this plugin, and I plan to work on it and release by next month. Thanks.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Hi @mushlih,
    User password hashes are updated when the user logs into the web site, or when the user changes the password. This is by design, because the plugin cannot obtain the original password until the user types in the correct password.

    This plugin works by hooking into the user login process, and validating the password against the new password hashing algorithm, or WordPress’s default one. If the password is correct, and if the current algorithm is not what the plugin is configured with, it updates the password right then, because the plugin has access to the original password. It cannot bulk-update existing password hashes.

    Hope this helps.

    Cheers,
    Ayesh.
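
The rehash-on-login flow described in the reply above, as an added example (not the plugin's own code and not written by the plugin author). `legacy_hash()` and `legacy_verify()` are a constructed stand-in for the legacy scheme, not real phpass, and the `$users` array stands in for the user table.

```php
<?php
// Constructed stand-in for a legacy scheme (NOT real phpass):
// "$L$" + 8-char salt + hex of salted, iterated MD5.
function legacy_hash(string $password, string $salt): string
{
    $h = md5($salt . $password, true);
    for ($i = 0; $i < 8192; $i++) {
        $h = md5($h . $password, true);
    }
    return '$L$' . $salt . bin2hex($h);
}

function legacy_verify(string $password, string $stored): bool
{
    if (strlen($stored) !== 43 || strncmp($stored, '$L$', 3) !== 0) {
        return false;
    }
    return hash_equals($stored, legacy_hash($password, substr($stored, 3, 8)));
}

// Returns true on a successful login; upgrades the stored hash as a side effect.
function login(array &$users, string $name, string $password, $algo = PASSWORD_DEFAULT): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null) {
        return false;
    }
    $ok = strncmp($stored, '$L$', 3) === 0
        ? legacy_verify($password, $stored)
        : password_verify($password, $stored);
    if (!$ok) {
        return false; // wrong password: the stored hash is left untouched
    }
    // Only here is the plaintext available, so only here can the hash be upgraded.
    // password_needs_rehash() is true for unrecognised (legacy) hashes as well as
    // for native hashes whose algorithm or cost differs from the configured one.
    if (password_needs_rehash($stored, $algo)) {
        $users[$name] = password_hash($password, $algo);
    }
    return true;
}

// Constructed sample data: one account still on the legacy scheme.
$users = ['alice' => legacy_hash('correct horse', 'a1b2c3d4')];
var_dump(login($users, 'alice', 'wrong guess'));    // failed login, hash not upgraded
var_dump(strncmp($users['alice'], '$L$', 3) === 0); // still the legacy format
var_dump(login($users, 'alice', 'correct horse'));  // verified as legacy, then rehashed
var_dump(password_get_info($users['alice'])['algoName']);
var_dump(login($users, 'alice', 'correct horse'));  // now verified by password_verify()
```

Accounts that never log in keep their legacy hash indefinitely, which is why a bulk migration is not possible with this approach.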

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Hi @mullibahr,

    The plugin is to force the same-site flag on session cookies. PHP natively supports this feature after PHP 7.3, but does not enable it by default. This plugin enables same-site flag on session cookies in all PHP versions. For PHP versions older than 7.3, it comes with a compatibility layer, but still enables it on all PHP versions.

    Is the following configuration needed?

    If you use LAX, you don’t have to set it because LAX is the default configuration from the plugin too. It doesn’t hurt to explicitly declare it though.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Hi @uuploe017 – thank you for opening this thread.

    The plugin is still supported; I use it on my own web sites, and I will support it for the foreseeable future. It doesn’t have many “moving parts”, so I don’t publish updates to the plugin as often. But in case there is an incompatibility with a newer PHP version, I will update it ASAP.

    Cheers,
    Ayesh.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Unfortunately, nothing has changed since this plugin was created, so I think it still makes sense to continue to use this plugin.
    There is a Trac ticket to update to a more recent version of phpass, but due to backwards compatibility impact, I don’t think WordPress will move to PHP native password hashing just yet. When it does, I will make sure to send an update that the plugin effectively asks site admin to delete the plugin because it’s no longer necessary.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Enter the test mode credentials for the merchant ID and password.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Hi @sermadnajar20,
    Thanks for raising these questions.

    > So I basically install this plugin on a site, and it will change the Database encryption method from MD5 to Argon2?

    It is only for the WordPress user passwords. It does not encrypt the database entirely. The passwords are hashed, rather than encrypted. Encryption implies they can be decrypted with the/a key. Hashing means it’s a one-way operation.

    > Because in my studies we figured it was pretty simple to decrypt a string/password through online tables. But argon2 was not as simple.

    Splitting hairs, I wouldn’t call it simple, because even the standard WordPress MD5 hashing is repeated several times to slow it down, and it uses a random value too, which makes online tables useless. But it’s computationally simpler compared to what it was 10-15 years ago. That’s why we have this plugin, to use a more computationally intensive algorithm.

    > So does the plugin truly secure the database?
    > And also, does the plugin get regular updates, or is that not even important? Just want to make sure it works with current instalment of the WordPress version.

    Like I said on the first quote, this plugin does one thing and does it well – switching the MD5-based password hashing to Argon2/Bcrypt. The entire database is not encrypted. To encrypt an entire database, look for database server-level encryption that you can apply for fields, tables, or even to the whole database.

    Hope that answers the questions. Feel free to ask if you would like more clarification.

    Cheers.

    Forum: Plugins
    In reply to: [SameSite Cookies] Edge
    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    I just released v1.5 of this plugin for a fix that it sent a negative expiration time, making browsers immediately remove the cookie. I think that version should fix the issue. Thank you.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    I just released v1.5 of this plugin for a fix that it sent a negative expiration time, making browsers immediately remove the cookie. I think that version should fix the issue. Thank you.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Hi @eliashol74 – could you share the URL that you are trying to embed? If it’s sensitive information, feel free to randomize numeric parts.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Hi @thomymaster,
    This plugin uses the default hashing algorithm PHP itself suggests. For all PHP versions from 5.6 through 7.4 and even 8.0, that is bcrypt. Even if you don’t make any configuration changes, this plugin uses bcrypt. You need to explicitly configure it to use Argon2(ID).

    Hope that answers the question. Feel free to re-open otherwise. Cheers.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Thanks for the information. I will close this ticket as it is working now. Please feel free to open a new one if it is still not working with the interferences cleared.

    Plugin Author Ayesh Karunaratne

    (@ayeshrajans)

    Hi @mbrackenridge, thanks for the information.

    I think the foremost check would be making sure the Facebook app is live. Facebook recently changed their app model, so the screenshots in the guide need some refreshing, but the app needs to be in live mode before the plugin can fetch any content from API.

    Could you check if that’s the case?
