WebToolsPlanet

WordPress Password Hash Generator

Create a WordPress-compatible phpass ($P$) password hash from a password, salt, and work factor — entirely in your browser.

phpass $P$ · Custom salt · WordPress · Browser based

Last updated: May 30, 2026

Client-Side Processing
Input Data Stays on Device
Instant Local Execution

What is WordPress Password Hash Generator?

WordPress stores user passwords using the phpass "portable" hashing scheme, which produces strings that start with $P$. Each hash combines an 8-character salt with thousands of iterations of MD5 to slow down brute-force attacks.

This generator builds the same $P$ hash you would get from WordPress's wp_hash_password(). You control the salt and the work factor (the iteration exponent), so you can reproduce a specific hash or experiment with stronger settings. WordPress uses an exponent of 13, which is 8,192 iterations.

How to Use WordPress Password Hash Generator

1. Enter the password you want to hash (use test data, not a real password)
2. Set an 8-character salt or click Random to generate one
3. Pick the work factor; 13 matches the WordPress default
4. Copy the generated $P$ hash

Common Use Cases

  • Reproducing a WordPress phpass hash for testing or migration.
  • Seeding a local WordPress database with a known password hash.
  • Understanding how the $P$ portable hash format is structured.
  • Comparing phpass output against another implementation or a hashcat vector.

Example Input and Output

Reproduce the well-known phpass test vector for the password "hashcat" with salt 84478476 and work factor 11.

Password / salt / work factor: hashcat · salt 84478476 · 2^11
WordPress $P$ hash: $P$984478476IagS59wHZvyQMArzfx58u.

How This Tool Works

The tool builds the phpass setting ($P$ + work-factor char + salt), computes MD5(salt + password), then re-hashes MD5(hash + password) 2^N times, and encodes the final 16-byte digest with the phpass base64 alphabet — all locally.

Technical Stack

TypeScript · phpass · MD5 · Web Crypto salt · Client-side hashing

Format

$P$ + work-factor char + 8-char salt + 22-char encoded MD5 digest = a 34-character hash.
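
The steps under "How This Tool Works" and the layout under "Format", written out as an added Python example (not the tool's own TypeScript code). The function names are chosen here for illustration, and the sample hash is the hashcat test vector quoted on this page.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes) -> str:
    """phpass base64: each 3-byte group is little-endian, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):  # 3 bytes -> 4 chars, 1 byte -> 2 chars
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)


def parse_setting(stored: str):
    """Return (work-factor exponent, salt) from a $P$ hash or 12-char setting."""
    if not stored.startswith("$P$") or len(stored) < 12:
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.find(stored[3])  # index in the alphabet is the exponent
    if not 7 <= log2 <= 30:  # range accepted by phpass
        raise ValueError("work factor out of range")
    return log2, stored[4:12]


def phpass_hash(password: str, stored: str) -> str:
    """Recompute the 34-character hash using the setting embedded in `stored`."""
    log2, salt = parse_setting(stored)
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << log2):  # 2^N re-hash rounds
        digest = hashlib.md5(digest + pw).digest()
    return stored[:12] + encode64(digest)


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison; malformed hashes fail closed."""
    try:
        candidate = phpass_hash(password, stored)
    except ValueError:
        return False
    return len(stored) == 34 and hmac.compare_digest(candidate.encode(), stored.encode())


# Test vector quoted on this page: password "hashcat", salt 84478476, 2^11.
VECTOR = "$P$984478476IagS59wHZvyQMArzfx58u."
```

`verify("hashcat", VECTOR)` returns `True`; a hash whose work-factor character falls outside the accepted range is rejected rather than recomputed.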

Security

phpass with iterated MD5 is acceptable for legacy WordPress, but new systems should prefer bcrypt or Argon2. Always use unique, random salts in production.

Frequently Asked Questions

What is a $P$ hash?
It is the phpass "portable" password hash format used by WordPress: $P$, a work-factor character, an 8-character salt, and an encoded iterated-MD5 digest.
How many iterations does WordPress use?
WordPress uses a work-factor exponent of 13, which is 2^13 = 8,192 iterations of MD5.
Why is the salt only 8 characters?
phpass uses a fixed 8-character salt drawn from its own base64 alphabet (./0-9A-Za-z). The salt is embedded in the hash so verification needs no extra storage.
Can I verify a password against an existing hash?
Yes — paste the original salt and work factor from an existing $P$ hash, enter the candidate password, and compare the generated hash to the stored one.
Is my password uploaded?
No. The password, salt, and every MD5 iteration are processed entirely in your browser.