23 Comments

  1. John Blackbourn

    This is a welcome plugin, and I’ll most likely be implementing it on my sites once I’ve checked it over, but what’s with the confrontational attitude from the Roots developers?

    “The WordPress core team simply doesn’t care enough about this issue to solve a UX problem which would make every WordPress site, and its users, more secure.”

    Where on the linked Trac ticket is there any suggestion that the core team, or anyone else for that matter, doesn’t care about this issue? There’s recent and ongoing discussion from multiple lead developers who quite clearly state their support for implementing bcrypt, but that WordPress cannot switch to bcrypt without first addressing the UX concern of users who migrate sites between servers that do or do not support it.

    We’re all in this together. Suggesting that the core team does not care about an issue is not productive. Let’s fix the UX concerns and then move this issue forward.

    • Scott Walkinshaw

      I didn’t say they don’t care. I said they don’t care enough. Which is pretty obvious to me since that ticket has been open for 4 years.

      We did research on this subject, made a plugin, wrote a blog post, and have brought attention to this issue which is all productive.

      • Matt van Andel

        WordPress core is a community effort. Unless someone steps up and takes charge of an issue, it won’t get solved.

        Want your plugin or any other fixes implemented? Participate in the weekly core meetings on Slack. Contribute code, time, solutions, UX tests & findings, etc.

        The “core team” is YOU.

      • mark k.

        What a BS. You need a committer’s agreement in order to get code into core. Core is developed by the committers to serve whatever needs they think worth serving; it is not a community development effort. (To be clear, I don’t have any real problem with this structure, but to tell people that they can just write code and it will get into core is just stupid.)

    • Austin Pray

      I’ll believe it when I see it.

      If someone doesn’t feed their dog for a week, I will have it on good authority that they don’t care enough about that dog. How much they say they care doesn’t matter.

      • Kerry Webster

        +1

      • Jeremy

        As a member of the WordPress community, this is your dog too. Do you care about your dog? If so, you should contribute to the trac ticket with your ideas on how to solve that UX issue.

        That’s the best way to move forward. Commenting here, being confrontational with the people who show up and contribute to WordPress, doesn’t “feed the dog”. How much you say you care doesn’t matter.

      • KTS915

        So it’s our dog too, Jeremy, is it? But only so long as we feed it only in the way you tell us to?

        Doesn’t work, does it?

        Some years ago, my wife’s parked car was badly damaged by a truck driver. While we got the car repaired, I wrote to the trucking company, explaining what had happened and asking politely that they pay the bill, for which I supplied the garage’s estimate. After some delay, they wrote back and declined.

        So then I wrote them a much more confrontational letter, detailing the full cost that we had, by then, paid. They replied almost immediately, complaining about my unpleasant tone … and enclosing a check for the full amount.

        When politeness has been tried and doesn’t work, sometimes confrontation is necessary. Those complaining about the confrontational tone are then hardly in a position to complain (though it’s sometimes amusing when they do).

  2. Hasan

    I have rolled this out after some testing across all my sites. I think the frustration of supporting EOL versions of PHP is a fair call. PHP 5.2 has been EOL for 5 years and 1 month. The time to move on and bump the minimum supported PHP version came a long time ago.

  3. Ryan Hellyer

    Three years ago, I suggested that once WordPress upgrades its PHP requirement to 5.3, then the switch should be made. The hold-up here, in my opinion, is not this ticket about passwords, but related ones asking for the PHP version to be increased, which in turn are preventing the password ticket from being processed.

  4. Terence

    Well, it seems to be working OK by just dropping it into the /mu-plugins/ folder, BUT, not being a cryptographer, I could be kidding myself that I have done something positive for the security of my site, because I have no way to tell if it’s working or not.

  5. Central Geek

    Backward compatibility vs. security.. that’s amusing. Four years, that’s not long … really.. is it?

    Thanks for this post.

  6. mark k.

    Thinking about it some more… It is a weird discussion in which WordPress is trying to provide better security to sites running on, by definition, non-secure PHP versions. This is the list of security problems with 5.2 which probably no one is going to patch: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-106044/, and those are just the known ones :(

  7. Jeffrey

    If I install this plugin and later decide to remove it, will it mess up my login?

    • QWP6t

      The library that WordPress uses can handle bcrypt hashes. WordPress core goes out of its way to prevent the library from using it during hash creation, but it will fall back to it during verification.

      If any of that was confusing, then I’ll put it simply: No, it will not mess up your logins. They will continue to work even after removing the plugin. But the next time you create/change your password, the bcrypt hash will no longer be used.
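The mechanism QWP6t describes (new hashes written as bcrypt, old phpass hashes still verified, and an answer to Terence's question of how to tell which kind a site is storing) as an added illustration written for this page, not the Roots plugin's own code. It assumes the WordPress pluggable-function names wp_hash_password, wp_check_password and wp_set_password, the bundled PasswordHash class, and PHP 5.5 or later for password_hash; the helper bcrypt_demo_hash_kind is a hypothetical name.

```php
<?php
// Added illustration: pluggable overrides that hash new passwords with bcrypt,
// still verify legacy portable phpass ("$P$"/"$H$") hashes, and upgrade such a
// hash to bcrypt on the next successful login. Pre-2.5 plain MD5 hashes are
// not handled here. Assumes WordPress is loaded and PHP >= 5.5.

if ( ! function_exists( 'wp_hash_password' ) ) {
    function wp_hash_password( $password ) {
        // Cost 10 is PHP's default; raise it as your hardware allows.
        return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => 10 ) );
    }
}

if ( ! function_exists( 'wp_check_password' ) ) {
    function wp_check_password( $password, $hash, $user_id = '' ) {
        if ( strpos( $hash, '$P$' ) === 0 || strpos( $hash, '$H$' ) === 0 ) {
            // Legacy phpass hash: verify with the library WordPress bundles ...
            require_once ABSPATH . WPINC . '/class-phpass.php';
            $hasher = new PasswordHash( 8, true );
            $check  = $hasher->CheckPassword( $password, $hash );
            // ... and on success rewrite it through wp_hash_password (now bcrypt).
            if ( $check && $user_id ) {
                wp_set_password( $password, $user_id );
            }
        } else {
            $check = password_verify( $password, $hash );
            // Rehash if the stored cost no longer matches the configured cost.
            if ( $check && $user_id
                 && password_needs_rehash( $hash, PASSWORD_BCRYPT, array( 'cost' => 10 ) ) ) {
                wp_set_password( $password, $user_id );
            }
        }
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
}

// "Is it working?": classify a user_pass value as read from the wp_users table.
// Bcrypt hashes start with "$2y$" (PHP's password_hash) or "$2a$"; phpass
// portable hashes start with "$P$" or "$H$".
function bcrypt_demo_hash_kind( $hash ) {
    if ( strpos( $hash, '$2y$' ) === 0 || strpos( $hash, '$2a$' ) === 0 ) {
        return 'bcrypt';
    }
    if ( strpos( $hash, '$P$' ) === 0 || strpos( $hash, '$H$' ) === 0 ) {
        return 'phpass-md5';
    }
    return 'unknown';
}
```

Once the overrides are active, an existing user's hash changes from phpass-md5 to bcrypt only after that user logs in or resets their password; users who never log in keep the old hash.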

  8. KTS915

    I have installed this on a couple of sites, and it seems to be working fine. I can see the different style of password hashes in the database, and logins, etc. continue to work as before. So all good.

    I am wondering, though, why the pull request here hasn’t been warmly received. To a non-coder like me, it seems a good idea to build in some future-proofing, and the proposer argues that it has no downside. Is that right?

  9. Tracy

    Hi, thanks for this article on improving the password safety for WordPress sites.

    I’m not a developer, just a WordPress user, so hopefully someone can answer this.

    At the GitHub site it mentions you need to have PHP 5.5.0 for this plugin to work, but I’m not sure how to know if I have this or not. Is this something that would be within WordPress, or is it my host? Or maybe it’s something I should have on my computer while installing the plugin?

    Thanks in advance for your help. I have things like Wordfence running, and use 35-character random passwords to try and keep it secure, but it appears I should be implementing this plugin as well or the rest could be for nothing.

    Anyway, thanks again.

    • Primoz Cigler

      Hi Tracy,

      If you are on a shared hosting plan (I assume you are), you should write to your hosting provider and they can tell you which version of PHP you are using now, and they can also move your site to PHP 5.5.0 or later (5.6.0 is preferred).

      You cannot change the PHP within WP itself.

      Cheers!

    • Knut Sparhell

      The plugin WP-ServerInfo will report your PHP version, among many other server-related parameters.

      • Tracy

        Thank you Primoz Cigler and Knut Sparhell, I appreciate your responses. I’ll look into it today and see what I can do. I’ve already had a site hacked a couple of times and taken precautions to prevent it and this just seems like something I better do to help ensure it doesn’t happen again, lol.