Wordpress v6.8 Bcrypt - hmac-sha384
As announced on February 17, 2025, WordPress is switching their hash function to their own rolled version of bcrypt:

    bcrypt(base64(hmac-sha384(key="wp-sha384", password)))

How the WordPress custom bcrypt works:

1. Prehash: h = HMAC-SHA384(key="wp-sha384", msg=password)
2. Encode: b = base64(h)
3. Bcrypt: bcrypt(b, salt, cost) stored with the $wp$2y$ prefix

Example hash:plain

    $wp$2y$10$607XKVrBjPEqujeOXNwbYuOJ.gPMd2TelMMknmeV70Kap1E81Ovo6:hashpwn

WordPress Announcement:
https://make.wordpress.org/core/2025/02/17/wordpress-6-8-will-use-bcrypt-for-password-hashing/

If you need to generate a test hash or hash:plain, hashgen v1.2.0-dev supports this algo:

    hashgen -m wpbcrypt

https://github.com/cyclone-github/hashgen

Thanks to @penguinkeeper's PR, hashcat 7.x now supports this algo as -m 35500:
https://github.com/hashcat/hashcat/pull/4512

    echo hashpwn | ./hashcat -m 35500 -a 0 --potfile-disable '$wp$2y$10$607XKVrBjPEqujeOXNwbYuOJ.gPMd2TelMMknmeV70Kap1E81Ovo6'

For those not running the latest hashcat beta, you can also crack these with the Rust bridge.

Hashcat wpbcrypt bridge conversion script:

    # convert $wp$... hashes to hashcat bridge format
    ./wp2hashcat.py < wp_hash.txt

wp2hashcat.py

    #!/usr/bin/env python3
    import sys

    for line in sys.stdin:
        # drop the WordPress "$wp$" wrapper, leaving a standard bcrypt string
        s = line.strip().removeprefix("$wp$")
        if not s:
            continue  # skip blank lines
        if not s.startswith("$"):
            s = "$" + s
        # fields after split: "", variant (2y), cost, 22-char salt + digest
        _, algo, cost, rest = s.split("$", 3)
        # bridge format: <bcrypt hash>*<cost>*<salt>
        print(f"{s}*{cost}*{rest[:22]}")

Example hashcat rust bridge command:

    echo hashpwn | ./hashcat -m 74000 -a0 -w3 --session=bridge --potfile-disable \
      '$2y$10$607XKVrBjPEqujeOXNwbYuOJ.gPMd2TelMMknmeV70Kap1E81Ovo6*10*607XKVrBjPEqujeOXNwbYu' \
      --bridge-parameter1 ./bridges/subs/dynamic_hash.so \
      --bridge-parameter2 'bcrypt2y(cost=$s1,salt=$s2,hmac_sha384:b64(key="wp-sha384",$p))'

    Starting attack in stdin mode

    $2y$10$607XKVrBjPEqujeOXNwbYuOJ.gPMd2TelMMknmeV70Kap1E81Ovo6*10*607XKVrBjPEqujeOXNwbYu:hashpwn

    Session..........: bridge
    Status...........: Cracked
    Hash.Mode........: 74000 (Generic Hash [Bridged: Rust])
    Hash.Target......: $2y$10$607XKVrBjPEqujeOXNwbYuOJ.gPMd2TelMMknmeV70Ka...XNwbYu
    Time.Started.....: Mon Sep 29 15:10:57 2025 (0 secs)
    Time.Estimated...: Mon Sep 29 15:10:57 2025 (0 secs)
    Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
    Guess.Base.......: Pipe
    Speed.#*.........: 19 H/s
    Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
    Progress.........: 1
    Rejected.........: 0
    Restore.Point....: 0
    Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
    Candidate.Engine.: Device Generator
    Candidates.#01...: hashpwn -> hashpwn
    Hardware.Mon.#01.: Temp: 34c Fan: 0% Util: 25% Core:2625MHz Mem:10251MHz Bus:1

    Started: Mon Sep 29 15:10:53 2025
    Stopped: Mon Sep 29 15:10:59 2025
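
The prehash, encode and bcrypt steps listed at the top of the post, as an added Python example that is not part of the original post or of WordPress, hashgen or hashcat. The function names are hypothetical, and the final bcrypt check assumes the third-party `bcrypt` package is installed; parsing and prehashing use only the standard library.

```python
import base64
import hashlib
import hmac
import re

try:
    import bcrypt  # assumption: third-party "bcrypt" package, optional
except ImportError:
    bcrypt = None

# hash:plain pair quoted in the post above
SAMPLE_HASH = "$wp$2y$10$607XKVrBjPEqujeOXNwbYuOJ.gPMd2TelMMknmeV70Kap1E81Ovo6"
SAMPLE_PLAIN = "hashpwn"

# $wp$ + 2y + two-digit cost + 22-char salt + 31-char digest (bcrypt alphabet)
WP_RE = re.compile(r"^\$wp\$(2y)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def wp_prehash(password: str) -> bytes:
    """base64(HMAC-SHA384(key="wp-sha384", msg=password)): the bcrypt input."""
    mac = hmac.new(b"wp-sha384", password.encode("utf-8"), hashlib.sha384).digest()
    return base64.b64encode(mac)  # 48 bytes -> 64 ASCII chars, no padding


def parse_wp_hash(stored: str) -> dict:
    """Split a $wp$2y$ hash into its fields; raise ValueError if malformed."""
    stored = stored.strip()
    m = WP_RE.match(stored)
    if m is None:
        raise ValueError("not a $wp$2y$ hash")
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "salt": salt,
            "digest": digest, "bcrypt": stored[len("$wp"):]}  # plain $2y$ string


def verify_wp_hash(password: str, stored: str):
    """True/False on match; None when the bcrypt package is not installed."""
    fields = parse_wp_hash(stored)
    if bcrypt is None:
        return None
    return bcrypt.checkpw(wp_prehash(password), fields["bcrypt"].encode("ascii"))


if __name__ == "__main__":
    print(parse_wp_hash(SAMPLE_HASH))
    print(len(wp_prehash(SAMPLE_PLAIN)), verify_wp_hash(SAMPLE_PLAIN, SAMPLE_HASH))
```

The prehash is always 64 characters, so the string handed to bcrypt has the same length whatever the password length.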