Checks the plaintext password against the encrypted Password.

Maintains compatibility between old version and the new cookie authentication protocol using PHPass library. The $hash parameter is the encrypted password and the function compares the plain text password when encrypted similarly against the already encrypted password to see if they match.

For integration with other applications, this function can be overwritten to instead use the other package password checking algorithm.


wp_check_password( $password, $hash, $user_id = '' )
 (string) Plaintext user's password
 (string) Hash of the user's password to check against.
Default: ''


(boolean) False, if the $password does not match the hashed password


function wp_check_password($password, $hash, $user_id = '') {
	global $wp_hasher;

	// If the hash is still md5...
	if ( strlen($hash) <= 32 ) {
		$check = ( $hash == md5($password) );
		if ( $check && $user_id ) {
			// Rehash using new hash.
			wp_set_password($password, $user_id);
			$hash = wp_hash_password($password);

		 * Filter whether the plaintext password matches the encrypted password.
		 * @since 2.5.0
		 * @param bool   $check   Whether the passwords match.
		 * @param string $hash    The hashed password.
		 * @param int    $user_id User ID.
17 more lines...
WP Trac GitHub

Link here