Title: MD5 encryption.
Last modified: March 29, 2023

---

# MD5 encryption.

 *  Resolved [h299](https://wordpress.org/support/users/h299/)
 * (@h299)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/md5-encryption/)
 * A site was hacked a while ago called _[ gratuitous link removed ]_ exposing personal
   data, and it used md5 for encryption if I remember correctly. The problem is 
   WordPress uses MD5 unless I’m mistaken, and I have read about it being unsecure
   = hackable, so is this true and if so when is WordPress going to do something
   about it?
    -  This topic was modified 3 years, 2 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [3 years, 2 months ago](https://wordpress.org/support/topic/md5-encryption/#post-16607040)
 * > and it used md5 for encryption if I remember correctly
 * That’s not correct and is not why sites are hacked. Plugin and Theme vulnerabilities
   from an unmaintained site are a much faster and simpler attack vector.
 * > and if so when is WordPress going to do something about it?
 * Never? Nothing?
 * Those statements from me will solicit at least a whole blog post from one or
   more deranged, perseverative, and frankly desperate-for-attention plugin “security”
   companies.
 * _*Drinks coffee*_
 * I am not part of the Security Team at WordPress and non-breaking code updates
   to improve all the things, including security, happen all the time.
 * Here’s what I mean: if someone gets a hold of your backup and it includes your
   `wp-config.php` file and your database dump as well, then yes. Game over.
 * _Double Edit:_ Geez, I need more coffee. Hashes can’t be un-hashed, it’s a one-way
   function. At best you can see if the salt+password hash matches a dictionary.
   Use strong passwords, “Password123” is definitely in many password dictionaries.
 * Secure your backups well. If your backups live on your WordPress server and an
   attacker got them that way then don’t worry about WordPress security. You probably
   have bigger problems.
 * There are things you can do to aid yourself in securing your system.
 * **Use salts in your `wp-config.php` file.**
 * [https://api.wordpress.org/secret-key/1.1/salt/](https://api.wordpress.org/secret-key/1.1/salt/)
 * This article explains that in-depth.
 * [https://kinsta.com/knowledgebase/wordpress-salts/](https://kinsta.com/knowledgebase/wordpress-salts/)
 * **Use Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA).**
 * _Disclaimer:_ I work for a company that sells MFA among other security items.
 * With 2FA or MFA you can add a component to your login that will help lots. With
   _some 2FA_ it may be possible to get in via that backup and the 2FA config (probably
   not, I have not looked in a while) but with a cloud-based MFA the authentication
   is configured on your site and the actual auth part is done in the cloud.
 * This is a good 2FA plugin and is used by many. It supports RFC time-based and
   FIDO hardware (Yubikey) authentication.
 * [https://wordpress.org/plugins/two-factor/](https://wordpress.org/plugins/two-factor/)
 * Does that help answer your question about MD5 and why it doesn’t matter as much
   as it may seem?
    -  This reply was modified 3 years, 2 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
      Reason: Added link to 2FA plugin
    -  This reply was modified 3 years, 2 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
      Reason: Updated re un-hash
    -  This reply was modified 3 years, 2 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
      Reason: Geez, I need more coffee
 *  Thread Starter [h299](https://wordpress.org/support/users/h299/)
 * (@h299)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/md5-encryption/#post-16607083)
 * Yes, and many thanks. I think I’m going to use YubiKey and will check out the
   plugin you recommended.
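
The moderator's point that a hash cannot be reversed, yet a salt+password hash can still be matched against a dictionary, shown as an added example (not part of the thread and not WordPress's own hashing code). The users, salts, word list and the `salted_hash` construction are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: (user, salt, password). Salts are fixed for repeatability;
# a real system would generate a random salt per user.
SAMPLE_USERS = [
    ("alice", bytes.fromhex("a1b2c3d4e5f60718"), "Password123"),
    ("bob",   bytes.fromhex("0f1e2d3c4b5a6978"), "Password123"),
    ("carol", bytes.fromhex("1122334455667788"), "vR7#qLm2!tZx9@Wc4pHs"),
]
# Constructed stand-in for a public password dictionary.
WORDLIST = ["123456", "letmein", "qwerty", "Password123", "admin"]

def salted_hash(salt: bytes, password: str) -> str:
    """Illustrative salt+password hash (assumption: not WordPress's real scheme)."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()

def build_records(users):
    """What a leaked database dump would hold: salt and hash, never the password."""
    return {name: (salt, salted_hash(salt, pw)) for name, salt, pw in users}

def audit(records, wordlist):
    """Return {user: word} for every stored hash that a dictionary word reproduces."""
    weak = {}
    for name, (salt, stored) in records.items():
        for word in wordlist:
            if hmac.compare_digest(salted_hash(salt, word), stored):
                weak[name] = word
                break
    return weak

if __name__ == "__main__":
    records = build_records(SAMPLE_USERS)
    # Same password, different salts: the stored hashes do not reveal the reuse.
    print(records["alice"][1] != records["bob"][1])
    # Nothing is "un-hashed": each guess is hashed forward and compared.
    print(audit(records, WORDLIST))
```

The salt keeps identical passwords from producing identical hashes, but only a password absent from every dictionary survives the audit.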


The topic ‘MD5 encryption.’ is closed to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 3 replies
 * 2 participants
 * Last reply from: [h299](https://wordpress.org/support/users/h299/)
 * Last activity: [3 years, 2 months ago](https://wordpress.org/support/topic/md5-encryption/#post-16607083)
 * Status: resolved

