wp_check_password

The timeline below displays how wordpress function wp_check_password has changed across different WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.3

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *                                 against the $hash + $password.
 * @uses PasswordHash::CheckPassword
 *
 * @param string     $password Plaintext user's password.
 * @param string     $hash     Hash of the user's password to check against.
 * @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password.
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filters whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    /*
     * If the stored hash is longer than an MD5,
     * presume the new style phpass portable hash.
     */
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass.
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 6.1

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *                                 against the $hash + $password.
 * @uses PasswordHash::CheckPassword
 *
 * @param string     $password Plaintext user's password.
 * @param string     $hash     Hash of the user's password to check against.
 * @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password.
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filters whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5,
    // presume the new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass.
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 5.5

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *                                 against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string     $password Plaintext user's password
 * @param string     $hash     Hash of the user's password to check against.
 * @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filters whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5,
    // presume the new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass.
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 5.4

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *  against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string     $password Plaintext user's password
 * @param string     $hash     Hash of the user's password to check against.
 * @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filters whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5,
    // presume the new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass.
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 5.1

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *  against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string     $password Plaintext user's password
 * @param string     $hash     Hash of the user's password to check against.
 * @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filters whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 4.8

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string     $password Plaintext user's password
 * @param string     $hash     Hash of the user's password to check against.
 * @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filters whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 4.7

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string     $password Plaintext user's password
 * @param string     $hash     Hash of the user's password to check against.
 * @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filters whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 4.6

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string     $password Plaintext user's password
 * @param string     $hash     Hash of the user's password to check against.
 * @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filters whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 4.5

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string     $password Plaintext user's password
 * @param string     $hash     Hash of the user's password to check against.
 * @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filter whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 4.3

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global PasswordHash $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash     Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filter whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool   $check    Whether the passwords match.
         * @param string $password The plaintext password.
         * @param string $hash     The hashed password.
         * @param int    $user_id  User ID.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 4.1

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filter whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool   $check    Whether the passwords match.
         * @param string $password The plaintext password.
         * @param string $hash     The hashed password.
         * @param int    $user_id  User ID.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 0.1

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filter whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool   $check   Whether the passwords match.
         * @param string $hash    The hashed password.
         * @param int    $user_id User ID.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 4.0

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filter whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool   $check   Whether the passwords match.
         * @param string $hash    The hashed password.
         * @param int    $user_id User ID.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 9.3

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filter whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool   $check   Whether the passwords match.
         * @param string $hash    The hashed password.
         * @param int    $user_id User ID.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 9.2

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filter whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool   $check   Whether the passwords match.
         * @param string $hash    The hashed password.
         * @param int    $user_id User ID.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: .10

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filter whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool   $check   Whether the passwords match.
         * @param string $hash    The hashed password.
         * @param int    $user_id User ID.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 3.9

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        /**
         * Filter whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool   $check   Whether the passwords match.
         * @param string $hash    The hashed password.
         * @param int    $user_id User ID.
         */
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 8.5

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 8.4

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: .30

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 8.3

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: .20

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 8.2

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: .10

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 3.8

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: .40

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 7.4

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: .30

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 7.3

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: .20

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 7.2

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: .10

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

WordPress Version: 3.7

/**
 * Checks the plaintext password against the encrypted Password.
 *
 * Maintains compatibility between old version and the new cookie authentication
 * protocol using PHPass library. The $hash parameter is the encrypted password
 * and the function compares the plain text password when encrypted similarly
 * against the already encrypted password to see if they match.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
 * @param string $password Plaintext user's password
 * @param string $hash Hash of the user's password to check against.
 * @return bool False, if the $password does not match the hashed password
 */
function wp_check_password($password, $hash, $user_id = '')
{
    global $wp_hasher;
    // If the hash is still md5...
    if (strlen($hash) <= 32) {
        $check = $hash == md5($password);
        if ($check && $user_id) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if (empty($wp_hasher)) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);
    return apply_filters('check_password', $check, $password, $hash, $user_id);
}