# JPKCom Enable Argon2 — Guide & Tips

> How to switch WordPress password hashes to Argon2id with JPKCom Enable Argon2 — installation, requirements and practical migration tips.

Source: https://www.jpkc.com/db/en/guides/jpkcom-argon2/

JPKCom Enable Argon2 switches your WordPress password hashes to **Argon2id**, the memory- and compute-hard winner of the Password Hashing Competition. It is useful when you want to go beyond the bcrypt default that WordPress has shipped since 6.8.

## Guide

### Requirements

- WordPress **6.9** or newer
- PHP **8.3** or newer with Argon2id support (`PASSWORD_ARGON2ID`)
- Multisite is supported (the plugin is network-enabled)

### Installation

1. In your admin panel, go to **Plugins → Add New** and click **Upload Plugin**.
2. Choose the plugin's ZIP file and click **Install Now**.
3. Click **Activate**.

There is **no settings page** — once active, the plugin takes effect automatically.

### How it works

Since WordPress 6.8, core has used bcrypt for password hashes by default (previously phpass). This plugin enables Argon2id instead. Argon2id is designed to be memory-hard, which makes GPU-based brute-force attacks considerably harder. For background on the core change, see the [WordPress core post on password hashing](https://make.wordpress.org/core/2025/02/17/wordpress-6-8-will-use-bcrypt-for-password-hashing/).

## Tips & Tricks

- **Existing hashes migrate gradually:** WordPress only rehashes a password on the user's next successful login. The switch to Argon2id therefore happens over time — no mass reset required. For sensitive accounts you can force a password reset so the new algorithm applies immediately.
- **Check Argon2id support:** Make sure your PHP build supports Argon2id (the `PASSWORD_ARGON2ID` constant is defined). Otherwise the algorithm is unavailable.
- **Only one plugin should own hashing:** If another security plugin also touches password hashing, clarify responsibilities — otherwise the methods override each other.
- **Reproducible updates:** Since version 2.0.2 the plugin uses secure self-hosted updates via GitHub with SHA256 checksums and runs with `declare(strict_types=1)`.
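
The first two tips can be tried outside WordPress with PHP's native password API. The script below is an added example, not code from the plugin or from WordPress core: it checks for Argon2id support and shows why a stored hash can only be upgraded at a successful login, when the plaintext is available. The function names `argon2id_available()` and `login_and_upgrade()` and the sample password are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example: plain PHP CLI script, WordPress is not loaded.
// Function names are hypothetical, not part of the plugin or of WordPress.

/** True when this PHP build can create Argon2id hashes. */
function argon2id_available(): bool
{
    return defined('PASSWORD_ARGON2ID')
        && in_array(PASSWORD_ARGON2ID, password_algos(), true);
}

/**
 * Verify a login attempt and upgrade the stored hash on success.
 * Returns the hash to store afterwards, or null when the login fails.
 */
function login_and_upgrade(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null; // wrong password: the stored hash stays untouched
    }
    if (argon2id_available() && password_needs_rehash($storedHash, PASSWORD_ARGON2ID)) {
        // The plaintext is only known at this moment, so rehash now.
        return password_hash($password, PASSWORD_ARGON2ID);
    }
    return $storedHash; // already Argon2id with current parameters
}

if (!argon2id_available()) {
    fwrite(STDERR, "Argon2id is not available in this PHP build\n");
    exit(1);
}

// Constructed sample: an account whose hash was created before the switch.
$password = 'correct horse battery staple';
$stored   = password_hash($password, PASSWORD_BCRYPT);

// A failed login never changes the stored hash.
echo 'failed login upgrades hash: ';
var_dump(login_and_upgrade('wrong guess', $stored) !== null);

// The first successful login replaces the bcrypt hash with Argon2id.
$after = login_and_upgrade($password, $stored);
echo password_get_info($stored)['algoName'], ' -> ',
     password_get_info($after)['algoName'], PHP_EOL;

// Later logins keep the Argon2id hash as it is.
echo 'second login rehashes again: ';
var_dump(login_and_upgrade($password, $after) !== $after);
```

Accounts that never log in keep their old hash, which is why a forced reset is the only way to move a sensitive account immediately.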

## Further reading

- Source code on GitHub: <https://github.com/JPKCom/jpkcom-argon2>
- API documentation (PHPDoc): <https://jpkcom.github.io/jpkcom-argon2/docs/>
- Background: [WordPress 6.8 & password hashing](https://make.wordpress.org/core/2025/02/17/wordpress-6-8-will-use-bcrypt-for-password-hashing/)
- [This project's changelog](https://www.jpkc.com/db/en/changelog/jpkcom-argon2/)

