JPKCom Enable Argon2 — Guide & Tips

How to switch WordPress password hashes to Argon2id with JPKCom Enable Argon2 — installation, requirements and practical migration tips.

JPKCom Enable Argon2 switches your WordPress password hashes to Argon2id, the memory- and compute-hard winner of the Password Hashing Competition. It is useful when you want to go beyond the bcrypt default that WordPress has shipped since 6.8.

Guide

Requirements

  • WordPress 6.9 or newer
  • PHP 8.3 or newer with Argon2id support (PASSWORD_ARGON2ID)
  • Multisite is supported (the plugin is network-enabled)

Installation

  1. In your admin panel, go to Plugins → Add New and click Upload Plugin.
  2. Choose the plugin's ZIP file and click Install Now.
  3. Click Activate.

There is no settings page — once active, the plugin takes effect automatically.

How it works

Since WordPress 6.8, core has used bcrypt for password hashes by default (previously phpass). This plugin enables Argon2id instead. Argon2id is designed to be memory-hard, which makes GPU-based brute-force attacks considerably harder. For background on the core change, see the WordPress core post on password hashing.

Tips & Tricks

  • Existing hashes migrate gradually: WordPress only rehashes a password on the user's next successful login. The switch to Argon2id therefore happens over time — no mass reset required. For sensitive accounts you can force a password reset so the new algorithm applies immediately.
  • Check Argon2id support: Make sure your PHP build supports Argon2id (the PASSWORD_ARGON2ID constant is defined). Otherwise the algorithm is unavailable.
  • Only one plugin should own hashing: If another security plugin also touches password hashing, clarify responsibilities — otherwise the methods override each other.
  • Reproducible updates: Since version 2.0.2 the plugin uses secure self-hosted updates via GitHub with SHA256 checksums and runs with declare(strict_types=1).
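
The first two tips in practice, as an added example that is not the plugin's code: a standalone PHP CLI script that checks for Argon2id support and then shows why a stored hash can only be upgraded on a successful login. It uses PHP's native password_* functions on a plain bcrypt hash rather than WordPress's own password handling; verify_and_upgrade() and the sample password are hypothetical.

```php
<?php
declare(strict_types=1);

// Step 1: confirm this PHP build can produce Argon2id hashes at all.
if (!defined('PASSWORD_ARGON2ID') || !in_array('argon2id', password_algos(), true)) {
    fwrite(STDERR, "Argon2id is not available in this PHP build\n");
    exit(1);
}

/**
 * Hypothetical login helper: verify the password, then upgrade the stored
 * hash if it was not produced with Argon2id. Returns [ok, hashToStore].
 */
function verify_and_upgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, $storedHash]; // failed login: the hash is left untouched
    }
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2ID)) {
        // The plaintext is only known at login, so this is the one place
        // where an old hash can be replaced without a password reset.
        return [true, password_hash($password, PASSWORD_ARGON2ID)];
    }
    return [true, $storedHash];
}

// Constructed sample data: a legacy bcrypt hash for a made-up password.
$password = 'correct horse battery staple';
$legacy   = password_hash($password, PASSWORD_BCRYPT);

// A wrong guess never triggers a rehash.
[$ok, $hash] = verify_and_upgrade('wrong guess', $legacy);
printf("wrong password: ok=%s algo=%s\n",
    var_export($ok, true), password_get_info($hash)['algoName']);

// The first successful login replaces the bcrypt hash with Argon2id.
[$ok, $upgraded] = verify_and_upgrade($password, $legacy);
printf("first login:    ok=%s algo=%s\n",
    var_export($ok, true), password_get_info($upgraded)['algoName']);

// Later logins verify against the Argon2id hash and leave it alone.
[$ok, $again] = verify_and_upgrade($password, $upgraded);
printf("second login:   ok=%s rehashed=%s\n",
    var_export($ok, true), var_export($again !== $upgraded, true));
```

Accounts that never log in keep their old hash, which is why the tip above suggests forcing a reset for sensitive accounts.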

Further reading