by eisa01 1210 days ago
Wow, WordPress still uses MD5 hashes for passwords? That's really taking backward compatibility with old PHP versions too far!

https://github.com/roots/wp-password-bcrypt#readme https://core.trac.wordpress.org/ticket/21022

2 comments
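For context on what the linked plugin fixes: WordPress core stores passwords as phpass "portable" hashes (an MD5-based construction whose hashes begin with `$P$`), and `wp_hash_password()` / `wp_check_password()` are pluggable, so a must-use plugin loaded before `pluggable.php` can replace them. The following is an added illustration of that migrate-on-login pattern; it is not the thread's code and not the code of roots/wp-password-bcrypt. It assumes PHP 5.5+ (`password_hash()`, `password_verify()`, `password_needs_rehash()`), that the file lives in `wp-content/mu-plugins/`, and a bcrypt cost of 12, which is a placeholder to be tuned on the target hardware.

```php
<?php
/**
 * Hypothetical must-use plugin: wp-content/mu-plugins/bcrypt-passwords.php
 *
 * Replaces WordPress's pluggable password functions so that new hashes use
 * password_hash() (bcrypt via PASSWORD_DEFAULT) and existing phpass hashes
 * are upgraded transparently the next time their owner logs in successfully.
 * Added example, not the code of WordPress core or wp-password-bcrypt.
 */

// Assumed cost; measure so one hash takes on the order of 100 ms on the server.
const BCRYPT_EXAMPLE_COST = 12;

if (!function_exists('wp_hash_password')) {
    function wp_hash_password($password) {
        return password_hash($password, PASSWORD_DEFAULT, ['cost' => BCRYPT_EXAMPLE_COST]);
    }
}

if (!function_exists('wp_check_password')) {
    function wp_check_password($password, $hash, $user_id = '') {
        // Legacy portable phpass hashes written by core start with "$P$".
        if (strpos($hash, '$P$') === 0) {
            require_once ABSPATH . WPINC . '/class-phpass.php';
            $hasher = new PasswordHash(8, true);
            $check  = $hasher->CheckPassword($password, $hash);

            // Upgrade on login: the plaintext is available only now, so this
            // is the one moment the stored hash can be replaced with bcrypt.
            if ($check && $user_id) {
                wp_set_password($password, $user_id);
            }
            return apply_filters('check_password', $check, $password, $hash, $user_id);
        }

        // Already a password_hash() hash: constant-time verification.
        $check = password_verify($password, $hash);

        // Also rehash if the algorithm or cost has since been raised.
        if ($check && $user_id
            && password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => BCRYPT_EXAMPLE_COST])) {
            wp_set_password($password, $user_id);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
}
```

The design point is that hashes are never rewritten in bulk: a stored `$P$` hash cannot be converted without the plaintext, so each account is migrated on its next successful login, and accounts that never log in keep the weaker hash until a reset. The `password_needs_rehash()` branch lets the cost be raised later without another migration mechanism.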

Assuming you use unique passwords for your services, I think the crackability of a password isn't too big of a risk. You need to find a password dump somewhere for a specific website. I'd wager that most WordPress instances have only a few (if more than one) users in their database, you won't easily find a WordPress dump with a million passwords in it.

With an admin password you can probably upload some executable code, but if you can find a database dump online I doubt you'll have too much effort exploiting a WordPress plugin anyway.

You do realise 70% of the web is powered by WordPress, including huge communities and platforms? That most people do not, in fact, use unique passwords per service? That password dumps are easy to find online? That haveibeenpwned is a thing?

Just because WordPress plugins are notoriously bad quality doesn't mean you should be lax with password security.

It's not about backwards compatibility. It's about sheer incompetence of the WordPress developers.

I have never seen such a badly coded mess.

I ask every downvoter to prove me wrong. I'm sure none of them have ever seen any piece of WordPress code (or documentation, or anything else).