Why Does WordPress Continue to Use MD5?
Rewind the tape a bit, and you’ll see that implementing a strong hashing algorithm into a PHP project wasn’t exactly a walk in the park. However, PHP 5.5 introduced official support for bcrypt, with native functions for both hashing passwords and verifying them during login attempts.
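The native functions mentioned above, shown as an added example that is not taken from the article or from WordPress core: a login check that still accepts a legacy MD5-based hash and replaces it with bcrypt once the user supplies the correct password. The `md5$<salt>$<hex>` format, the helper names and the cost of 12 are assumptions made for illustration, and the legacy format is a stand-in rather than WordPress's own scheme.

```php
<?php
// Added example: hypothetical helper names, constructed sample data. PHP 7.1+.
const BCRYPT_OPTIONS = ['cost' => 12]; // assumed work factor; tune per server

// Stand-in legacy format "md5$<salt>$<hex>" (constructed, not WordPress's own).
function legacy_md5_hash(string $password, string $salt): string
{
    return 'md5$' . $salt . '$' . md5($salt . $password);
}

function verify_legacy(string $password, string $stored): bool
{
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3 || $parts[0] !== 'md5') {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals($stored, legacy_md5_hash($password, $parts[1]));
}

// Returns [bool $ok, ?string $replacementHash]. The caller stores the
// replacement when it is not null.
function check_login(string $password, string $stored): array
{
    if (strncmp($stored, 'md5$', 4) === 0) {
        if (!verify_legacy($password, $stored)) {
            return [false, null];
        }
        // Correct password against a legacy hash: re-hash with bcrypt now,
        // while the plaintext is available.
        return [true, password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Already bcrypt: re-hash only if the stored cost is out of date.
    $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    return [true, $stale ? password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS) : null];
}

// Constructed user record holding a legacy hash.
$stored = legacy_md5_hash('correct horse battery', 'a1b2c3d4');
[$ok, $replacement] = check_login('correct horse battery', $stored);
if ($ok && $replacement !== null) {
    $stored = $replacement; // a real application would write this to its user table
}
[$okAgain, $second] = check_login('correct horse battery', $stored);
[$okWrong] = check_login('wrong guess', $stored);
var_dump($ok, password_get_info($stored)['algoName'], $okAgain, $second, $okWrong);
```

Accounts that never log in again keep their legacy hash under this approach, so the old verification path has to stay in place until those records are reset or retired.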
WordPress’s hashing mechanism does offer sufficient security at this time. Still, many people argue that keeping it as it is makes no sense given the availability of stronger algorithms that can be implemented without too much hassle.
Yet, WordPress’s development team seems strangely reluctant to make any changes to this particular part of the core. The reason for this is backward compatibility.
WordPress maintains its popularity and continues to grow its market share not only because it’s incredibly versatile and easy to use but also because it will run on just about any hosting platform. Far too many people use legacy systems to build new projects, and many existing websites run in woefully outdated hosting environments.
2023 article
How Does WordPress Hash Passwords?