How to Verify WordPress Password Hash in Python/Django?
I have a WordPress database that I am accessing from a Django site. I'd like to be able to log users in with their WordPress passwords. Is there a good way to do this in Python? I have tried these suggestions, but none have worked so far:
How to Verify WordPress 6.8 hash using Flask
validate wordpress user login from database using python
PHP password_verify() vs Python bcrypt.hashpw()
bcrypt.verify(plain_secret, users[0]['password'][3:])
    -> password cannot be longer than 72 bytes, truncate manually if necessary (e.g. my_password[:72])
bcrypt.verify(password, users[0]['password'])
    -> not a valid bcrypt hash
phpass.verify(password, users[0]['password'])
    -> not a valid phpass hash
phpass.verify(password, users[0]['password'][3:])
    -> not a valid phpass hash
Please provide an example of a plaintext and the corresponding hashed password.
Maybe first hash the password yourself and see if it is similar to the password in the database. It may show whether you are using the correct method or it needs something totally different.
Here's an example throwaway password and hash combination:
plaintext password: Mdd2#4E7!qf1C7wyvvJi^(Wo
WordPress hashed password: $2y$12$FIBdkza4o8tgDnl.tBpJUOq6vFJEkmeJEZHLrfbX.3sY8lpTqLNSC
Thanks. I tried this, and I was able to generate a similar hash with bcrypt, which verified successfully. One difference was that the hash generated by bcrypt started with $2b instead of $2y. However, when I swapped out the b for a y, it still worked. The hash itself was obviously different, due to the random salt being applied each time, but the structure looks the same.
I cannot figure out how to answer the question properly, because the "Answer" button is missing, but I did find the answer, so I'll post it in a comment here. It turns out that WordPress runs the hash_hmac function on the password first, and then runs the base64_encode function on the result before hashing it, so to verify it in Python you need to run the equivalent functions on the password before verifying the hash.
import base64, bcrypt, hashlib, hmac

password = input('password')
# WordPress 6.8+ first computes HMAC-SHA384(key='wp-sha384', msg=password),
# base64-encodes the raw digest, and only then runs bcrypt on that string.
prehash = base64.b64encode(
    hmac.new('wp-sha384'.encode('utf-8'), password.encode('utf-8'), hashlib.sha384).digest()
)
# wordpress_users: rows read from the wp_users table. The stored user_pass value
# starts with a '$wp' marker before the '$2y$...' bcrypt hash; drop those 3 characters.
bcrypt.checkpw(prehash, wordpress_users[0]['user_pass'][3:].encode('utf-8'))
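The snippet above covers only the 6.8+ format. A WordPress database that has been upgraded over the years usually still holds older hashes, and wp_check_password() dispatches on the stored prefix: '$wp' (6.8+ bcrypt over a trimmed, HMAC-SHA384 prehash), '$P$' (the phpass portable hash used before 6.8), a bare '$2y$' bcrypt hash (no prehash, e.g. written by a plugin), and a 32-hex unsalted md5 from very old installs. The following is an added example, not the poster's code and not WordPress's own: a stdlib-only port of those checks plus a helper for creating '$wp' hashes, with pyca/bcrypt as an optional dependency. Function names (check_wordpress_password, wp_prehash, phpass_check, make_wp_hash) are this example's own; the phpass test vector is the one shipped in phpass 0.3's test.php, the md5 line is md5("password"), and both are constructed test inputs rather than data from the question. Note that the example expects the '$wp' marker to be present, as it is in the database; the hash quoted earlier in the thread appears to have had it removed.

```python
"""Check (and create) WordPress password hashes from Python.

Added example, not the original poster's code. Handles every stored format
wp_check_password() accepts: '$wp$2y$...' (6.8+), '$P$...' (phpass),
bare '$2y$...' bcrypt (no prehash) and a 32-hex unsalted md5 (legacy).
"""
import base64
import hashlib
import hmac
from typing import Optional

try:
    import bcrypt  # third-party: pip install bcrypt
except ImportError:  # the phpass and md5 paths need only the standard library
    bcrypt = None

PHP_TRIM_CHARS = " \t\n\r\0\x0b"  # exactly what PHP's trim() strips
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def wp_prehash(password: str) -> bytes:
    """The 6.8+ prehash: base64(HMAC-SHA384(key='wp-sha384', msg=trim(password))).

    Always 64 ASCII bytes, so bcrypt's 72-byte cap never truncates it and the
    value can never contain a NUL byte.
    """
    trimmed = password.strip(PHP_TRIM_CHARS).encode("utf-8")
    return base64.b64encode(hmac.new(b"wp-sha384", trimmed, hashlib.sha384).digest())


def _phpass_encode64(raw: bytes) -> str:
    """phpass's own base64 variant: little-endian 6-bit groups, custom alphabet."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_check(password: str, setting: str) -> bool:
    """Pure-Python port of phpass CheckPassword() for '$P$'/'$H$' portable hashes."""
    if len(setting) != 34 or setting[:3] not in ("$P$", "$H$") or not setting.isascii():
        return False
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:  # phpass rejects these settings as well
        return False
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode("ascii") + pw).digest()  # salt + password
    for _ in range(1 << count_log2):  # then 2**N rounds of md5(previous + password)
        digest = hashlib.md5(digest + pw).digest()
    expected = setting[:12] + _phpass_encode64(digest)
    return hmac.compare_digest(expected.encode("ascii"), setting.encode("ascii"))


def _bcrypt_check(secret: bytes, stored: str) -> bool:
    if bcrypt is None:
        raise RuntimeError("bcrypt-based hashes need the bcrypt package")
    try:
        # pyca/bcrypt accepts PHP's '$2y$' marker as well as '$2a$' / '$2b$'.
        return bcrypt.checkpw(secret, stored.encode("ascii"))
    except ValueError:  # malformed hash (UnicodeEncodeError is a ValueError too)
        return False


def check_wordpress_password(password: str, stored: str) -> bool:
    """Dispatch on the stored hash's prefix the way wp_check_password() does."""
    if len(password) > 4096:  # WordPress refuses over-long inputs outright
        return False
    if stored.startswith("$wp"):  # drop the marker, then bcrypt over the prehash
        return _bcrypt_check(wp_prehash(password), stored[3:])
    if stored.startswith(("$P$", "$H$")):  # phpass; WordPress trims here as well
        return phpass_check(password.strip(PHP_TRIM_CHARS), stored)
    if len(stored) <= 32:  # legacy unsalted md5: rehash it after a successful login
        digest = hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")
        return hmac.compare_digest(digest, stored.encode("utf-8"))
    return _bcrypt_check(password.encode("utf-8"), stored)  # plain bcrypt, no prehash


def make_wp_hash(password: str, rounds: int = 10) -> Optional[str]:
    """Produce a hash WordPress 6.8+ accepts, e.g. when Django creates the account.

    Returns None without bcrypt. The '$2b$' marker pyca/bcrypt emits is rewritten
    to the '$2y$' that PHP writes; both sides verify either form.
    """
    if bcrypt is None:
        return None
    hashed = bcrypt.hashpw(wp_prehash(password), bcrypt.gensalt(rounds)).decode("ascii")
    return "$wp$2y$" + hashed[4:] if hashed.startswith("$2b$") else "$wp" + hashed
```

Call check_wordpress_password(password, row["user_pass"]) from a Django authentication backend, and on a successful login against a '$P$' or md5 row, store make_wp_hash(password) back to the table: WordPress itself upgrades legacy hashes on login, and the Django side should not leave unsalted md5 rows in place any longer than WordPress would.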