: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in
return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
if ( ! function_exists( 'wp_hash' ) ) :
* Gets hash of given string.
* @param string $data Plain text to hash.
* @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce).
* @return string Hash of $data.
function wp_hash( $data, $scheme = 'auth' ) {
$salt = wp_salt( $scheme );
return hash_hmac( 'md5', $data, $salt );
if ( ! function_exists( 'wp_hash_password' ) ) :
* Creates a hash (encrypt) of a plain text password.
* For integration with other applications, this function can be overwritten to
* instead use the other package password checking algorithm.
* @global PasswordHash $wp_hasher PHPass object.
* @param string $password Plain text user password to hash.
* @return string The hash string of the password.
function wp_hash_password( $password ) {
if ( empty( $wp_hasher ) ) {
require_once ABSPATH . WPINC . '/class-phpass.php';
// By default, use the portable hash from phpass.
$wp_hasher = new PasswordHash( 8, true );
return $wp_hasher->HashPassword( trim( $password ) );
if ( ! function_exists( 'wp_check_password' ) ) :
* Checks the plaintext password against the encrypted Password.
* Maintains compatibility between old version and the new cookie authentication
* protocol using PHPass library. The $hash parameter is the encrypted password
* and the function compares the plain text password when encrypted similarly
* against the already encrypted password to see if they match.
* For integration with other applications, this function can be overwritten to
* instead use the other package password checking algorithm.
* @global PasswordHash $wp_hasher PHPass object used for checking the password
* against the $hash + $password.
* @uses PasswordHash::CheckPassword
* @param string $password Plaintext user's password.
* @param string $hash Hash of the user's password to check against.
* @param string|int $user_id Optional. User ID.
* @return bool False, if the $password does not match the hashed password.
function wp_check_password( $password, $hash, $user_id = '' ) {
// If the hash is still md5...
if ( strlen( $hash ) <= 32 ) {
$check = hash_equals( $hash, md5( $password ) );
if ( $check && $user_id ) {
// Rehash using new hash.
wp_set_password( $password, $user_id );
$hash = wp_hash_password( $password );
* Filters whether the plaintext password matches the encrypted password.
* @param bool $check Whether the passwords match.
* @param string $password The plaintext password.
* @param string $hash The hashed password.
* @param string|int $user_id User ID. Can be empty.
return apply_filters( 'check_password', $check, $password, $hash, $user_id );
* If the stored hash is longer than an MD5,
* presume the new style phpass portable hash.
if ( empty( $wp_hasher ) ) {
require_once ABSPATH . WPINC . '/class-phpass.php';
// By default, use the portable hash from phpass.
$wp_hasher = new PasswordHash( 8, true );
$check = $wp_hasher->CheckPassword( $password, $hash );
/** This filter is documented in wp-includes/pluggable.php */
return apply_filters( 'check_password', $check, $password, $hash, $user_id );
if ( ! function_exists( 'wp_generate_password' ) ) :
* Generates a random password drawn from the defined set of characters.
* Uses wp_rand() to create passwords with far less predictability
* than similar native PHP functions like `rand()` or `mt_rand()`.
* @param int $length Optional. The length of password to generate. Default 12.
* @param bool $special_chars Optional. Whether to include standard special characters.
* @param bool $extra_special_chars Optional. Whether to include other special characters.
* Used when generating secret keys and salts. Default false.
* @return string The random password.
function wp_generate_password( $length = 12, $special_chars = true, $extra_special_chars = false ) {
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
if ( $extra_special_chars ) {
$chars .= '-_ []{}<>~`+=,.;:/?|';
for ( $i = 0; $i < $length; $i++ ) {
$password .= substr( $chars, wp_rand( 0, strlen( $chars ) - 1 ), 1 );
* Filters the randomly-generated password.
* @since 5.3.0 Added the `$length`, `$special_chars`, and `$extra_special_chars` parameters.
* @param string $password The generated password.
* @param int $length The length of password to generate.
* @param bool $special_chars Whether to include standard special characters.
* @param bool $extra_special_chars Whether to include other special characters.
return apply_filters( 'random_password', $password, $length, $special_chars, $extra_special_chars );
if ( ! function_exists( 'wp_rand' ) ) :
* Generates a random non-negative number.
* @since 4.4.0 Uses PHP7 random_int() or the random_compat library if available.
* @since 6.1.0 Returns zero instead of a random number if both `$min` and `$max` are zero.
* @global string $rnd_value
* @param int $min Optional. Lower limit for the generated number.
* Accepts positive integers or zero. Defaults to 0.
* @param int $max Optional. Upper limit for the generated number.
* Accepts positive integers. Defaults to 4294967295.
* @return int A random non-negative number between min and max.
function wp_rand( $min = null, $max = null ) {
* Some misconfigured 32-bit environments (Entropy PHP, for example)
* truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
$max_random_number = 3000000000 === 2147483647 ? (float) '4294967295' : 4294967295; // 4294967295 = 0xffffffff
$max = $max_random_number;
// We only handle ints, floats are truncated to their integer value.
// Use PHP's CSPRNG, or a compatible method.
static $use_random_int_functionality = true;
if ( $use_random_int_functionality ) {
// wp_rand() can accept arguments in either order, PHP cannot.
$_max = max( $min, $max );
$_min = min( $min, $max );
$val = random_int( $_min, $_max );
$use_random_int_functionality = false;
$use_random_int_functionality = false;
} catch ( Exception $e ) {
$use_random_int_functionality = false;
* Reset $rnd_value after 14 uses.
* 32 (md5) + 40 (sha1) + 40 (sha1) / 8 = 14 random numbers from $rnd_value.
if ( strlen( $rnd_value ) < 8 ) {
if ( defined( 'WP_SETUP_CONFIG' ) ) {
$seed = get_transient( 'random_seed' );
$rnd_value = md5( uniqid( microtime() . mt_rand(), true ) . $seed );
$rnd_value .= sha1( $rnd_value );
$rnd_value .= sha1( $rnd_value . $seed );
$seed = md5( $seed . $rnd_value );
if ( ! defined( 'WP_SETUP_CONFIG' ) && ! defined( 'WP_INSTALLING' ) ) {
set_transient( 'random_seed', $seed );
// Take the first 8 digits for our value.
$value = substr( $rnd_value, 0, 8 );
// Strip the first eight, leaving the remainder for the next call to wp_rand().
$rnd_value = substr( $rnd_value, 8 );
$value = abs( hexdec( $value ) );
// Reduce the value to be within the min - max range.
$value = $min + ( $max - $min + 1 ) * $value / ( $max_random_number + 1 );
return abs( (int) $value );
if ( ! function_exists( 'wp_set_password' ) ) :
* Updates the user's password with a new encrypted one.
* For integration with other applications, this function can be overwritten to
* instead use the other package password checking algorithm.
* Please note: This function should be used sparingly and is really only meant for single-time
* application. Leveraging this improperly in a plugin or theme could result in an endless loop
* of password resets if precautions are not taken to ensure it does not execute on every page load.
* @global wpdb $wpdb WordPress database abstraction object.
* @param string $password The plaintext new user password.
* @param int $user_id User ID.
function wp_set_password( $password, $user_id ) {
$hash = wp_hash_password( $password );
'user_activation_key' => '',
array( 'ID' => $user_id )
clean_user_cache( $user_id );
* Fires after the user password is set.
* @param string $password The plaintext password just set.
* @param int $user_id The ID of the user whose password was just set.
do_action( 'wp_set_password', $password, $user_id );
if ( ! function_exists( 'get_avatar' ) ) :
* Retrieves the avatar `<img>` tag for a user, email address, MD5 hash, comment, or post.
* @since 4.2.0 Added the optional `$args` parameter.
* @since 5.5.0 Added the `loading` argument.
* @since 6.1.0 Added the `decoding` argument.
* @since 6.3.0 Added the `fetchpriority` argument.
* @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash,
* user email, WP_User object, WP_Post object, or WP_Comment object.
* @param int $size Optional. Height and width of the avatar in pixels. Default 96.
* @param string $default_value URL for the default image or a default type. Accepts:
* - '404' (return a 404 instead of a default image)
* - 'retro' (a 8-bit arcade-style pixelated face)
* - 'monsterid' (a monster)
* - 'wavatar' (a cartoon face)
* - 'identicon' (the "quilt", a geometric pattern)
* - 'mystery', 'mm', or 'mysteryman' (The Oyster Man)
* - 'blank' (transparent GIF)
* - 'gravatar_default' (the Gravatar logo)
* Default is the value of the 'avatar_default' option,
* with a fallback of 'mystery'.
* @param string $alt Optional. Alternative text to use in the avatar image tag.
* Optional. Extra arguments to retrieve the avatar.
* @type int $height Display height of the avatar in pixels. Defaults to $size.
* @type int $width Display width of the avatar in pixels. Defaults to $size.
* @type bool $force_default Whether to always show the default image, never the Gravatar.
* @type string $rating What rating to display avatars up to. Accepts:
* - 'G' (suitable for all audiences)
* - 'PG' (possibly offensive, usually for audiences 13 and above)
* - 'R' (intended for adult audiences above 17)
* - 'X' (even more mature than above)
* Default is the value of the 'avatar_rating' option.
* @type string $scheme URL scheme to use. See set_url_scheme() for accepted values.
* @type array|string $class Array or string of additional classes to add to the img element.
* @type bool $force_display Whether to always show the avatar - ignores the show_avatars option.
* @type string $loading Value for the `loading` attribute.
* @type string $fetchpriority Value for the `fetchpriority` attribute.
* @type string $decoding Value for the `decoding` attribute.
* @type string $extra_attr HTML attributes to insert in the IMG element. Is not sanitized.
* @return string|false `<img>` tag for the user's avatar. False on failure.
function get_avatar( $id_or_email, $size = 96, $default_value = '', $alt = '', $args = null ) {
// get_avatar_data() args.
'default' => get_option( 'avatar_default', 'mystery' ),
'force_default' => false,
'rating' => get_option( 'avatar_rating' ),
'force_display' => false,
$args['size'] = (int) $size;
$args['default'] = $default_value;
$args = wp_parse_args( $args, $defaults );
if ( empty( $args['height'] ) ) {
$args['height'] = $args['size'];
if ( empty( $args['width'] ) ) {
$args['width'] = $args['size'];
// Update args with loading optimized attributes.
$loading_optimization_attr = wp_get_loading_optimization_attributes( 'img', $args, 'get_avatar' );
$args = array_merge( $args, $loading_optimization_attr );
if ( is_object( $id_or_email ) && isset( $id_or_email->comment_ID ) ) {
$id_or_email = get_comment( $id_or_email );
* Allows the HTML for a user's avatar to be returned early.
* Returning a non-null value will effectively short-circuit get_avatar(), passing
* the value through the {@see 'get_avatar'} filter and returning early.
* @param string|null $avatar HTML for the user's avatar. Default null.
* @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash,
* user email, WP_User object, WP_Post object, or WP_Comment object.
* @param array $args Arguments passed to get_avatar_url(), after processing.
$avatar = apply_filters( 'pre_get_avatar', null, $id_or_email, $args );
if ( ! is_null( $avatar ) ) {
/** This filter is documented in wp-includes/pluggable.php */
return apply_filters( 'get_avatar', $avatar, $id_or_email, $args['size'], $args['default'], $args['alt'], $args );
if ( ! $args['force_display'] && ! get_option( 'show_avatars' ) ) {
$url2x = get_avatar_url( $id_or_email, array_merge( $args, array( 'size' => $args['size'] * 2 ) ) );
$args = get_avatar_data( $id_or_email, $args );
if ( ! $url || is_wp_error( $url ) ) {
$class = array( 'avatar', 'avatar-' . (int) $args['size'], 'photo' );
if ( ! $args['found_avatar'] || $args['force_default'] ) {
$class[] = 'avatar-default';
if ( is_array( $args['class'] ) ) {
$class = array_merge( $class, $args['class'] );
$class[] = $args['class'];
// Add `loading`, `fetchpriority`, and `decoding` attributes.
$extra_attr = $args['extra_attr'];
if ( in_array( $args['loading'], array( 'lazy', 'eager' ), true )
&& ! preg_match( '/\bloading\s*=/', $extra_attr )
if ( ! empty( $extra_attr ) ) {
$extra_attr .= "loading='{$args['loading']}'";
if ( in_array( $args['fetchpriority'], array( 'high', 'low', 'auto' ), true )
&& ! preg_match( '/\bfetchpriority\s*=/', $extra_attr )
if ( ! empty( $extra_attr ) ) {
$extra_attr .= "fetchpriority='{$args['fetchpriority']}'";
if ( in_array( $args['decoding'], array( 'async', 'sync', 'auto' ), true )
&& ! preg_match( '/\bdecoding\s*=/', $extra_attr )
if ( ! empty( $extra_attr ) ) {
$extra_attr .= "decoding='{$args['decoding']}'";
"<img alt='%s' src='%s' srcset='%s' class='%s' height='%d' width='%d' %s/>",
esc_attr( $args['alt'] ),
esc_url( $url2x ) . ' 2x',
esc_attr( implode( ' ', $class ) ),
* Filters the HTML for a user's avatar.
* @since 4.2.0 Added the `$args` parameter.
* @param string $avatar HTML for the user's avatar.
* @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash,
* user email, WP_User object, WP_Post object, or WP_Comment object.
* @param int $size Height and width of the avatar in pixels.
* @param string $default_value URL for the default image or a default type. Accepts:
* - '404' (return a 404 instead of a default image)
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
