It's using Phpass by Solar Designer, which is not the same thing as merely "using MD5". Typically, I reserve that choice of words for constructions like this:
This MD5 code is still bad. They really should migrate to just using password_hash() and password_verify(), but they won't. They're committed to supporting PHP 5.2.x forever (or at least until every shared host in existence stops supporting 5.2, which is effectively forever).
We wrote a plugin for this a while ago that uses crypt(3) with 5000 rounds SHA-256 and a 96-bit salt – it's the safest method I found that fit within WordPress' password hash column without altering it, even if I'd have preferred scrypt (argon2 wasn't out yet).
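The scheme that comment describes (SHA-256 crypt, 5000 rounds, 96-bit salt) can be sketched as follows. This is an added example, not the plugin's code: the function names are hypothetical, and it assumes PHP 7+ for `random_int()` and `hash_equals()`.

```php
<?php
// Added illustration of SHA-256 crypt(3) hashing; names are hypothetical.

// The 64-character alphabet crypt(3) accepts in a salt (6 bits per character).
const CRYPT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/** 16 salt characters x 6 bits = 96 bits, the longest salt SHA-crypt uses. */
function sha256crypt_salt(): string
{
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= CRYPT_ALPHABET[random_int(0, 63)]; // CSPRNG-backed
    }
    return $salt;
}

function sha256crypt_hash(string $password, int $rounds = 5000): string
{
    // "$5$" selects SHA-256 crypt; rounds and salt are stored in the output.
    $setting = sprintf('$5$rounds=%d$%s$', $rounds, sha256crypt_salt());
    $hash = crypt($password, $setting);
    // On failure crypt() returns a short marker such as "*0", not a hash.
    if (strlen($hash) < 20 || strncmp($hash, '$5$', 3) !== 0) {
        throw new RuntimeException('SHA-256 crypt is unavailable');
    }
    return $hash;
}

function sha256crypt_verify(string $password, string $stored): bool
{
    if (strncmp($stored, '$5$', 3) !== 0) {
        return false; // other formats (e.g. phpass "$P$") are handled elsewhere
    }
    // crypt() re-reads the rounds and salt from the stored string;
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample input.
$stored = sha256crypt_hash('correct horse battery staple');
echo $stored, "\n";
var_dump(sha256crypt_verify('correct horse battery staple', $stored));
var_dump(sha256crypt_verify('wrong guess', $stored));
```

Because the algorithm tag, round count and salt all travel inside the stored string, the hash goes into the existing column as one value and can be told apart from older hashes by its prefix.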
https://github.com/WordPress/WordPress/blob/6edbcc88ff5ba0ac...
Note that, on newer versions of PHP, bcrypt will be used instead of the method linked by this HN submission.