The return value of wp_hash_password() is determined by one of the following:
- \PasswordHash::HashPassword() – always returns a non-falsy-string.
- password_hash() – returns a non-falsy-string for valid algorithms. For invalid algorithms, it gives a warning and returns null on PHP 7 and throws a ValueError on PHP 8.
- base64_encode(hash_hmac()) – returns a non-falsy-string for valid algorithms. For invalid algorithms, it gives a warning and returns an empty string ('') on PHP 7 and throws a ValueError on PHP 8.
- '*'.
The applied algorithm is filterable and not validated. Consequently, the overall return type is string|null on PHP 7 and non-falsy-string on PHP 8.
Leaving this here for future reference, or in case somebody wishes to take it up.
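A caller-side guard for the return values listed above, as an added example that is not part of the original comment and is not WordPress code. The helper name `hash_password_or_fail()`, the `no-such-algo` algorithm name and the sample callables are hypothetical and constructed for illustration.

```php
<?php
/**
 * Hypothetical helper (not WordPress core): run a hashing callable and
 * accept only a usable hash, so null, '' or '*' is never stored.
 */
function hash_password_or_fail(callable $hasher, string $password): string
{
    try {
        // @ silences the PHP 7 warning; the return value is checked below.
        $hash = @$hasher($password);
    } catch (\ValueError $e) {
        // PHP 8: an invalid algorithm throws instead of returning null or ''.
        throw new \RuntimeException('Password hashing failed: invalid algorithm', 0, $e);
    }

    // PHP 7: null from password_hash(), '' from base64_encode(hash_hmac()).
    // '*' is the remaining non-hash return value from the list above.
    if (!is_string($hash) || $hash === '' || $hash === '*') {
        throw new \RuntimeException('Password hashing failed: unusable hash value');
    }

    return $hash;
}

// Constructed sample hashers standing in for the code paths listed above.
$cases = [
    'valid bcrypt'       => fn(string $p) => password_hash($p, PASSWORD_BCRYPT),
    'invalid algorithm'  => fn(string $p) => password_hash($p, 'no-such-algo'),
    'invalid hmac algo'  => fn(string $p) => base64_encode(hash_hmac('no-such-algo', $p, 'key', true)),
    'star return value'  => fn(string $p) => '*',
];

foreach ($cases as $label => $hasher) {
    try {
        $hash = hash_password_or_fail($hasher, 'correct horse battery staple');
        printf("%-18s accepted (%d chars)\n", $label, strlen($hash));
    } catch (\RuntimeException $e) {
        printf("%-18s rejected: %s\n", $label, $e->getMessage());
    }
}
```

The same guard gives one failure path on both PHP 7 and PHP 8, so the calling code does not need to branch on the PHP version.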