diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index e84c075333..30905fca5e 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -1900,7 +1900,9 @@ function wp_login($username, $password, $already_md5 = false) {
$error = __('Error: Wrong login.');
return false;
} else {
- if ( ($already_md5 && $login->user_login == $username && $login->user_pass == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
+ // If the password is already_md5, it has been double hashed.
+ // Otherwise, it is plain text.
+ if ( ($already_md5 && $login->user_login == $username && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
return true;
} else {
$error = __('Error: Incorrect password.');
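Review bot: The rewritten condition still compares hash strings with loose `==`, so in `md5($login->user_pass) == $password` and `$login->user_pass == md5($password)` two digests that both look numeric (for example `0e` followed only by digits) are compared as numbers and can match without being identical. Use strict comparison, `md5($login->user_pass) === $password` and `$login->user_pass === md5($password)`, or a constant-time string compare if the supported PHP version provides one. The new comment says a password without `$already_md5` is plain text, but the second branch is not gated on `!$already_md5`, so a value passed with `$already_md5` set (presumably the cookie) is also tried as a plain-text password; adding `!$already_md5 &&` to that branch would make the code match the comment. The value accepted in the first branch is derived only from the stored hash, so it appears to stay valid until the password changes and could be computed by anyone able to read `user_pass`; a random server-side token would avoid that. The body of wp_login starts and ends outside this hunk.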
diff --git a/wp-login.php b/wp-login.php
index 5c9bae8040..d944f3a96e 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -159,7 +159,7 @@ default:
if ($log && $pwd) {
if ( wp_login($log, $pwd) ) {
$user_login = $log;
- $user_pass = md5($pwd);
+ $user_pass = md5(md5($pwd)); // Double hash the password in the cookie.
setcookie('wordpressuser_'. COOKIEHASH, $user_login, time() + 31536000, COOKIEPATH);
setcookie('wordpresspass_'. COOKIEHASH, $user_pass, time() + 31536000, COOKIEPATH);