One of my biggest security-related concerns was the fact that WordPress does NOT ever update the hashed user passwords. There are several other CMSs in use which do, like “AirShip”, and I believe Drupal might. This would be as simple as rehashing a user password after that user’s account has been logged in a certain number of times. This could be done during the particular log-in action if a “log-in counter” reaches the count that determines when a “refreshing” of the user’s password is due.
Note, this is NOT the same as actually changing a user-password.
If possible, an additional administrative setting would allow the administrator to set the rehash timing count to whatever value was deemed appropriate, based on the level of activity of the blog. Again, this rehashing of the user password would happen when the user is logging in, so very little processor time would be consumed in performing this function.
Since ClassicPress is targeted to work in PHP 7 and newer, there is no longer any need to use a “portable” password-hashing module with the backwards-compatibility code in it (speaking of the “PHPASS” module). It could be changed to prefer PHP’s built-in ARGON2ID password hashing, while still allowing older sites that are still using the old PHPASS methods to continue using the older PHP password-hashing functions.
I am more than willing to help out with the conceptual coding, at least of the new password-hashing module, as part of the solution.
But the main point I wanted to stress was that ClassicPress could benefit from a bit more improved security by periodically rehashing the user passwords in the database, and that it could be done with very light use of the computing resources.
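As an added example (not the poster’s code and not part of ClassicPress), here is a PHP sketch of the login-time rehash described above, built on PHP’s own password_verify, password_needs_rehash and password_hash. The REHASH_EVERY_N_LOGINS threshold, the user record layout and the bcrypt fallback for builds without argon2id are assumptions.

```php
<?php
// Added example, not ClassicPress code. Verify a login and, while the
// plaintext is available, opportunistically rehash the stored password.
declare(strict_types=1);

// Hypothetical admin-tunable setting: refresh the hash every N logins.
const REHASH_EVERY_N_LOGINS = 10;

// Prefer argon2id; PASSWORD_ARGON2ID only exists when PHP was built
// with libargon2, so fall back to bcrypt otherwise (assumption).
function preferred_algo(): string
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

/**
 * @param array $user ['hash' => string, 'logins' => int] (constructed record)
 * @return bool true on successful login; $user is updated in place
 */
function login(array &$user, string $password): bool
{
    // Legacy phpass "$P$" hashes are not understood by password_verify and
    // would need the old phpass check here before migrating; omitted.
    if (!password_verify($password, $user['hash'])) {
        return false;
    }
    $user['logins']++;

    // Rehash when (a) the stored hash no longer matches the preferred
    // algorithm/cost, or (b) the login counter hit the refresh threshold.
    $stale   = password_needs_rehash($user['hash'], preferred_algo());
    $counted = $user['logins'] % REHASH_EVERY_N_LOGINS === 0;
    if ($stale || $counted) {
        // Fresh salt and hash without the user changing the password;
        // this is the only point where the plaintext is in hand.
        $user['hash'] = password_hash($password, preferred_algo());
    }
    return true;
}

// Demo with a constructed user whose stored hash is older-style bcrypt.
$user   = ['hash' => password_hash('correct horse', PASSWORD_BCRYPT), 'logins' => 0];
$before = $user['hash'];
var_dump(login($user, 'wrong'));          // failed login leaves the hash untouched
var_dump(login($user, 'correct horse'));  // successful login may trigger a rehash
echo ($user['hash'] !== $before) ? "hash refreshed\n" : "hash kept\n";
```

On a build with argon2id the bcrypt hash is flagged stale on the first successful login and replaced; on a bcrypt-only build the counter alone decides when the hash is refreshed.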