Security Corner:
Secure Remote Password Authentication

By Eric Mann

A solid practice in protecting user credentials is to never store passwords in plaintext on the server. Modern content management systems and PHP frameworks leverage strong one-way functions to store only hashes of passwords. This technique protects your users should your database ever be breached by an attacker. An even stronger mechanism, however, would never send a plaintext password to the server in the first place.

This article was originally published in the July 2018 issue of php[architect] magazine. To read the complete article, please subscribe or purchase the complete issue.
