diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example
index 837d51e6a..e6c8d11b6 100644
--- a/docs/conf/modules.conf.example
+++ b/docs/conf/modules.conf.example
@@ -1748,6 +1748,9 @@
 #
 # Generate hashes using the /MKPASSWD command on the server.
 # Don't run it on a server you don't trust with your password.
+#
+# You can also make the MKPASSWD command oper only by uncommenting this:
+#<mkpasswd operonly="yes">
 
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
 # PBKDF2 module: Allows other modules to generate PBKDF2 hashes,
diff --git a/src/modules/m_password_hash.cpp b/src/modules/m_password_hash.cpp
index 814c33512..86611d908 100644
--- a/src/modules/m_password_hash.cpp
+++ b/src/modules/m_password_hash.cpp
@@ -88,6 +88,12 @@ class ModulePasswordHash : public Module
 	{
 	}
 
+	void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
+	{
+		ConfigTag* tag = ServerInstance->Config->ConfValue("mkpasswd");
+		cmd.flags_needed = tag->getBool("operonly") ? 'o' : 0;
+	}
+
 	ModResult OnPassCompare(Extensible* ex, const std::string &data, const std::string &input, const std::string &hashtype) CXX11_OVERRIDE
 	{
 		if (!hashtype.compare(0, 5, "hmac-", 5))