

Wordpress password system

Posted on 2011-09-23
Medium Priority
Last Modified: 2012-05-12
Hi guys,  

I have been asked by a client to migrate an existing website to Wordpress. The problem is that the old site used a custom method of hashing/salting passwords and as such, at present, no one can log in using the Wordpress system (which obviously has its own hashing system).

I came across this plugin which seems to convert the hashing system to md5 - is the best thing to alter it to my needs (in which case it seems that wp_check_password() and wp_hash_password() are the functions to change) -

Or any other plugins/ideas out there?

Thanks in advance
Question by:dosser

Expert Comment

ID: 36585894
The md5 is fine.

The problem is "the old site used a custom method" and unless you don't know which "custom method" of hashing, you will not be able to reuse the old passwords.

So even with md5 no one will be able to log in with their old password.
Everybody must change their password, or change the password using the old one. But this step is necessary.

Or you are lucky and the old one was md5 :-)


Author Comment

ID: 36585972
Thanks for the response. I do know what the old method was and so can replicate it, but I've discovered another problem. The old method used a combination of username and password, and generated a hash based on that (bit more complicated because of strrev and adding dates etc but that is the general idea). If it was just the password, I could drop the old method into wp_hash_password/wp_check_password but that only accepts ($password) as an argument (i.e. not $username as well which I would need). For changing the password once a user is already logged in, I can use the username variable from 'global $current_user'. But how can I get round it from a login or register perspective? I need some way to access the $_POST variables but don't want to have to go through the entirety of the wordpress changing each instance of wp_hash_password/wp_check_password

Author Comment

ID: 36586172
One easy way would be to be able to access $_POST variables in pluggable.php. Anyone know if that is possible?

LVL 70

Expert Comment

by:Jason C. Levine
ID: 36588281
>> I could drop the old method into wp_hash_password/wp_check_password but that only accepts ($password) as an argument (i.e. not
>> $username as well which I would need).

Couldn't you combine $password and $username outside of wp_hash_password() to a new variable and then push it through?

Also, if you can somehow get an MD5 version of the password, you can put that directly into the password field in wp-users and it will work...

Author Comment

ID: 36588340
Problem is that there are so many places the wp_hash_password is used that it is unrealistic to sift through the code and find them all, hence a way of grabbing the $_POST variables would be much easier
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36588621
Sorry, maybe I am misunderstanding what you are trying to do.  

My read of this is you only need to import your users into the wp-users table but preserving the password.  If you can create a hash of the password that wordpress will understand (either MD5 or using wp_hash_password()) you can then import your users straight into the wp-users tables and be done with it.  Correct me if I am misreading your need.

The following script is what I use (albeit when I get a new client they tended to not have hashed passwords), perhaps it gives you a starting point:

<?php
// Bootstrap WordPress so that $wpdb, wp_hash_password() and wp_insert_user() are available.
include 'wp-blog-header.php';
include 'wp-includes/registration.php';
include 'wp-includes/pluggable.php';
//ini_set("max_execution_time", "240");
global $wpdb;

echo "<h1>WordPress External User Import</h1>";

// MySQL connection string and query (mysqli_*, because the old mysql_* functions were removed in PHP 7)

$connection = mysqli_connect("servername", "username", "password") or die("Unable to connect to MySQL");
mysqli_select_db($connection, "database") or die("Unable to connect to the database");
$result = mysqli_query($connection, "SELECT * FROM tabletoimportfrom;") or die(mysqli_error($connection));

// Loop through the users

	while ($row = mysqli_fetch_object($result)) {
		// Escape each value before echoing it into the page
		echo "<strong>ID:</strong>".esc_html($row->id)." <strong>login:</strong>".esc_html($row->user_name)." <strong>password:</strong> ".esc_html($row->password)." <strong>e-mail:</strong>".esc_html($row->email_address)." <strong>name:</strong> ".esc_html($row->name)." <strong>surname:</strong> ".esc_html($row->surname)."<br/>";

/* Make sure you add an ID column to trick WP.  This is important to do.  Pick the next id from WP users and manually increment in the source table if you have to */

// Import to wp-users through $wpdb, so the query runs on the WordPress connection and the values are escaped

		$wpdb->insert($wpdb->users, array('ID' => $row->id, 'user_login' => $row->user_name)) or die($wpdb->last_error);

// Use internal WP function to flesh out the user record.

		$userdata = array(
		 'ID' => $row->id,
		 'user_login' => $row->user_name,
		 'user_pass' => wp_hash_password($row->password),
		 'user_nicename' => $row->name." ".$row->surname,
		 'user_email' => $row->email_address,
		 'first_name'  => $row->name,
		 'last_name'  => $row->surname,
		 'role' => 'subscriber'
		);
		wp_insert_user($userdata);
	}

// Clean up

mysqli_close($connection);


Author Comment

ID: 36588709
Sorry, not explaining myself very well. The old database of existing users already stores passwords as hashed values (i.e. not plain text). I have no way of retrieving the plain text versions. I now see that simply changing the method of the hash is easy (e.g. that MD5 plugin I initially quoted). The problem is the way the old system hashed its passwords - i.e. by combining username and password (and some other stuff) means that I need to get the username value of any $_POST form as well as the password. The method wp_hash_password only accepts one variable ($password) and I need both password and username to be passed. In a simple case, just combining both together (e.g. $password.$username) would be fine - but because of the complexity of Wordpress, there are lots and lots of places that I would need to combine these two. Hence, I wonder if there was a way to retrieve the $_POST variables from pluggable.php (where wp_check_password and wp_hash_password are found)
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36588948
>> In a simple case, just combining both together (e.g. $password.$username) would be fine - but because of the complexity of Wordpress,
>> there are lots and lots of places that I would need combine these two.

This is where I am not understanding the flow.  In theory, you only need to do it once...during the import to wp-users.  

Author Comment

ID: 36589099
Think of it this way - if my password was '$myPass', username was '$myUser' then the actual password string stored in the database is NOT $myPass but is more like md5($myPass.$myUser.$otherStuff) i.e. a long string (e.g. $hashPass)

Hence, to match $hashPass, I would need both $myPass and $myUser

Author Comment

ID: 36589135
And just to clarify, in the database, I have the contents of $myUser (which is the username) but NOT $myPass (the plain text password)
LVL 70

Accepted Solution

Jason C. Levine earned 2000 total points
ID: 36589234
I'm starting to wonder if your best course of action would be to write a plugin that continues to use the original custom hash and override wp_hash_password() and wp_get_password() completely...

However, you should be able to grab the values inside of pluggable.php.  So long as the forms are posted from within WordPress the variables should be available for use.  Where you get into trouble is dealing with forms posted outside of WordPress and trying to carry those variables in.

Author Closing Comment

ID: 36591047
Jason, have realised after much thought that I can actually get the variable info I need (from wp_check_password via $user_id). From that, I can successfully match the old hash type and then convert it to the proper wordpress one via matching the string length (as in the MD5 plugin above). Thanks for putting me on the right track, and will try out your code for the bulk importing above.
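
The approach from the closing comment (look up the username from $user_id, match the old hash, then convert the account to the WordPress hash), written out as an added example; it is not code from the thread or from the MD5 plugin it mentions. It hooks the `check_password` filter that `wp_check_password()` applies to its result instead of redefining the pluggable function, and `legacy_site_hash()`, its formula and the plugin name are hypothetical stand-ins for the old site's real scheme.

```php
<?php
/*
 * Plugin Name: Legacy Hash Login Bridge (added example)
 */

// HYPOTHETICAL legacy scheme: the thread only says the old site hashed
// password + username + "other stuff". Replace the body with the real formula.
function legacy_site_hash( $password, $username ) {
	return md5( $password . strrev( $username ) . 'constructed-site-constant' );
}

// wp_check_password() passes its result through the 'check_password' filter
// together with the stored hash and the user ID, so the username can be
// looked up here without reading $_POST or editing pluggable.php.
function legacy_hash_bridge( $check, $password, $hash, $user_id ) {
	// Core already accepted the password, or there is no user to look up.
	if ( $check || empty( $user_id ) ) {
		return $check;
	}

	// Imported hashes are 32 hex characters (MD5 length). WordPress's own
	// hashes are longer and carry a prefix, so they never reach this branch.
	if ( ! is_string( $hash ) || ! preg_match( '/^[0-9a-f]{32}$/i', $hash ) ) {
		return false;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return false;
	}

	// Constant-time comparison of the stored value with the recomputed one.
	$expected = legacy_site_hash( $password, $user->user_login );
	if ( ! hash_equals( strtolower( $hash ), $expected ) ) {
		return false;
	}

	// Correct password: replace the legacy hash with WordPress's own format
	// so this account never takes the legacy path again.
	wp_set_password( $password, $user_id );
	return true;
}
add_filter( 'check_password', 'legacy_hash_bridge', 10, 4 );
```

Accounts that never log in keep their legacy hash in wp-users, so a forced password reset for those accounts after a cut-off date removes the remaining legacy values.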
