Wordpress password system

Posted on 2011-09-23
Last Modified: 2012-05-12
Hi guys,  

I have been asked by a client to migrate an existing website to WordPress. The problem is that the old site used a custom method of hashing/salting passwords and as such, at present, no-one can log in using the WordPress system (which obviously has its own hashing system).

I came across this plugin which seems to convert the hashing system to md5 - is the best thing to alter it to my needs (in which case it seems that wp_check_password() and wp_hash_password() are the functions to change)?

Or any other plugins/ideas out there?

Thanks in advance
Question by:dosser
Expert Comment

ID: 36585894
The md5 is fine.

The problem is "the old site used a custom method" and unless you don't know which "custom method" of hashing, you will not be able to reuse the old passwords.

So even with md5 no one will be able to log in with their old password.
Everybody must change their password, or change the password using the old one. But this step is necessary.

Or you are lucky and the old one was md5 :-)


Author Comment

ID: 36585972
Thanks for the response. I do know what the old method was and so can replicate it, but I've discovered another problem. The old method used a combination of username and password, and generated a hash based on that (bit more complicated because of strrev and adding dates etc but that is the general idea). If it was just the password, I could drop the old method into wp_hash_password/wp_check_password but that only accepts ($password) as an argument (i.e. not $username as well which I would need). For changing the password once a user is already logged in, I can use the username variable from 'global $current_user'. But how can I get round it from a login or register perspective? I need some way to access the $_POST variables but don't want to have to go through the entirety of WordPress changing each instance of wp_hash_password/wp_check_password.

Author Comment

ID: 36586172
One easy way would be to be able to access $_POST variables in pluggable.php. Anyone know if that is possible?

LVL 70

Expert Comment

by:Jason C. Levine
ID: 36588281
>> I could drop the old method into wp_hash_password/wp_check_password but that only accepts ($password) as an argument (i.e. not
>> $username as well which I would need).

Couldn't you combine $password and $username outside of wp_hash_password() to a new variable and then push it through?

Also, if you can somehow get an MD5 version of the password, you can put that directly into the password field in wp-users and it will work...

Author Comment

ID: 36588340
Problem is that there are so many places the wp_hash_password is used that it is unrealistic to sift through the code and find them all, hence a way of grabbing the $_POST variables would be much easier
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36588621
Sorry, maybe I am misunderstanding what you are trying to do.  

My read of this is you only need to import your users into the wp-users table but preserving the password.  If you can create a hash of the password that wordpress will understand (either MD5 or using wp_hash_password()) you can then import your users straight into the wp-users tables and be done with it.  Correct me if I am misreading your need.

The following script is what I use (albeit when I get a new client they tended to not have hashed passwords), perhaps it gives you a starting point:

<?php
// Bootstrap WordPress so $wpdb, wp_hash_password() and wp_insert_user() are available
include 'wp-blog-header.php';
include 'wp-includes/registration.php';
include 'wp-includes/pluggable.php';
//ini_set("max_execution_time", "240");
global $wpdb;

echo "<h1>WordPress External User Import</h1>";

// MySQL connection string and query (source database; mysqli replaces the removed mysql_* functions)

$connection = mysqli_connect("servername", "username", "password") or die("Unable to connect to MySQL");
mysqli_select_db($connection, "database") or die("Unable to connect to the database");
$result = mysqli_query($connection, "SELECT * FROM tabletoimportfrom;") or die(mysqli_error($connection));

// Loop through the users

	while ($row = mysqli_fetch_object($result)) {
		// Progress output; escaped because the imported values are untrusted
		echo "<strong>ID:</strong>".esc_html($row->id)." <strong>login:</strong>".esc_html($row->user_name)." <strong>password:</strong> ".esc_html($row->password)." <strong>e-mail:</strong>".esc_html($row->email_address)." <strong>name:</strong> ".esc_html($row->name)." <strong>surname:</strong> ".esc_html($row->surname)."<br/>";

/* Make sure you add an ID column to trick WP.  This is important to do.  Pick the next id from WP users and manually increment in the source table if you have to */

// Import to wp-users (through $wpdb, so the row goes to the WordPress database and the values are escaped)

		$wpdb->insert($wpdb->users, array('ID' => $row->id, 'user_login' => $row->user_name)) or die($wpdb->last_error);

// Use internal WP function to flesh out the user record.
// Because ID is set, wp_insert_user() treats this as an update and stores user_pass as given, so it is hashed here.

		$userdata = array(
		 'ID' => $row->id,
		 'user_login' => $row->user_name,
		 'user_pass' => wp_hash_password($row->password),
		 'user_nicename' => $row->name." ".$row->surname,
		 'user_email' => $row->email_address,
		 'first_name'  => $row->name,
		 'last_name'  => $row->surname,
		 'role' => 'subscriber'
		);
		wp_insert_user($userdata);
	}

// Clean up

mysqli_free_result($result);
mysqli_close($connection);


Author Comment

ID: 36588709
Sorry, not explaining myself very well. The old database of existing users already stores passwords as hashed values (i.e. not plain text). I have no way of retrieving the plain text versions. I now see that simply changing the method of the hash is easy (e.g. that MD5 plugin I initially quoted). The problem is the way the old system hashed its passwords - i.e. by combining username and password (and some other stuff) - means that I need to get the username value of any $_POST form as well as the password. The method wp_hash_password only accepts one variable ($password) and I need both password and username to be passed. In a simple case, just combining both together (e.g. $password.$username) would be fine - but because of the complexity of WordPress, there are lots and lots of places that I would need to combine these two. Hence, I wonder if there was a way to retrieve the $_POST variables from pluggable.php (where wp_check_password and wp_hash_password are found).
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36588948
>> In a simple case, just combining both together (e.g. $password.$username) would be fine - but because of the complexity of Wordpress,
>> there are lots and lots of places that I would need combine these two.

This is where I am not understanding the flow.  In theory, you only need to do it once...during the import to wp-users.  

Author Comment

ID: 36589099
Think of it this way - if my password was '$myPass', username was '$myUser' then the actual password string stored in the database is NOT $myPass but is more like md5($myPass.$myUser.$otherStuff) i.e. a long string (e.g. $hashPass)

Hence, to match $hashPass, I would need both $myPass and $myUser

Author Comment

ID: 36589135
And just to clarify, in the database, I have the contents of $myUser (which is the username) but NOT $myPass (the plain text password)
LVL 70

Accepted Solution

Jason C. Levine earned 500 total points
ID: 36589234
I'm starting to wonder if your best course of action would be to write a plugin that continues to use the original custom hash and override wp_hash_password() and wp_get_password() completely...

However, you should be able to grab the values inside of pluggable.php.  So long as the forms are posted from within WordPress the variables should be available for use.  Where you get into trouble is dealing with forms posted outside of WordPress and trying to carry those variables in.

Author Closing Comment

ID: 36591047
Jason, have realised after much thought that I can actually get the variable info I need (from wp_check_password via $user_id). From that, I can successfully match the old hash type and then convert it to the proper WordPress one via matching the string length (as in the MD5 plugin above). Thanks for putting me on the right track, and will try out your code for the bulk importing above.
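
The approach from the closing comment, sketched as an added example (not the poster's plugin and not WordPress core code): look up the username from `$user_id` during the password check, verify the imported legacy hash, and re-hash with WordPress's own scheme on the first successful login. It hooks the `check_password` filter rather than replacing the pluggable function; `legacy_site_hash()` is a hypothetical stand-in, since the thread never gives the old site's exact formula.

```php
<?php
/*
 * Plugin Name: Legacy hash bridge (added example)
 */

// HYPOTHETICAL stand-in for the old site's routine. The thread only says it
// mixes username and password (plus strrev, dates, etc.) into an md5-style
// string; replace the body with the real formula.
function legacy_site_hash( $password, $username ) {
    return md5( $password . $username );
}

// Runs after WordPress's own check. $hash is the value stored in user_pass.
function legacy_hash_bridge( $check, $password, $hash, $user_id ) {
    // Stock check already passed, or no user context to get a username from.
    if ( $check || empty( $user_id ) ) {
        return $check;
    }

    // Imported legacy values are 32 hex characters (assumed md5 output);
    // anything else is a native WordPress hash and is left to core.
    if ( ! is_string( $hash ) || 32 !== strlen( $hash ) || ! ctype_xdigit( $hash ) ) {
        return $check;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return $check;
    }

    // Constant-time comparison of the stored legacy hash with the recomputed one.
    $candidate = legacy_site_hash( $password, $user->user_login );
    if ( ! hash_equals( strtolower( $hash ), $candidate ) ) {
        return false;
    }

    // Match: store the password under WordPress's current hashing scheme so
    // the legacy hash is gone after this user's first successful login.
    wp_set_password( $password, $user_id );
    return true;
}
add_filter( 'check_password', 'legacy_hash_bridge', 10, 4 );
```

With this in place the old hashes can be imported into `user_pass` unchanged, and accounts that never log in again keep the legacy hash until they are reset.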

Question has a verified solution.
