WordPress password system

Hi guys,  

I have been asked by a client to migrate an existing website to WordPress. The problem is that the old site used a custom method of hashing/salting passwords and as such, at present, no one can log in using the WordPress system (which obviously has its own hashing system).

I came across this plugin which seems to convert the hashing system to md5 - is the best thing to alter it to my needs (in which case it seems that wp_check_password() and wp_hash_password() are the functions to change)?

Or any other plugins/ideas out there?

Thanks in advance
Jason C. Levine (No one) commented:
I'm starting to wonder if your best course of action would be to write a plugin that continues to use the original custom hash and override wp_hash_password() and wp_get_password() completely...

However, you should be able to grab the values inside of pluggable.php.  So long as the forms are posted from within WordPress the variables should be available for use.  Where you get into trouble is dealing with forms posted outside of WordPress and trying to carry those variables in.
The md5 is fine.

The problem is "the old site used a custom method" and unless you don't know which "custom method" of hashing, you will not be able to reuse the old passwords.

So even with md5 no one will be able to log in with their old password.
Everybody must change their password, or change the password using the old one. But this step is necessary.

Or you are lucky and the old one was md5 :-)

dosser (Author) commented:
Thanks for the response. I do know what the old method was and so can replicate it, but I've discovered another problem. The old method used a combination of username and password, and generated a hash based on that (bit more complicated because of strrev and adding dates etc. but that is the general idea). If it was just the password, I could drop the old method into wp_hash_password/wp_check_password but that only accepts ($password) as an argument (i.e. not $username as well which I would need). For changing the password once a user is already logged in, I can use the username variable from 'global $current_user'. But how can I get round it from a login or register perspective? I need some way to access the $_POST variables but don't want to have to go through the entirety of WordPress changing each instance of wp_hash_password/wp_check_password.
dosser (Author) commented:
One easy way would be to be able to access $_POST variables in pluggable.php. Anyone know if that is possible?
Jason C. Levine (No one) commented:
>> I could drop the old method into wp_hash_password/wp_check_password but that only accepts ($password) as an argument (i.e. not
>> $username as well which I would need).

Couldn't you combine $password and $username outside of wp_hash_password() to a new variable and then push it through?

Also, if you can somehow get an MD5 version of the password, you can put that directly into the password field in wp-users and it will work...
dosser (Author) commented:
Problem is that there are so many places the wp_hash_password is used that it is unrealistic to sift through the code and find them all, hence a way of grabbing the $_POST variables would be much easier
Jason C. Levine (No one) commented:
Sorry, maybe I am misunderstanding what you are trying to do.  

My read of this is you only need to import your users into the wp-users table but preserving the password.  If you can create a hash of the password that WordPress will understand (either MD5 or using wp_hash_password()) you can then import your users straight into the wp-users tables and be done with it.  Correct me if I am misreading your need.

The following script is what I use (albeit when I get a new client they tended to not have hashed passwords), perhaps it gives you a starting point:

<?php
include_once 'wp-blog-header.php';
include_once 'wp-includes/registration.php';
include_once 'wp-includes/pluggable.php';
//ini_set("max_execution_time", "240");
global $wpdb;

echo "<h1>WordPress External User Import</h1>";

// MySQL connection and query against the source (old site) database

$connection = mysqli_connect("servername", "username", "password") or die("Unable to connect to MySQL");
mysqli_select_db($connection, "database") or die("Unable to connect to the database");
$result = mysqli_query($connection, "SELECT * FROM tabletoimportfrom;") or die(mysqli_error($connection));

// Loop through the users

while ($row = mysqli_fetch_object($result)) {
	// Debug listing, escaped for HTML. It prints each password; drop that field when running on real data.
	echo "<strong>ID:</strong>".esc_html($row->id)." <strong>login:</strong>".esc_html($row->user_name)." <strong>password:</strong> ".esc_html($row->password)." <strong>e-mail:</strong>".esc_html($row->email_address)." <strong>name:</strong> ".esc_html($row->name)." <strong>surname:</strong> ".esc_html($row->surname)."<br/>";

	/* Make sure you add an ID column to trick WP.  This is important to do.  Pick the next id from WP users and manually increment in the source table if you have to */

	// Import to wp-users. Insert through $wpdb so the row goes to the
	// WordPress database and the values are escaped.

	$added = $wpdb->insert($wpdb->users, array('ID' => $row->id, 'user_login' => $row->user_name));
	if (false === $added) {
		die($wpdb->last_error);
	}

	// Use internal WP function to flesh out the user record.

	$userdata = array(
		'ID' => $row->id,
		'user_login' => $row->user_name,
		'user_pass' => wp_hash_password($row->password),
		'user_nicename' => $row->name." ".$row->surname,
		'user_email' => $row->email_address,
		'first_name'  => $row->name,
		'last_name'  => $row->surname,
		'role' => 'subscriber'
	);
	wp_insert_user($userdata);
}

// Clean up

mysqli_free_result($result);
mysqli_close($connection);

dosser (Author) commented:
Sorry, not explaining myself very well. The old database of existing users already stores passwords as hashed values (i.e. not plain text). I have no way of retrieving the plain text versions. I now see that simply changing the method of the hash is easy (e.g. that MD5 plugin I initially quoted). The problem is the way the old system hashed its passwords - i.e. by combining username and password (and some other stuff) - which means that I need to get the username value of any $_POST form as well as the password. The method wp_hash_password only accepts one variable ($password) and I need both password and username to be passed. In a simple case, just combining both together (e.g. $password.$username) would be fine - but because of the complexity of WordPress, there are lots and lots of places that I would need to combine these two. Hence, I wonder if there is a way to retrieve the $_POST variables from pluggable.php (where wp_check_password and wp_hash_password are found)?
Jason C. Levine (No one) commented:
>> In a simple case, just combining both together (e.g. $password.$username) would be fine - but because of the complexity of Wordpress,
>> there are lots and lots of places that I would need combine these two.

This is where I am not understanding the flow.  In theory, you only need to do it once...during the import to wp-users.  
dosser (Author) commented:
Think of it this way - if my password was '$myPass' and username was '$myUser', then the actual password string stored in the database is NOT $myPass but is more like md5($myPass.$myUser.$otherStuff), i.e. a long string (e.g. $hashPass)

Hence, to match $hashPass, I would need both $myPass and $myUser
dosser (Author) commented:
And just to clarify, in the database, I have the contents of $myUser (which is the username) but NOT $myPass (the plain text password)
dosser (Author) commented:
Jason, have realised after much thought that I can actually get the variable info I need (from wp_check_password via $user_id). From that, I can successfully match the old hash type and then convert it to the proper WordPress one via matching the string length (as in the MD5 plugin above). Thanks for putting me on the right track, and will try out your code for the bulk importing above.
Question has a verified solution.
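
The approach the thread settles on (use $user_id inside the password check to find the username, match the old hash, then store a WordPress hash) can also be done without editing pluggable.php, through the check_password filter that wp_check_password() applies to its result. This is an added example, not code from the thread or from the MD5 plugin it mentions; legacy_site_hash() and its formula are placeholders, since the page only describes the old scheme as roughly md5 of password, username and other data.

```php
<?php
/**
 * Plugin Name: Legacy hash upgrade (illustrative example)
 */

// ASSUMPTION: stand-in for the old site's scheme. The thread describes it only
// as md5($myPass.$myUser.$otherStuff); replace the body with the real formula.
function legacy_site_hash( $password, $username ) {
	return md5( $password . $username );
}

// Runs on the result of every wp_check_password() call.
function legacy_hash_check( $check, $password, $hash, $user_id ) {
	// Core already accepted the password, or the caller gave no user to look up.
	if ( $check || empty( $user_id ) ) {
		return $check;
	}

	// Imported legacy values are recognised by shape: 32 hex characters.
	if ( 32 !== strlen( $hash ) || ! ctype_xdigit( $hash ) ) {
		return $check;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return $check;
	}

	// Constant-time comparison of the stored value with the recomputed one.
	$expected = legacy_site_hash( $password, $user->user_login );
	if ( ! hash_equals( strtolower( $hash ), $expected ) ) {
		return false;
	}

	// The plain-text password is only available at this moment, so replace
	// the legacy value with a WordPress hash now; later logins skip this path.
	wp_set_password( $password, $user_id );
	return true;
}
add_filter( 'check_password', 'legacy_hash_check', 10, 4 );
```

Accounts that never log in keep their legacy hash, so it is worth tracking how many 32-character values remain in the users table and forcing a reset for those after a cut-off date.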
