Solved

Wordpress password system

Posted on 2011-09-23
Last Modified: 2012-05-12
Hi guys,  

I have been asked by a client to migrate an existing website to WordPress. The problem is that the old site used a custom method of hashing/salting passwords and as such, at present, no one can log in using the WordPress system (which obviously has its own hashing system).

I came across this plugin, which seems to convert the hashing system to MD5. Is the best thing to alter it to my needs (in which case it seems that wp_check_password() and wp_hash_password() are the functions to change)?
http://wordpress.org/extend/plugins/md5-password-hashes/

Or any other plugins/ideas out there?

Thanks in advance
Question by:dosser
12 Comments
 
LVL 9

Expert Comment

by:oheil
ID: 36585894
The md5 is fine.

The problem is "the old site used a custom method", and unless you know which "custom method" of hashing was used, you will not be able to reuse the old passwords.

So even with md5 no one will be able to log in with their old password.
Everybody must change their password, or change it using the old one. But this step is necessary.

Or you are lucky and the old one was md5 :-)

Oli
0
 

Author Comment

by:dosser
ID: 36585972
Thanks for the response. I do know what the old method was and so can replicate it, but I've discovered another problem. The old method used a combination of username and password, and generated a hash based on that (a bit more complicated because of strrev and adding dates etc., but that is the general idea). If it was just the password, I could drop the old method into wp_hash_password/wp_check_password, but that only accepts ($password) as an argument (i.e. not $username as well, which I would need). For changing the password once a user is already logged in, I can use the username variable from 'global $current_user'. But how can I get round it from a login or register perspective? I need some way to access the $_POST variables but don't want to have to go through the entirety of WordPress changing each instance of wp_hash_password/wp_check_password.
0
 

Author Comment

by:dosser
ID: 36586172
One easy way would be to be able to access $_POST variables in pluggable.php. Anyone know if that is possible?
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36588281
>> I could drop the old method into wp_hash_password/wp_check_password but that only accepts ($password) as an argument (i.e. not
>> $username as well which I would need).

Couldn't you combine $password and $username outside of wp_hash_password() to a new variable and then push it through?

Also, if you can somehow get an MD5 version of the password, you can put that directly into the password field in wp-users and it will work...
0
 

Author Comment

by:dosser
ID: 36588340
Problem is that there are so many places wp_hash_password is used that it is unrealistic to sift through the code and find them all, hence a way of grabbing the $_POST variables would be much easier.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36588621
Sorry, maybe I am misunderstanding what you are trying to do.  

My read of this is you only need to import your users into the wp-users table while preserving the password.  If you can create a hash of the password that WordPress will understand (either MD5 or using wp_hash_password()) you can then import your users straight into the wp-users table and be done with it.  Correct me if I am misreading your need.

The following script is what I use (albeit when I get a new client they tended to not have hashed passwords), perhaps it gives you a starting point:

<?php
// Bootstrap WordPress so $wpdb, wp_hash_password() and wp_insert_user() are available.
include 'wp-blog-header.php';
include 'wp-includes/registration.php';
include 'wp-includes/pluggable.php';
//ini_set("memory_limit","1024M");
//ini_set("max_execution_time", "240");
global $wpdb;
?>

<h1>WordPress External User Import</h1>

<?php
// Connection to the source (non-WordPress) database and the query against it.
// mysqli replaces the mysql_* functions, which were removed in PHP 7.

$connection = mysqli_connect("servername", "username", "password", "database") or die("Unable to connect to MySQL");
$result = mysqli_query($connection, "SELECT * FROM tabletoimportfrom;") or die(mysqli_error($connection));

// Loop through the users

	while ($row = mysqli_fetch_object($result)) {
		// Progress output: values are HTML-escaped and the password is not printed.
		echo "<strong>ID:</strong>".esc_html($row->id)." <strong>login:</strong>".esc_html($row->user_name)." <strong>e-mail:</strong>".esc_html($row->email_address)." <strong>name:</strong> ".esc_html($row->name)." <strong>surname:</strong> ".esc_html($row->surname)."<br/>";

/* Make sure you add an ID column to trick WP.  This is important to do.  Pick the next id from WP users and manually increment in the source table if you have to */

// Import to wp-users through $wpdb, so the row goes to the WordPress database
// (not the source connection) and the values are escaped.

		$wpdb->insert($wpdb->users, array('ID' => $row->id, 'user_login' => $row->user_name)) or die(esc_html($wpdb->last_error));


// Use internal WP function to flesh out the user record.
// Because the ID already exists, wp_insert_user() updates the row and stores user_pass as given.

		$userdata = array(
		 'ID' => $row->id,
		 'user_login' => $row->user_name,
		 'user_pass' => wp_hash_password($row->password),
		 'user_nicename' => $row->name." ".$row->surname,
		 'user_email' => $row->email_address,
		 'first_name'  => $row->name,
		 'last_name'  => $row->surname,
		 'role' => 'subscriber'
		);
		wp_insert_user($userdata) ;
	}

// Clean up

mysqli_close($connection);
?>


0

 

Author Comment

by:dosser
ID: 36588709
Sorry, not explaining myself very well. The old database of existing users already stores passwords as hashed values (i.e. not plain text). I have no way of retrieving the plain text versions. I now see that simply changing the method of the hash is easy (e.g. that MD5 plugin I initially quoted). The problem is the way the old system hashed its passwords, i.e. by combining username and password (and some other stuff), which means that I need to get the username value of any $_POST form as well as the password. The method wp_hash_password only accepts one variable ($password) and I need both password and username to be passed. In a simple case, just combining both together (e.g. $password.$username) would be fine, but because of the complexity of WordPress, there are lots and lots of places where I would need to combine these two. Hence, I wonder if there is a way to retrieve the $_POST variables from pluggable.php (where wp_check_password and wp_hash_password are found).
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36588948
>> In a simple case, just combining both together (e.g. $password.$username) would be fine - but because of the complexity of Wordpress,
>> there are lots and lots of places that I would need combine these two.

This is where I am not understanding the flow.  In theory, you only need to do it once...during the import to wp-users.  
0
 

Author Comment

by:dosser
ID: 36589099
Think of it this way: if my password was '$myPass' and my username was '$myUser', then the actual password string stored in the database is NOT $myPass but is more like md5($myPass.$myUser.$otherStuff), i.e. a long string (e.g. $hashPass).

Hence, to match $hashPass, I would need both $myPass and $myUser
0
 

Author Comment

by:dosser
ID: 36589135
And just to clarify, in the database, I have the contents of $myUser (which is the username) but NOT $myPass (the plain text password)
0
 
LVL 70

Accepted Solution

by:
Jason C. Levine earned 500 total points
ID: 36589234
I'm starting to wonder if your best course of action would be to write a plugin that continues to use the original custom hash and override wp_hash_password() and wp_get_password() completely...

However, you should be able to grab the values inside of pluggable.php.  So long as the forms are posted from within WordPress the variables should be available for use.  Where you get into trouble is dealing with forms posted outside of WordPress and trying to carry those variables in.
0
 

Author Closing Comment

by:dosser
ID: 36591047
Jason, have realised after much thought that I can actually get the variable info I need (from wp_check_password via $user_id). From that, I can successfully match the old hash type and then convert it to the proper WordPress one via matching the string length (as in the MD5 plugin above). Thanks for putting me on the right track, and will try out your code for the bulk importing above.
0
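
The approach the thread converges on (look up the username from $user_id, verify the old hash, then store a WordPress hash in its place), as an added example that is not code from the thread or from the MD5 plugin. It assumes the old 32-character hashes were imported unchanged into user_pass, hooks the `check_password` filter that wp_check_password() applies to its result instead of editing pluggable.php, and uses the hypothetical names `LEGACY_OTHER_STUFF`, `legacy_site_hash()`, `legacy_hash_matches()` and `legacy_check_password()`; the real old scheme (strrev, dates and so on) has to be copied from the old code base.

```php
<?php
/* Plugin Name: Legacy Hash Migration (added example) */

// Hypothetical stand-in for "$otherStuff" in the thread; the real value and
// the exact steps of the old scheme must be taken from the old site's code.
define('LEGACY_OTHER_STUFF', 'replace-with-old-site-value');

function legacy_site_hash($password, $username) {
    // Shape given in the thread: md5($myPass . $myUser . $otherStuff)
    return md5($password . $username . LEGACY_OTHER_STUFF);
}

// True only for an imported 32-character hex hash that matches the old scheme.
function legacy_hash_matches($password, $stored_hash, $username) {
    if (!preg_match('/^[0-9a-f]{32}$/i', $stored_hash)) {
        return false; // already a WordPress hash, or not a legacy value
    }
    // hash_equals() compares in constant time.
    return hash_equals(strtolower($stored_hash), legacy_site_hash($password, $username));
}

// Receives the result of wp_check_password(); acts only when core's check failed.
function legacy_check_password($check, $password, $hash, $user_id) {
    if ($check || empty($user_id)) {
        return $check;
    }
    $user = get_userdata($user_id);
    if (!$user || !legacy_hash_matches($password, $hash, $user->user_login)) {
        return false;
    }
    // Correct password under the old scheme: overwrite the stored value with
    // a WordPress hash so the legacy hash disappears after this login.
    wp_set_password($password, $user_id);
    return true;
}

if (function_exists('add_filter')) {
    add_filter('check_password', 'legacy_check_password', 10, 4);
} else {
    // Run outside WordPress: constructed sample values exercise the check.
    $stored = legacy_site_hash('correct horse', 'alice');
    var_dump(legacy_hash_matches('correct horse', $stored, 'alice'));
    var_dump(legacy_hash_matches('wrong guess', $stored, 'alice'));
    var_dump(legacy_hash_matches('correct horse', '$P$Bconstructed', 'alice'));
}
```

Accounts that never log in again keep the weak legacy hash, so after a cut-off date the remaining 32-character values in user_pass should be invalidated and those users sent through password reset.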
