Geek Answers Handbook

How do you import members from another system into Wordpress and update passwords to make them work?

Our current system (not using Wordpress) has 1000 users that we need to transfer to Wordpress. The problem we are facing is that passwords cannot remain the same.

In our current system, passwords are saved using:

md5( md5( $password ) . USER_SALT ); // USER_SALT is a defined constant

Not the best, but not the worst ...

We need to make these password hashes that we are currently working in WP. Is there a way to start all new passwords using this setting, and then through WP's own hashing?

I know that you can connect to the following functions:

 function my_hash_password($password){ return md5( md5( $password ) . USER_SALT ); } add_action('wp_hash_password', 'my_hash_password' );

For some reason this does not fully work.

Of course, someone else has already gone through this before.

Thanks.

CHANGE !!!!

There is still some confusion. I DO NOT ask not to hashed the hashed password that we have. I say that with our current system, passwords look like this:

 Password: password Hash function: md5( md5( $password ) . USER_SALT ); Output: d372f9c033e9c358b111ff265e080d3a

I want to "possibly" be able to take the hash above and pass it to my own WP WP hash, so that:

 d372f9c033e9c358b111ff265e080d3a

becomes ...

 $P$BdrwxndTzgTVHUozGpQ9TEMYd6mpTw0

after he fulfills his function.

Then, when the user logs in, we send our plain text password back through our function, and then through WP to get the match.

////////////////////////

UPDATE !!!

///////////////////////

Trying to override the wp_check_password function that connects to WP, but for some reason it does not work.

 function my_check_password($password, $hash, $user_id = '') { global $wp_hasher; if ( $hash == md5( md5( $password ) . USER_SALT ) ){ if ( $user_id ) { $check = true; wp_set_password($password, $user_id); $hash = wp_hash_password($password); } return apply_filters( 'check_password', $check, $password, $hash, $user_id ); } // If the hash is still md5... elseif ( strlen($hash) <= 32 ) { $check = hash_equals( $hash, md5( $password ) ); if ( $check && $user_id ) { // Rehash using new hash. wp_set_password($password, $user_id); $hash = wp_hash_password($password); } return apply_filters( 'check_password', $check, $password, $hash, $user_id ); } // If the stored hash is longer than an MD5, presume the // new style phpass portable hash. if ( empty($wp_hasher) ) { require_once( ABSPATH . WPINC . '/class-phpass.php'); // By default, use the portable hash from phpass $wp_hasher = new PasswordHash(8, true); } $check = $wp_hasher->CheckPassword($password, $hash); /** This filter is documented in wp-includes/pluggable.php */ return apply_filters( 'check_password', $check, $password, $hash, $user_id ); } add_action('wp_check_password', 'my_check_password' );

Does anyone have any ideas?

+5
source share
4 answers

The easiest way to do this is to create a plugin. You cannot completely redefine a WP function without creating a plugin with functionality. Functions that you can completely override are in the "pluggable.php" file. Which should be self-evident that you need to create a β€œplugin” to override them.

All I had to do was create a simple plugin:

  • Add directory to plugins: / plugins / my-password-updater

  • Add the plugin file:

     /* Plugin Name: My Password Updater Plugin URI: Your Website Description: Checks both new and old passwords and updates old passwords Version: 0.0.1 Author: Your Name Author URI: License: */ if( ! function_exists( 'wp_check_password' ) ){ function wp_check_password($password, $hash, $user_id = '') { global $wp_hasher; // Put whatever code from your old password hash check here // In my case it was the following... if ( $hash == md5( md5( $password ) . 'MY USER SALT' ) ){ if ( $user_id ) { $check = true; wp_set_password($password, $user_id); $hash = wp_hash_password($password); } return apply_filters( 'check_password', $check, $password, $hash, $user_id ); } // The code below is from the original function elseif ( strlen($hash) <= 32 ) { $check = hash_equals( $hash, md5( $password ) ); if ( $check && $user_id ) { wp_set_password($password, $user_id); $hash = wp_hash_password($password); } return apply_filters( 'check_password', $check, $password, $hash, $user_id ); } if ( empty($wp_hasher) ) { require_once( ABSPATH . WPINC . '/class-phpass.php'); $wp_hasher = new PasswordHash(8, true); } $check = $wp_hasher->CheckPassword($password, $hash); return apply_filters( 'check_password', $check, $password, $hash, $user_id ); } }
+1
source

This is not verified, so I can’t be sure that it will work, but if USER_SALT is the same constant as you showed above, you should leave this as a plugin on your site, and users should be able to verify the use of either the old hash , or the default wordpress hash. Remember to set up OLD_SALT.

 <? /* Plugin Name: Dual Password Checker Plugin URI: http://tapy.com Description: Checks passwords both with the wordpress hash and your old has Version: 0.0.1 Author: tapy.com Author URI: http://tapy.com License: keep copyright in tact please */ require_once(ABSPATH . 'wp-includes/class-phpass.php'); class PasswordHashCustom extends PasswordHash{ function CheckPassword($password, $stored_hash){ return parent::CheckPassword($password, $stored_hash) || md5(md5($password) . '56789') === $stored_hash; } } $wp_hasher = new PasswordHashCustom(8, TRUE); ?>
+1
source

I have not tested this, but in inc / wp-phpass.php in the wordpress directory

 function crypt_private($password, $setting) { $output = '*0'; if (substr($setting, 0, 2) == $output) $output = '*1'; $id = substr($setting, 0, 3); # We use "$P$", phpBB3 uses "$H$" for the same thing if ($id != '$P$' && $id != '$H$') return $output; $count_log2 = strpos($this->itoa64, $setting[3]); if ($count_log2 < 7 || $count_log2 > 30) return $output; $count = 1 << $count_log2; $salt = substr($setting, 4, 8); if (strlen($salt) != 8) return $output; # We're kind of forced to use MD5 here since it the only # cryptographic primitive available in all versions of PHP # currently in use. To implement our own low-level crypto # in PHP would result in much worse performance and # consequently in lower iteration counts and hashes that are # quicker to crack (by non-PHP code). if (PHP_VERSION >= '5') { $hash = md5($salt . $password, TRUE); do { $hash = md5($hash . $password, TRUE); } while (--$count); } else { $hash = pack('H*', md5($salt . $password)); do { $hash = pack('H*', md5($hash . $password)); } while (--$count); } $output = substr($setting, 0, 12); $output .= $this->encode64($hash, 16); return $output; }

since you can see that they use simple md5 for the password, you can change this to your own logic, CAUTION! you have to manually change this every time WordPress updates this file: / Not the best solution, but I hope this helps you

+1
source

Using check_filter should work. Here I wrote to import PBKDF2 SHA256 hashes in the format that Django uses:

 add_filter( 'check_password', function( $check, $password, $hash, $user_id ) { /* Just to be safe, since I'm not a security expert, I don't want the * Django hash fallback to work for administrators. They will need to * reset their password the normal way. */ $user = get_userdata( $user_id ); if ( empty( $user ) || in_array( 'administrator', $user->roles ) ) { return $check; } /* * Example Django hash for password "school bus": * * pbkdf2_sha256$100000$BbirbJq1C1G7$IcYmssO2bsILHcTCzLxPs/YmVGNmKb3cSt2JWzVzP2I= * */ $rv = preg_match( '/^pbkdf2_sha256\$([0-9]+)\$(.+)\$(.+)$/', $hash, $matches ); if ($rv === 1) { $iterations = intval( $matches[1] ); $salt = $matches[2]; $expected_base64_hash = $matches[3]; $got_base64_hash = base64_encode( hash_pbkdf2( "sha256", $password, $salt, $iterations, 0, true ) ); if ( $expected_base64_hash === $got_base64_hash ) { /* Save the password in WordPress default format, so that we * can turn this plugin off some day. */ wp_set_password( $password, $user_id ); return true; } else { return false; } } elseif ( $rv === 0 ) { return $check; } else { error_log( "An error occurred with the regex in " . __FUNCTION__ . " " . __FILE__ ); return $check; } }, 10, 4 );
0
source

More articles:


All Articles