Our current system ( not using WordPress ) has 1000s of users that we need to port over to WordPress. The problem we’re running into is that the passwords can’t stay the same.
In our current system the passwords are saved with:
md5( md5( $password ) . USER_SALT ); // USER_SALT is a defined constant
Not the best obviously, but not the worst…
We need to make these password hashes that we currently have work in WP as well. Is there a way we can run all new passwords through this setup first and then through WPs own hashing?
I know you can hook into the functions like:
function my_hash_password($password){
return md5( md5( $password ) . USER_SALT );
}
add_action('wp_hash_password', 'my_hash_password' );
For some reason that’s not fully working either.
Surely somebody else has already gone through this before.
Thanks.
EDIT !!!!
So far there is some confusion. I am NOT asking no un-hash the hashed password that we have. What I am saying is that with our current system the passwords look like:
Password: password
Hash function: md5( md5( $password ) . USER_SALT );
Output: d372f9c033e9c358b111ff265e080d3a
I want to ‘maybe’ be able to take the hash above and feed it to the native WP password hasher so that:
d372f9c033e9c358b111ff265e080d3a
becomes…
$P$BdrwxndTzgTVHUozGpQ9TEMYd6mpTw0
after it goes through their function.
Then when a user logs in we send their plain text password back through our function and then through WPs to get a match.
UPDATE !!!
So following the advice from rarst below I’ve done this:
function my_check_password($password, $hash, $user_id = '') {
global $wp_hasher;
if ( $hash == md5( md5( $password ) . USER_SALT ) ){
if ( $user_id ) {
$check = true;
wp_set_password($password, $user_id);
$hash = wp_hash_password($password);
}
return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}
// If the hash is still md5...
elseif ( strlen($hash) <= 32 ) {
$check = hash_equals( $hash, md5( $password ) );
if ( $check && $user_id ) {
// Rehash using new hash.
wp_set_password($password, $user_id);
$hash = wp_hash_password($password);
}
return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}
// If the stored hash is longer than an MD5, presume the
// new style phpass portable hash.
if ( empty($wp_hasher) ) {
require_once( ABSPATH . WPINC . '/class-phpass.php');
// By default, use the portable hash from phpass
$wp_hasher = new PasswordHash(8, true);
}
$check = $wp_hasher->CheckPassword($password, $hash);
/** This filter is documented in wp-includes/pluggable.php */
return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}
add_action('wp_check_password', 'my_check_password' );
But this is still not working. What am I missing?