5

I need to insert users into a Wordpress blog via a PHP script or MySQL, and I have a plain text password. I thought I could do something like this:

$query = "INSERT INTO $new_db.wp_users (user_login, user_pass, user_nicename)
select user_email, md5(user_password), user_name from $source_db.users";

But the passwords all look different from what the Wordpress passwords look like now. All the passwords all start with $P$B

From reading it says there is a salt... is there a way to take a password like test123 and turn it into the encrypted password that Wordpress expects?

Jonah
  • 9,991
  • 5
  • 45
  • 79
Matt Elhotiby
  • 43,028
  • 85
  • 218
  • 321
  • Have you looking inside the WordPress code to see how *they* encrypt the passwords? – John Parker Jan 20 '11 at 17:26
  • `$P$` prefix signals portable hash, in Wordpress historically (after MD5, not to be used at all for password hashing any longer) Phpass: http://www.openwall.com/phpass/ – hakre May 26 '18 at 21:05

5 Answers5

5

The most sensible solution would simply be to use the relevant WordPress function (wp_generate_password) itself.

However, if this isn't an option, you could simply extract the wp_generate_password function (it's in /wp-includes/pluggable.php) and relevant support functions.

John Parker
  • 54,048
  • 11
  • 129
  • 129
1

The easiest way to create the password is ...

  1. to use any rubbish as entry in the MySQL table for user_pass, but a correct email.
  2. Use the "forgot password" function in the login panel to generate a correct password (or activate this link automatically to notify the user).

Don't forget to copy a "wp_capabilities" and a "wp_user_level" from another account.

cat
  • 2,871
  • 1
  • 23
  • 28
1

Wordpress uses phpass hashing, which is different from MD5.

Alan Haggai Alavi
  • 72,802
  • 19
  • 102
  • 127
  • 1
    From the wp-includes/class-phpass.php file: # We're kind of forced to use MD5 here since it's the only # cryptographic primitive available in all versions of PHP # currently in use. To implement our own low-level crypto # in PHP would result in much worse performance and # consequently in lower iteration counts and hashes that are # quicker to crack (by non-PHP code). – Ivan Oct 30 '12 at 03:34
-1

This function will do what you described to transform the password:

<?
function encrypt_for_wordpress($plain_text_password) {
    return md5("\$P\$B" . $plain_text_password);
}

You'll need to select it from source_db, transform it in PHP, then insert it into new_db.

Kyle Wild
  • 8,845
  • 2
  • 36
  • 36
-1

WordPress used to use MD5 passwords, and still can. Setting the passwords as MD5 hashes should work fine. As each user logs in for the first time, WordPress will rehash their password based on the stronger security it now uses.

TRiG
  • 10,148
  • 7
  • 57
  • 107
  • This sounds more a comment (to one of the historic answers or the question) than a necro-bumping answer - but most not. just my 2 cents. – hakre May 26 '18 at 21:06
  • The OP knows how to create MD5 hashed passwords, but is concerned that they won't work because they don't look like WordPress passwords usually look. I am assuring him that they will work. I think that this answers their question. (On which answer did you think I was trying to comment?) – TRiG May 27 '18 at 12:05
  • When as comment, then perhaps for the accepted answer, so to hint MD5 still works (or even below the OP directly). And thanks for the OPsplaining, helped to see your reception laid out. Thanks for that, really appreceated. I personally really was more concerned about the time when this was asked, so just in case that was not so clear. – hakre May 27 '18 at 19:28