WordPress Generate Password / Hash Password

A while back I had to migrate a legacy application’s user information into a WordPress MU application, transferring user accounts from the old platform to the new.

I needed to figure out a way to create 10,000+ WP users based on the old information. The old application stored the user passwords in clear/plain text, WP one-way encrypts passwords. Turns out its pretty easy to create the necessary data in wp_users and wp_usermeta, if you can figure out how to hash the password so WP understands everything.

The code below is a sort-of test harness that shows how to update an existing WP user and set their password to a known value.


# get the new user password
$password = 'foo';
# find the user's WP id (wp_users.ID)
$user_id = 1;

change_user_password($password, $user_id);

function change_user_password($password=false, $user_id)
    $wp_hasher = new PasswordHash(8, TRUE);    
    $password = $wp_hasher->HashPassword($password);
    if(is_numeric($user_id)) {
        $sql = "UPDATE wp_users SET user_pass = '$password' WHERE ID = $user_id LIMIT 1;";
        # then connect to the DB and execute mysql_query($sql)

19 thoughts on “WordPress Generate Password / Hash Password

  1. Thanks for your code. But it is changing when i refreshing the page.Then how could i compare it for user authentication?. Please explain…

    • @raja

      If the user supplies a password for authentication and you store it in $pass:

      $wp_hasher = new PasswordHash(8, TRUE);
      $password = $wp_hasher->HashPassword($pass);

      Then query the wp_users table to make sure that wp_users.user_pass== $password

  2. This script saved my skin. Thanks a bunch. I had to echo the hash and put it in manually in phpmyadmin but that is cause i didn’t uncomment the mysql_query till after I got the echo working…

    Thanks again

  3. I have a problem. I want to use this hash on Moodle. But when I use this:

    $wp_hasher = new PasswordHash(8, TRUE);
    $password = $wp_hasher->HashPassword($extpassword);

    It generates different hashes every time, so it can’t compare with the one on wp_users.

    Could you help me please?

  4. @Felipe it generates different hashed values each time but the internal wp authentication functions work nicely with it. Try it out. register a test user with a password ‘foo123’. Using the code above generate a hashed password for ‘bar456’. update the user’s wp password in the database via sql to the hashed value you created for ‘bar456’. Try logging in with ‘foo123’ and then with ‘bar456’. original password fails, second one works.

  5. Thanks for the anwser. Now I see that. But how can I compare a stored hash with a hash generated at a login attempt? I’m using this on my Moodle plugin:

    if($wp_hasher->CheckPassword($password, $(db user_pass))) return true;

    But this is not working.

  6. when i edit
    $wp_hasher = new PasswordHash(8, TRUE);
    $password2 = $wp_hasher->HashPassword($extpassword);

    echo “”;
    echo $wp_hasher;
    echo “”;
    echo $password2;

    i have this message

    Catchable fatal error: Object of class PasswordHash could not be converted to string in /public_html/site_test/test.php on line 33

  7. This seems like exactly what I need. But I’m a little confused as how to execute this.

    Here’s where I’m at:

    I’ve converted the table structure of the old databas to match wp_users. And like you, I have all the passwords as plain text.

    I’m a litttle confused where I run the script you wrote?

    Thanks in advace!

  8. @Berry

    (After you backup your database)

    If you want to hash all of the passwords in your new wp_users table so WP understands them you’ll want to do something along these lines:

    – Create an update php script that can SELECT and UPDATE your wp_users table.

    – Select all the users, move it into a PHP array, loop over the array and call the function once per row, passing in the ID and plain text password.

    HTH, good luck

  9. Hello,
    I Use this function wp_hash_password($pass) to encrypt plain password before comparing it with database one.

    It doesn’t seems to work… Md5 is also not working…

    Pls… Help me.

  10. What is the procedure to do the Password Authentication for Has Password.

    I need a real help, please od it for and its urgent.

  11. Hello,

    There was a simple way, just update the wp_users tables user_pass field with md5(plain_text), ie; md5() of the users password. When the user login to there wp account, the password in the database will get updated to a wp hashed form…
    I tried it for admin user only, about other (registered users), i dont know. Try it..
    No need to include any wp files and all.

    mysql_query(“UPDATE wp_users SET user_pass=MD5($plain_password)) WHERE ID=$user_id”);


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s