Password encryption issue with Migration of WordPress site to Wappler

I am rebuilding a WordPress site from scratch using Wappler, and eventually I need the existing WordPress users to be able to log in with their same credentials. But I’m not really well versed in this area.

WordPress uses an encryption method called the “Portable PHP password hashing framework”, at least according to this topic.

http://scriptserver.mainframe8.com/wordpress_password_hasher.php

Is this method available as a decryption method in Wappler? If not, how does anyone suggest setting this up?

Thank you for borrowing your brains!

This may not solve your question, but in past cases porting users to a different platform has involved me transferring all user data over to the new database and then running a bulk update to set the user password field to a random string.

When they next log in, their password is shown as incorrect and they are asked to change their password, usually through the standard password reset function. The new password is then saved to the new database.

I am transparent with the user in that their data is being moved to a new platform and that their previous password is not retrievable. This also proves a point that you are securely storing user passwords in the database.

4 Likes

WordPress also uses a salt in the password encryption so I tend to do the same as @max_gb. I’ll put a message on the login screen saying all passwords have been reset and linking them to a reset password page where they enter their email address and get a new one sent to them, or a link where they can set their own.

1 Like

If I recall correctly, WordPress uses MD5 encryption (which is not terribly secure).

The salts can be found in the wp-config.php file in the root directory of your installation. You will see something like this:

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'LA4pEuC6IWcV9EjAyzi3FCyXBUeKURhPi3wbMcD5RHv4jBZFXWbb2km7FtydjLV3');
define('SECURE_AUTH_KEY',  '2UL3b5e0sFgefRtHW40K2jcg3kTshdRvNhV8mRES3twA00U57qKCrF6c0GIGmQ1S');
define('LOGGED_IN_KEY',    'pGBxMNbsVGq8NvHxNRthhyeFXgONMjLFunOC9nNKAz7UxLIpE87zE6FtrpjH6m0X');
define('NONCE_KEY',        'L9TjZqlA0vRJNLpy5o43uckmiumgQ2Awyzb2EOb32Zq08bOTvBTqmVjxidmm9eUd');
define('AUTH_SALT',        '7al1GNnKsVMkTQZa1T08Y0QqJPnEx6RqGSZtfnlxlZehFAoNnlpomeTtRTYiDnP8');
define('SECURE_AUTH_SALT', 'w9wRLYZvPqY7t1Oxd6ylpRmPPon9aMOMSOD0GuiZFbd20QsrxER5HkO6cNNj2zYn');
define('LOGGED_IN_SALT',   'iqzHyAgX98Zed0A6qyxtwxGvV2PImFgtEgV32xQr2mHBscYoq0aiGRHHDJEBWmXb');
define('NONCE_SALT',       'eYvJ2L5yv3we9xJXeMEkiH1EdXf51bUPWO9Iy0aggdXab1hrTkXtFGTv8kmzFEcr');

I have never actually tried to do what you are looking to do, but I'm sure it won't be too difficult to work out which salt to use and when.

1 Like

WordPress can store passwords in different ways. In the early versions it was simply md5, and since 2.5 they started using the Portable PHP password hashing framework (phpass). It is also possible to have better encryption using plugins.

If it uses the default phpass hashing, then the string starts with $P$. You could create a custom formatter which can verify these passwords and, after a user has logged in with one, store the password with a new encryption.

1 Like
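
The verify-then-rehash approach from the post above, as an added example (not code from this thread, Wappler or WordPress): it recomputes a `$P$` phpass portable hash in Node.js and, when a legacy hash verifies, returns a replacement hash to store. The function names and the `scrypt$<salt>$<key>` storage format are assumptions chosen for illustration.

```javascript
const crypto = require('crypto');
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
// Known phpass test vector for the password "test12345", used here as sample input.
const SAMPLE = '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0';

// phpass's own base64 variant: 6-bit groups taken low bits first, no padding.
function encode64(buf, count) {
  let out = '', i = 0;
  do {
    let value = buf[i++];
    out += ITOA64[value & 0x3f];
    if (i < count) value |= buf[i] << 8;
    out += ITOA64[(value >> 6) & 0x3f];
    if (i++ >= count) break;
    if (i < count) value |= buf[i] << 16;
    out += ITOA64[(value >> 12) & 0x3f];
    if (i++ >= count) break;
    out += ITOA64[(value >> 18) & 0x3f];
  } while (i < count);
  return out;
}

// Recompute a portable hash from the cost character and salt embedded in the stored value.
function phpassCrypt(password, stored) {
  const log2 = ITOA64.indexOf(stored[3]);
  if (!/^\$[PH]\$/.test(stored) || stored.length !== 34 || log2 < 7 || log2 > 30) return null;
  const pw = Buffer.from(password, 'utf8');
  const md5 = (a, b) => crypto.createHash('md5').update(a).update(b).digest();
  let hash = md5(Buffer.from(stored.slice(4, 12), 'latin1'), pw);
  for (let n = 2 ** log2; n > 0; n--) hash = md5(hash, pw);
  return stored.slice(0, 12) + encode64(hash, 16);
}
// Replacement hash; the "scrypt$<saltHex>$<keyHex>" layout is an assumption of this example.
function hashModern(password, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(password, salt, 32);
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}
const safeEqual = (a, b) => Buffer.byteLength(a) === Buffer.byteLength(b) && crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));

// Returns { ok, rehash }; rehash is non-null only when a legacy phpass hash just verified.
function verifyLogin(password, stored) {
  if (stored.startsWith('scrypt$')) {
    const salt = Buffer.from(stored.split('$')[1], 'hex');
    return { ok: safeEqual(hashModern(password, salt), stored), rehash: null };
  }
  const legacy = phpassCrypt(password, stored);
  const ok = legacy !== null && safeEqual(legacy, stored);
  return { ok, rehash: ok ? hashModern(password) : null };
}
```

When `rehash` is non-null, write it to the user's password column in the same request, so each account leaves the MD5-based format the first time its owner logs in.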

I’ve found using a WordPress password outside of WordPress is a real pain so just go for the ‘reset password’ option when migrating from WordPress.