Encrypt WordPress User passwords using SQL rather than PHP?

  • Hi,

    I want to replicate the way WordPress encrypts a password for a new user (wp_user.user_pass) in WordPress 2.7.1.

    However, I want to encrypt the password in SQL code inserting into MySQL rather than through PHP. This is so that I can bypass the WordPress Admin/Dashboard section to create new users, instead creating new users through a SQL Insert statement into the WordPress MySQL database.

    I believe that WordPress 2.5+ onwards uses ‘Salted Passwords’ using the PasswordHash PHP class (https://www.openwall.com/phpass/) to store passwords. I have also found the mod_auth_mysql Apache module (https://modauthmysql.sourceforge.net/) but neither of these appear to have any SQL code directly or suit my problem exactly.

    Does anyone know how to encrypt passwords for new WordPress Users in a SQL INSERT or UPDATE statement that replicates the way WordPress encrypts passwords using PHP?

    Cheers,

Viewing 5 replies - 1 through 5 (of 5 total)

  • Hi,

    You can use md5() or AES_ENCRYPT function in your query to encrypt the password and store it..

    like:

    INSERT INTO usertable ( First_Name, Last_Name, Phone, BirthDate, Password ) VALUES ( '...', '...', '...', '......', AES_ENCRYPT ( 'mypassword', 'seSy78910' ) );

    Thanks,

    Shane G.

    Thread Starter renwickcentre

    (@renwickcentre)

    Hi Shane,

    I thought MD5 hashing for WordPress passwords was depracated and not recommended since 2.5?

    And if I do use AES_ENCRYPT how will WordPress know how to decrypt the password for each user if it doesn’t have the secret key (the ‘key_str’ parameter) that I pass to AES_ENCRYPT when I encrypt the password?

    Cheers,

    I am actually looking to do exactly the same thing as renwickcentre, and the md5 suggestion doesn’t work.

    I am still digging…

    I am using 2.8.4 and I was able to use MD5 to create a password. I was surprised since I too thought salting was needed.

    I used this code:

    UPDATE wp_users SET user_pass = MD5(‘THE_PASSWORD’) WHERE wp_users.user_login =’THE_USERNAME’ LIMIT 1;

    I was also able to insert a user into the table using similar code. But is also important to create an entry into the wp_usermeta table with the correct information. I simply use a query to copy from a working user record since I am too lazy to figure out all of the meaning behind the records:

    insert into wp_usermeta
    (
    user_id,
    meta_key,
    meta_value
    )
    select 3 as x, meta_key, meta_value
    from wp_usermeta
    where user_id=2

    Ya, I’m not sure why, but inserting the MD5 password via mysql doesn’t work.

    I did play around with using the wp_hash_password() function to try to hash the password, and I do get a hash that looks right, but I may be missing a piece of the puzzle, because I get multiple hashes for the same password.

    I know there is a random number used in the encryption process, but i’m not sure how that fits into the big picture.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Encrypt WordPress User passwords using SQL rather than PHP?’ is closed to new replies.