New users cannot login since WP 5.2.2 update

  • Hi there,

    I use an external database and a script to create the new users in WordPress simply by updating the wp_user and wp_usermeta tables. This has been working fine for months.
    For some reason, and I guess this is since the WP 5.2.2 automatic updated has been applied, the new created users that way cannot login anymore.
    They get an error message saying that the password doesn’t corresponds to the id.
    The only way to get this password working is to remove it and add it again using the WP dashboard.
    What has been changed in WP 5.2.2 to cause this behaviour ?
    Any idea someone ?

    • This topic was modified 5 years, 5 months ago by xtenz.
    • This topic was modified 5 years, 5 months ago by xtenz.
    • This topic was modified 5 years, 5 months ago by xtenz.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator bcworkz

    (@bcworkz)

    It sounds like the saved password hash is not in the proper format anymore. I don’t know if the acceptable formats have changed or not. If a stored WP password works but one from your script does not, wrong hash format is about the only conclusion one can draw. How are you hashing passwords? Or if you are simply passing along the hash unchanged, how were those hashes derived?

    Thread Starter xtenz

    (@xtenz)

    Thank you for replying.
    Yes this is exactly what I found out.
    Before 5.2.2 I was passing only plain text to the wp_user password field and it was encrypted immediately when filled. I don’t know what was doing this encryption. May be the database or WP itself. I don’t know.
    But now it is not encrypted at all anymore (unless I push the button in the dashboard) and this is why it doesn’t work.
    Now my problem is that my front end database is Filemaker and I do not have any tool to generate the correct hash within Filemaker.

    • This reply was modified 5 years, 5 months ago by xtenz.
    Moderator bcworkz

    (@bcworkz)

    Passing plain text of course is insecure. It’s conceivable that allowing for that has stopped in a tightening of security measures. You should be able to save a simple md5 hash even though it’s not really the correct WP hash format. WP reformats it on first use. The password data is going to need to be hashed somewhere along the line. If not in Filemaker, then some intervening script. If your import script runs within WP, you could use wp_hash_password() to correctly hash passwords. If external to WP, using PHP’s md5() or mySQL’s MD5() should be adequate.

    Thread Starter xtenz

    (@xtenz)

    I know plain text is not secure. BTW MD5 seems to be stopped too in WP.
    Filemaker has a function that returns hash strings (MD5, MDC2, SHA, SHA1, SHA224, SHA256, SHA384, SHA512). I tried all and no one is understood be WP.
    I.E for the passsword : 57tyFT14
    The WP returned hash string is : $P$BjXWCNSrWJIsYILUAstFYSZDL2WzGU/
    The FMP MD5 returned hash string is : A3424BD55371BC510F167F61A6897E68
    I tried to encode into Base64 with no result.
    The only hash string that worked for me has been is a Bcrypt hash string that I generated on a website online.
    But I have no function in FMP to create Bcrypt hashes.
    My import script is a FMP script then running an additional external python script or something else from within FMP would be difficult without a plugin … if exists.

    Moderator bcworkz

    (@bcworkz)

    I cannot comment on processes external to WP, it’s outside of my knowledge base. I do know that when I save a password directly to the DB through phpMyAdmin and use the editor’s MD5 function in saving, that I can then log in using such a saved password. So MD5 is indeed recognized in some form.

    How is the data actually entered into the DB? If SQL is used, you should be able to do something like INSERT INTO wp_users (ID, user_login, user_pass) VALUES (33, 'test', MD5( '1234' ));

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘New users cannot login since WP 5.2.2 update’ is closed to new replies.