Still Able to Log In After Plugin Removed
-
Hey Carl – thanks for this excellent plugin. I will be including it in the iThemes Plugin Roundup tomorrow (May 7, 2018).
One issue: in the plugin description you state:
The plugin will take care of converting it the next time that you log in after installing the plugin. If you decide to remove the plugin, you won’t be able to log in again without resetting your password.
Under these conditions, I was able to log back in without an issue. Wondering if bcrypt is actually working then?
-
Heya Nathan! Thanks for the interest!
I actually had to look this up because you’re right that it still works. As a note, you can easily see if a password is bcrypt encrypted. It’ll always start with
$2y$.The reason why this still works is because WordPress uses the
cryptfunction to validate passwords. Since PHP 5.3.7, it can validate bcrypt passwords. So if you had a bcrypt encoded password on an older version of PHP, you wouldn’t be able to log in.That said, if you reset the password after removing the plugin, you’ll see that bcrypt isn’t used anymore. So it’s working as intended. But you can still login after removing the plugin.
Since the plugin requires PHP 5.3.7, the scenario that I describe in the readme won’t happen. So I’ll remove the section you highlighted from the README. It just won’t show up until I release a new version.
Thanks again! Going to bed a bit smarter tonight ??
- The topic ‘Still Able to Log In After Plugin Removed’ is closed to new replies.
