I am currently moving from a custom platform to WordPress.
I don't believe there is any way to migrate passwords from our current site due to encryption.
Users will be emailed to reset their password once we launch the new site, but from past data, I know a majority of users will ignore this email.
My thought was to trigger the password reset automatically when the user tries to log in. I was going to use the "Expire Passwords" plugin, but it seems that you need to enter your correct password for the reset password action to trigger.
Any suggestions on how to solve this problem? Thank you for your time and help. Cheers
asked May 22, 2019 at 21:53 by Luck; edited May 22, 2019 at 22:14 by butlerblog
- Have you considered flagging all users with a user meta value that tells them to check their email when they try to log in, then clearing that when they reset their password? Keep in mind that 3rd party plugins such as the expire passwords plugin are off-topic here and could result in your question being closed as off-topic – Tom J Nowell ♦ Commented May 23, 2019 at 0:16
- How does the current custom platform hash the passwords? Is it a PHP application that uses the native password_hash() function? – Derek Held Commented May 23, 2019 at 1:03
2 Answers
> I don't believe there is any way to migrate passwords from our current site due to encryption.
I wouldn't necessarily rule that out. While WP uses PHPass as its regular hash for passwords, it still supports MD5 which was the original hash.
If a password is an MD5 hash, it will be updated to the new hash when the user logs in.
If your existing site's passwords are MD5 hashed, or if they can be converted to MD5, then you may be able to migrate your passwords.
If your current platform is on PHP and uses password_hash() to create hashed passwords then you can use a plugin like password-bcrypt or PHP Native Password Hash. Personally I'd recommend the latter as the plugin also supports Argon2 which is stronger than bcrypt. If you instead use crypt() to create bcrypt hashed passwords then it likely already works with WordPress without further effort on your part. In either case you could simply copy over all the hashed passwords for your users into your WordPress database and everyone should be able to log in with their existing passwords.
Now if you still want to force a password reset you could always do so by setting new, random passwords for all your users with a script. They won't be able to log in and they will be forced to go through the reset process. In PHP 7+ for each user you could do something like:
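$db = new mysqli('dbhost', 'dbuser', 'dbpass', 'dbname');
// Get array $userList with all usernames from DB or somewhere else
// Prepared statement: the hash and the login are bound as parameters, not concatenated into the SQL
$stmt = $db->prepare( 'UPDATE wp_users SET user_pass = ? WHERE user_login = ?' );
foreach ( $userList as $user ) {
    // Hex-encode the random bytes so the throwaway password contains no NUL bytes
    $hashed = password_hash( bin2hex( random_bytes(16) ), PASSWORD_DEFAULT );
    $stmt->bind_param( 'ss', $hashed, $user );
    $stmt->execute();
}
$stmt->close();
$db->close();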
The default in PHP for password_hash() is to create a bcrypt hash and since the idea is to force a reset anyways I wouldn't bother trying to use a stronger algorithm. You would also be using random_bytes which is designed to create cryptographically secure random data.
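The verify-then-rehash-on-login pattern that both answers rely on (MD5 in the first, password_hash() formats in the second), as an added stand-alone PHP example that is not part of either answer and is not WordPress core code. The function names, sample accounts and passwords are constructed for illustration.

```php
<?php
/** Classify a stored hash by its format (hypothetical helper). */
function legacy_hash_kind(string $stored): string {
    if (preg_match('/^[a-f0-9]{32}$/i', $stored)) {
        return 'md5';                        // unsalted MD5 hex digest
    }
    $info = password_get_info($stored);      // recognises bcrypt / Argon2 prefixes
    return $info['algoName'];                // 'unknown' when no format matches
}

/**
 * Check a login attempt against a migrated hash (hypothetical helper).
 * Returns [bool $ok, ?string $replacement]; the caller stores $replacement when non-null.
 */
function verify_and_upgrade(string $password, string $stored): array {
    $kind = legacy_hash_kind($stored);
    if ($kind === 'unknown') {
        return [false, null];                // cannot be verified: account needs a reset
    }
    $ok = ($kind === 'md5')
        ? hash_equals(strtolower($stored), md5($password))   // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return [false, null];
    }
    // The plaintext is only available at login, so this is the moment to re-hash.
    $stale = ($kind === 'md5') || password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $stale ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed sample rows standing in for hashes copied from the old platform.
$stored = [
    'alice' => md5('correct horse'),
    'bob'   => password_hash('hunter2!', PASSWORD_BCRYPT, ['cost' => 4]),
    'carol' => 'x9$legacy-custom-format',
];
$attempts = ['alice' => 'correct horse', 'bob' => 'wrong guess', 'carol' => 'anything'];

foreach ($attempts as $user => $password) {
    [$ok, $replacement] = verify_and_upgrade($password, $stored[$user]);
    printf("%-5s kind=%-7s login=%-3s rehash=%s\n",
        $user,
        legacy_hash_kind($stored[$user]),
        $ok ? 'ok' : 'no',
        $replacement !== null ? 'yes' : 'no');
}
```

Accounts whose hash comes back as `unknown` are the ones that cannot be carried over and need the reset email or a forced reset.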