WordPress Development: Working with Password Hashes

$P$B1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7

Components:
$P$      - Hash identifier (phpass)
B        - Cost parameter (8 = 2^8 iterations)
1a2b3c4d - Salt (first 8 characters after cost)
5e6f7... - The actual password hash

<?php
// Example hash breakdown
$hash = '$P$B1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7';

// Extract components
$algorithm = substr($hash, 0, 3);  // '$P$'
$cost = substr($hash, 3, 1);        // 'B' (11 iterations = 2048 rounds)
$salt = substr($hash, 4, 8);        // '1a2b3c4d'
$hash_value = substr($hash, 12);    // '5e6f7...'

echo "Algorithm: {$algorithm}\n";
echo "Cost: {$cost} (". (1 << strpos('./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz', $cost)) ." rounds)\n";
echo "Salt: {$salt}\n";
?>

<?php
// Generate password hash
require_once ABSPATH . 'wp-includes/class-phpass.php';

$password = 'MySecurePassword123!';
$hasher = new PasswordHash(8, true);
$hash = $hasher->HashPassword($password);

echo "Generated Hash: " . $hash;

// Or use WordPress function
$hash = wp_hash_password($password);
echo "WP Hash: " . $hash;
?>

<?php
// Recommended way to update user password
$user_id = 1;
$new_password = 'NewSecurePassword456!';

// This updates password and clears cookies
wp_set_password($new_password, $user_id);

// Alternative: Update user data
wp_update_user([
    'ID' => $user_id,
    'user_pass' => $new_password
]);

echo "Password updated for user ID: " . $user_id;
?>

<?php
// Verify password against hash
$password = 'MyPassword123!';
$hash = '$P$B1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7';

// Using WordPress function
if (wp_check_password($password, $hash)) {
    echo "Password is correct!";
} else {
    echo "Password is incorrect!";
}

// Or use wp_authenticate
$user = wp_authenticate('username', $password);
if (is_wp_error($user)) {
    echo "Authentication failed: " . $user->get_error_message();
} else {
    echo "User authenticated successfully!";
}
?>

<?php
// Standalone hash generation (outside WordPress)
class WPPasswordHasher {
    private $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    public function hashPassword($password) {
        $random = $this->getRandomBytes(6);
        $hash = $this->crypt($password, $this->generateSalt($random));
        return $hash;
    }

    private function generateSalt($input) {
        $output = '$P$';
        $output .= $this->itoa64[8]; // Cost parameter
        $output .= $this->encode64($input, 6);
        return $output;
    }

    private function getRandomBytes($count) {
        return random_bytes($count);
    }

    private function encode64($input, $count) {
        $output = '';
        $i = 0;
        do {
            $value = ord($input[$i++]);
            $output .= $this->itoa64[$value & 0x3f];
            if ($i < $count)
                $value |= ord($input[$i]) << 8;
            $output .= $this->itoa64[($value >> 6) & 0x3f];
            if ($i++ >= $count)
                break;
            if ($i < $count)
                $value |= ord($input[$i]) << 16;
            $output .= $this->itoa64[($value >> 12) & 0x3f];
            if ($i++ >= $count)
                break;
            $output .= $this->itoa64[($value >> 18) & 0x3f];
        } while ($i < $count);
        return $output;
    }

    private function crypt($password, $setting) {
        return crypt($password, $setting);
    }
}

$hasher = new WPPasswordHasher();
$hash = $hasher->hashPassword('MyPassword123!');
echo $hash;
?>

-- EMERGENCY ONLY: Temporary MD5 password reset
-- This allows immediate access but is NOT secure for permanent use

UPDATE wp_users
SET user_pass = MD5('temporary_password_123')
WHERE user_login = 'admin';

-- After logging in, IMMEDIATELY change password via WordPress admin
-- WordPress will automatically convert to proper hash

<?php
// Generate proper WordPress hash for database update
$password = 'NewSecurePassword789!';

// Using command line PHP
$command = "php -r "require_once 'wp-load.php'; echo wp_hash_password('{$password}');"";
$hash = shell_exec($command);

// Or use online generator: /wordpress-password-hash

echo "Generated Hash: " . trim($hash);
// Output: $P$BXx7y8z9...
?>

-- Update password with proper WordPress hash
UPDATE wp_users
SET user_pass = '$P$BXx7y8z9a0b1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v1w2'
WHERE user_login = 'admin';

-- Or by user ID
UPDATE wp_users
SET user_pass = '$P$BXx7y8z9a0b1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v1w2'
WHERE ID = 1;

-- Verify the update
SELECT user_login, user_pass
FROM wp_users
WHERE user_login = 'admin';

-- Export users with password hashes for migration
SELECT
    ID,
    user_login,
    user_pass,
    user_email,
    user_nicename,
    display_name,
    user_registered
FROM wp_users
INTO OUTFILE '/tmp/users_export.csv'
FIELDS TERMINATED BY ','
ENCLOSED BY '"'
LINES TERMINATED BY '\n';

<?php
// Import users preserving password hashes
function import_users_with_hashes($csv_file) {
    global $wpdb;

    $file = fopen($csv_file, 'r');
    $imported = 0;

    while (($data = fgetcsv($file)) !== FALSE) {
        list($id, $login, $pass, $email, $nicename, $display, $registered) = $data;

        // Check if user exists
        if (!username_exists($login) && !email_exists($email)) {
            // Insert user with existing hash
            $wpdb->insert(
                $wpdb->users,
                [
                    'user_login' => $login,
                    'user_pass' => $pass,  // Pre-hashed password
                    'user_email' => $email,
                    'user_nicename' => $nicename,
                    'display_name' => $display,
                    'user_registered' => $registered
                ]
            );
            $imported++;
        }
    }

    fclose($file);
    return $imported;
}

// Usage
$count = import_users_with_hashes('/path/to/users_export.csv');
echo "Imported {$count} users with preserved passwords";
?>

<?php
// ✅ CORRECT: Use WordPress functions
wp_set_password('NewPassword123!', $user_id);

// ✅ CORRECT: Generate hash properly
$hash = wp_hash_password('MyPassword456!');

// ✅ CORRECT: Verify passwords
if (wp_check_password($input_password, $stored_hash)) {
    // Grant access
}

// ❌ WRONG: Never use MD5 for permanent passwords
$hash = md5($password); // Insecure!

// ❌ WRONG: Never store plain text
update_user_meta($user_id, 'password', $password); // Very bad!

// ❌ WRONG: Never log passwords
error_log("User password: " . $password); // Security risk!

// ✅ CORRECT: Use wp_mail for password reset links
wp_mail($email, 'Password Reset', 'Click here: ' . $reset_link);
?>

# Reset user password via WP-CLI
wp user update admin --user_pass='NewSecurePassword'

# Generate random password
wp user update admin --user_pass="$(wp user generate-password)"

# Reset password and email to user
wp user reset-password admin --send-email

# List all users
wp user list

# Create new admin user
wp user create newadmin [email protected] --role=administrator --user_pass='SecurePass123!'