Roots Discourse

Filter that will convert MD5 hashed password after login

Hi, I'm now working on a new site that will replace the old one, with imported articles, comments, users etc. On the old page, passwords are stored as MD5 hashes. I want to keep these passwords, because I don't want to force users to reset their passwords, but I don't want to have MD5-hashed passwords in my users table (I'm using bcrypt). So I created this filter:

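```php
/**
 * MD5-hashed passwords in the users table are not secure enough, but it's fine to have the possibility to insert a
 * recovery password directly in the DB. This function checks whether the entered password is correct and, after
 * verification, hashes the password with the WP hash algorithm and stores it as the user's password.
 *
 * @param bool   $check    Result of the regular password check.
 * @param string $password Plain-text password entered at login.
 * @param string $hash     Hash stored for the user.
 * @param int    $userId   ID of the user logging in.
 * @return bool
 */
function md5_password_fix( $check, $password, $hash, $userId ) {

  if ( ! $check ) {
    // hash_equals() compares as strings in constant time; a loose == treats two "0e<digits>" hashes as equal numbers.
    if ( strlen( $hash ) == 32 && hash_equals( $hash, md5( $password ) ) ) {
      global $wp_hasher, $wpdb;

      if ( empty( $wp_hasher ) ) {
        require_once( ABSPATH . WPINC . '/class-phpass.php' );
        $wp_hasher = new \PasswordHash( 8, true );
      }

      $hashed_password = $wp_hasher->HashPassword( $password );
      // $wpdb->update() escapes the values itself, so esc_sql() is not applied here.
      $wpdb->update( $wpdb->users, array( 'user_pass' => $hashed_password ), array( 'ID' => $userId ) );
      // Drop the cached user object so it no longer holds the old MD5 hash.
      clean_user_cache( $userId );
      $check = true;
    }
  }
  return $check;
}
// PHP has no NAMESPACE_SEPARATOR constant; the namespace separator is a literal backslash.
add_filter( 'check_password', __NAMESPACE__ . '\\md5_password_fix', 10, 4 );
```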

On first login it will automatically check the password and, if it's correct, convert it and save it. My question is: is my solution safe? Thx
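
The upgrade-on-login flow asked about above, as an added example in plain PHP without WordPress (it is not part of the original post and not Roots or WordPress code). The in-memory `$users` array stands in for the users table, and the function name and sample passwords are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: user id => stored hash.
// User 1 still has a legacy MD5 hash, user 2 is already on bcrypt.
$users = [
    1 => md5('correct horse'),
    2 => password_hash('sample-passphrase', PASSWORD_BCRYPT),
];

/**
 * Hypothetical helper: verify a login and, on success, replace a legacy
 * MD5 hash with a bcrypt hash of the same password.
 */
function verify_and_upgrade(array &$users, int $id, string $password): bool
{
    $stored = $users[$id] ?? null;
    if ($stored === null) {
        return false;
    }

    // Legacy row: exactly 32 hex characters, nothing else.
    if (preg_match('/\A[0-9a-f]{32}\z/i', $stored) === 1) {
        // String comparison in constant time. A loose == would compare
        // two "0e<digits>" hashes as numbers and accept a wrong password.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false; // wrong password: the row is left untouched
        }
        // Only a verified plain-text password is ever re-hashed.
        $users[$id] = password_hash($password, PASSWORD_BCRYPT);
        return true;
    }

    // Modern row: normal verification, plus a rehash if the cost changed.
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $users[$id] = password_hash($password, PASSWORD_BCRYPT);
    }
    return true;
}

// Wrong password, then the right one (triggers the upgrade), then the
// right one again, which is now checked against the bcrypt hash.
var_dump(verify_and_upgrade($users, 1, 'wrong guess'));
var_dump(verify_and_upgrade($users, 1, 'correct horse'));
var_dump(strpos($users[1], '$2y$') === 0);
var_dump(verify_and_upgrade($users, 1, 'correct horse'));
```

Accounts that never log in again keep their MD5 hash under this scheme, so the table stays mixed until those rows are expired or reset.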