Hi, I'm working now on a new site that will substitute the old one, but with imported articles, comments, users, etc. On the old page the passwords are stored as MD5 hashes. I want to keep these passwords, because I don't want to force users to reset their password, but I don't want to have MD5-hashed passwords in my users table (I'm using bcrypt). So I created this filter:
    /**
     * MD5-hashed passwords in the users table are not secure enough, but it's fine to be able to insert a
     * recovery password directly into the DB. This filter runs after the normal check: if that check failed,
     * the stored value is a 32-character MD5 digest and the submitted password matches it, the password is
     * re-hashed with the WP hash algorithm and stored as the user's password.
     *
     * @param bool   $check    Result of the normal password check.
     * @param string $password Plaintext password submitted at login.
     * @param string $hash     Hash stored in the users table.
     * @param int    $userId   ID of the user being checked.
     * @return bool
     */
    function md5_password_fix( $check, $password, $hash, $userId ) {
        // Only act on a failed check, for a real user, when the stored value looks like a raw MD5 digest.
        if ( ! $check && $userId && strlen( $hash ) === 32 && ctype_xdigit( $hash ) ) {
            // hash_equals() is a strict, constant-time comparison. Do not use == here: PHP compares
            // numeric-looking strings as numbers, so digests of the form "0e<digits>" all compare equal.
            if ( hash_equals( strtolower( $hash ), md5( $password ) ) ) {
                global $wpdb;
                // wp_hash_password() uses the same phpass hasher (PasswordHash(8, true)) as core.
                $hashed_password = wp_hash_password( $password );
                // $wpdb->update() escapes the values itself; esc_sql() on top of it would double-escape.
                $wpdb->update( $wpdb->users, array( 'user_pass' => $hashed_password ), array( 'ID' => $userId ) );
                // Drop the cached WP_User object so it does not keep serving the old MD5 value.
                clean_user_cache( $userId );
                $check = true;
            }
        }
        return $check;
    }
    add_filter( 'check_password', __NAMESPACE__ . '\\md5_password_fix', 10, 4 );
On first login it will automatically check that password; if it's correct, it will convert and save it. My question is: is my solution safe? Thanks
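As an added example, not code from the question or from WordPress: the same upgrade-on-first-login pattern in plain PHP against a constructed in-memory users array, using PHP's built-in password_hash()/password_verify() (bcrypt) instead of WordPress's phpass wrapper so it runs with `php` alone. It also shows why the digest comparison must be hash_equals() and not ==: the two sample passwords '240610708' and 'QNKCDZO' have MD5 digests of the form 0e followed only by digits, which PHP's loose comparison treats as the number zero, so a wrong password would log in. The user names, passwords and the check() helper are made up for the example. One caveat for WordPress specifically: wp_check_password() already performs this legacy-MD5 comparison and rehash itself for stored hashes of 32 characters or fewer, before the check_password filter fires, so the filter above only does extra work when that core path is bypassed.

```php
<?php
// Added example, not code from the question or from WordPress: transparent MD5 -> bcrypt
// upgrade on login against a constructed in-memory "users table".
declare(strict_types=1);

// Constructed sample data: 'alice' and 'carol' still have legacy MD5 digests, 'bob' is already on bcrypt.
$users = [
    'alice' => ['user_pass' => md5('correct horse')],
    'bob'   => ['user_pass' => password_hash('battery staple', PASSWORD_BCRYPT)],
    'carol' => ['user_pass' => md5('240610708')],   // digest is 0e462097431906509019562988736854
];

// A raw MD5 digest is exactly 32 hex characters; bcrypt hashes start with "$2y$" and are 60 long.
function is_legacy_md5(string $hash): bool
{
    return strlen($hash) === 32 && ctype_xdigit($hash);
}

// Verifies $password for $name. On a successful login against a legacy MD5 digest the stored
// value is replaced with a bcrypt hash, so the plaintext is only ever seen at login time.
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['user_pass'];

    if (is_legacy_md5($stored)) {
        // Strict, constant-time comparison. Never use == on digests: PHP compares numeric-looking
        // strings as numbers, so "0e462097..." == "0e830400..." is true.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $users[$name]['user_pass'] = password_hash($password, PASSWORD_BCRYPT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Also upgrades hashes made with an older cost factor once the default is raised.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $users[$name]['user_pass'] = password_hash($password, PASSWORD_BCRYPT);
    }
    return true;
}

// Tiny reporting helper for the demo below (made up for this example).
function check(string $what, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ": $what\n";
}

// The "magic hash" pitfall: md5('QNKCDZO') is 0e830400451993494058024219903391, so with ==
// it equals carol's digest even though the passwords differ.
check('loose == treats the two 0e digests as equal', md5('240610708') == md5('QNKCDZO'));
check('hash_equals() does not', !hash_equals(md5('240610708'), md5('QNKCDZO')));
check('carol cannot log in with the colliding password', !login($users, 'carol', 'QNKCDZO'));

check('alice: wrong password rejected', !login($users, 'alice', 'wrong'));
check('alice: still on MD5 after a failed attempt', is_legacy_md5($users['alice']['user_pass']));
check('alice: correct password accepted', login($users, 'alice', 'correct horse'));
check('alice: upgraded to bcrypt', strncmp($users['alice']['user_pass'], '$2y$', 4) === 0);
check('alice: bcrypt path works on the next login', login($users, 'alice', 'correct horse'));
check('bob: existing bcrypt user unaffected', login($users, 'bob', 'battery staple'));
check('unknown user rejected', !login($users, 'nobody', 'anything'));
```

Run it with `php upgrade.php`; every line should print PASS. Two design points carry over to the WordPress filter: the upgrade happens only after a successful strict comparison, so a failed attempt leaves the MD5 row untouched, and the legacy branch is keyed on the shape of the stored value rather than on a separate flag, so nothing else has to track which accounts have been migrated.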