How do I transfer user passwords from one WordPress site to another?

by Dylan   Last Updated November 14, 2017 18:08 PM

Let me begin by saying I know this is generally advised against but I'm in a tough spot at work where this is essentially being demanded and to my understanding it's theoretically possible.

I am tasked with transferring all user data from one WordPress site to another, and one of the stipulations is nobody would have to set a new password.

I know there's no chance of dehashing the passwords but I read somewhere yesterday that if you use the same salts in wp-config.php then the passwords should work. I tried this and it didn't do the trick, but that may be due to some weird WPEngine caching or hidden setting, as does happen with them from time to time. What was especially weird is my old password still worked after I did this.

I also read that, in addition to the salts in wp-config.php, there are salts stored in the database somewhere that complement or mirror the ones stored in wp-config.php. That part I don't quite understand and is probably the real question here. Where in the WordPress database are these salts stored?

Is there any hope of achieving this?



Answers 1


Yes and no

wp_salt is the function you're thinking of: https://core.trac.wordpress.org/browser/tags/4.8/src/wp-includes/pluggable.php#L1988

Your theory should be correct: copying the passwords over via SQL, making sure all the salts are the same, then clearing cookies and trying to log in should do the trick.

However, if we look at the code in the function, there are filters that WP Engine's code might hook into. If this is the case, they might have added site independent salts, which means what you ask for would be impossible to do. At this point you'd need to contact WP Engine support, but they're very likely to refuse to help on security grounds.

As for yourself, you shouldn't be doing this either, as it's irresponsible and unprofessional, and should refuse to do so, regardless of whether it's possible or not.

I also read that, in addition to the salts in wp-config.php, there are salts stored in the database somewhere that complement or mirror the ones stored in wp-config.php. That part I don't quite understand and is probably the real question here. Where in the WordPress database are these salts stored?

I'm unaware of such a thing, and the implementation of wp_salt does not indicate such things. There is no evidence for it.

Alternatives That Make More Sense

Multisite

Why copy the users at all when you can put both sites in the same install and use the built in domain mapping?

SSO or Federated login

Use the first site as a single sign-on to log in to the new site, similar to how you logged into this site with Google/Twitter/etc.

Tom J Nowell
November 14, 2017 17:59 PM
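
Added example, not part of the original answer or of WordPress core: in WordPress 4.8 a `user_pass` value is a phpass portable hash that embeds its own cost and per-password salt, while the wp-config.php keys and salts feed `wp_salt()` for cookies and nonces. The Python below re-implements the portable check so a copied row can be verified from the row alone before cut-over; the sample password, salt and function names are constructed for illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """phpass's base64 variant: little-endian 3-byte groups, 6 bits per char."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a portable hash from its 12-char prefix: id, cost char, 8-char salt."""
    log2 = ITOA64.find(setting[3:4])
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12 or not 7 <= log2 <= 30:
        raise ValueError("not a phpass portable hash")
    pw, salt = password.encode(), setting[4:12].encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << log2):          # cost char 'B' means 2**13 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def check_password(password: str, stored: str) -> bool:
    """Verify against a user_pass value; no wp-config.php value is an input."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


def classify(stored: str) -> str:
    """Label a user_pass value before copying the column to another site."""
    if stored[:3] in ("$P$", "$H$") and len(stored) == 34:
        return "phpass-portable"
    is_md5 = len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)
    return "legacy-md5" if is_md5 else "other"


# Constructed sample row value (password and salt are made up for this example).
SAMPLE_USER_PASS = phpass_hash("correct horse battery", "$P$BabcdEFGH")

if __name__ == "__main__":
    print(classify(SAMPLE_USER_PASS), check_password("correct horse battery", SAMPLE_USER_PASS))
```

Rows that `classify` labels `other` were written by a plugin or a different hashing scheme and need checking against the destination site's configuration before the migration.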
