Home » Wordpress » WordPress – Encrypt passwords of imported users

WordPress – Encrypt passwords of imported users

Posted by: admin November 30, 2017 Leave a comment


I am about to import about 10,000 users to my WordPress site from another CMS. Problem is, none of their passwords are going to work because they are not encrypted.

How do I encrypt all of these passwords quickly and in a way that WordPress will recognize and accept so that users can login?


As encryption and hashing are different stuff, I assume all these passwords are in plain text format. In this case, all you have to do is to apply the md5 algorithm on them.

You can do it from a SQL or a PHP importing script. Take a look at the Resetting Your Password Codex page, and that should give you some light.

Anyway, you won’t go too far from:

require_once( ABSPATH . WPINC . '/registration.php');

$db = new wpdb (DB_USER, DB_PASSWORD, DB_NAME, DB_HOST);

$result = $db->get_results($sql);
foreach ($result as as $r) {
        'user_login' => $r->username,
        'user_pass' => $r->password,
        'user_firstname' => $r->first_name

Take a look on the get_userdata function documentation to see what user info you can import at first moment.


As it turns out, I found a couple of other ways to do this. One is done through your mysql phpmyadmin area (on the “sql” tab once you’ve selected the right database) and was posted by Andrew Vit on another thread within stackoverflow:

UPDATE wp_users SET user_pass = MD5(user_pass) WHERE ...

for the “where” condition, if all your passwords are the same length, you might use the following condition:

WHERE CHAR_LENGTH(wp_users.user_pass) = 12

Of course, if your password length is different, simply change the “12” above to whatever the length of your passwords is. If they are NOT the same character length then you’ll have to use some other criteria for determining which passwords to encrypt (unless they ALL need to be encrypted, in which case you can leave the “where” condition off entirely.

I personally ended up using a php script to do the work, so that the passwords could be encrypted by WordPress itself (or at least using the method that WordPress uses). Here are the contents of my php file:

  require_once '/home/evaluate/public_html/members-blog/wp-config.php';

$sql="SELECT user_pass,ID FROM wp_users WHERE CHAR_LENGTH(wp_users.user_pass) = 12";
$find = mysql_query($sql) or die(mysql_error());

  while($row = mysql_fetch_array($find))

  $current_password = $row['user_pass'];
  $current_id = $row['ID'];
  $hashed_password = wp_hash_password( $current_password );

  $update_sql= "UPDATE wp_users SET user_pass = '" . $hashed_password . "' WHERE ID = " . $current_id . "";
  $update = mysql_query($update_sql) or die(mysql_error());  

  echo $current_id . " " . $hashed_password;
  echo "<br />";


Done this way, not only are the passwords encrypted using WordPress’ own method, but, you also get a printout on your screen each time you run the script, showing you the ID of all the records that were updated and providing the corresponding hashed password.