Opened 13 years ago
Closed 13 years ago
#19261 closed defect (bug) (duplicate)
wp_update_user causes password to be double hashed
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 3.3 |
| Component: | Users | Keywords: | reporter-feedback close |
| Focuses: | Cc: |
Description
If you use wp_update_user to insert/update a user and you pass in the users password (user_pass) then the password gets hashed in wp_update_user and then gets hashed again when wp_insert_user is called further down.
So I think line 1419 of /wp-includes/user.php needs to be removed as not not hash the password.
In fact what is the point of wp_update_user? when wp_insert_user seems to do exactly the same thing CORRECTLY.
This is the same for all versions of WordPress since 2.0 I reckon.
Change History (4)
#2
@
13 years ago
- Resolution set to fixed
- Status changed from new to closed
wp_update_user is meant to as it says in the codex: Update (or create) a user in the database.
So I've used it to create the user passing in a plain text password as generated by wp_generate_password(). If the function isn't capable of creating a user then the codex shouldn't say that is what it does.
I think that's the problem here. The codex says wp_update_user will create a user when in fact it doesn't (well it does but it double hashes the password).
So as the function names suggest wp_update_user updates a user and wp_insert_user inserts the user. I've gone ahead and updated the codex for wp_update_user to remove the initial indication that wp_update_user creates a user and put a note to let people know wp_insert_user is the best function to use when creating a new user.
wp_insert_user() only hashes the given password if it's not updating an existing user.
It sounds like you're passing an already hashed password to wp_update_user() instead of the expected new, plaintext password.