WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#19261 closed defect (bug) (duplicate)

wp_update_user causes password to be double hashed

Reported by: WPsites Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.3
Component: Users Keywords: reporter-feedback close
Focuses: Cc:

Description

If you use wp_update_user to insert/update a user and you pass in the users password (user_pass) then the password gets hashed in wp_update_user and then gets hashed again when wp_insert_user is called further down.

So I think line 1419 of /wp-includes/user.php needs to be removed as not not hash the password.

In fact what is the point of wp_update_user? when wp_insert_user seems to do exactly the same thing CORRECTLY.

This is the same for all versions of WordPress since 2.0 I reckon.

Change History (4)

comment:1 @duck_4 years ago

  • Keywords reporter-feedback close added

wp_insert_user() only hashes the given password if it's not updating an existing user.

It sounds like you're passing an already hashed password to wp_update_user() instead of the expected new, plaintext password.

comment:2 @WPsites4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

wp_update_user is meant to as it says in the codex: Update (or create) a user in the database.

So I've used it to create the user passing in a plain text password as generated by wp_generate_password(). If the function isn't capable of creating a user then the codex shouldn't say that is what it does.

I think that's the problem here. The codex says wp_update_user will create a user when in fact it doesn't (well it does but it double hashes the password).

So as the function names suggest wp_update_user updates a user and wp_insert_user inserts the user. I've gone ahead and updated the codex for wp_update_user to remove the initial indication that wp_update_user creates a user and put a note to let people know wp_insert_user is the best function to use when creating a new user.

comment:3 @SergeyBiryukov4 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:4 @SergeyBiryukov4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.