roots/wp-password-bcrypt

Removing the plugin afterwards

espellcaste opened this issue · 3 comments

What if I remove the plugin later? The passwords would not convert into MD5, so users wouldn't be able to log in, right?!

Just to elaborate: if you know you want to remove the plugin, then you can add some migration code to verify the hash using bcrypt first, then re-hash using whatever other hashing function you want (MD5 for example) and save the new hash. Just like we're doing now in wp_check_password.

Or users could always request a password reset.
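The migration described above, written out as an added example for this thread; it is not code from wp-password-bcrypt or from WordPress core. It assumes the file is saved as wp-content/mu-plugins/bcrypt-reverse-migration.php (a hypothetical name) right after the plugin has been removed, so that it loads before wp-includes/pluggable.php and its wp_check_password() takes the place of core's. Hashes that password_get_info() reports as bcrypt are verified with password_verify(); on a successful login, the only moment the plaintext is available, wp_set_password() stores a fresh hash from the now-native wp_hash_password(), i.e. phpass. Everything else follows the same path core takes for phpass and legacy MD5 hashes.

```php
<?php
/**
 * Plugin Name: bcrypt to phpass reverse migration (added example)
 * Description: Lazily rehashes bcrypt hashes left behind by
 *              wp-password-bcrypt into WordPress's native phpass format
 *              on the user's next successful login.
 *
 * Added example; not code from wp-password-bcrypt or WordPress core.
 * Assumption: this file lives in wp-content/mu-plugins/ (hypothetical
 * filename bcrypt-reverse-migration.php) and the bcrypt plugin is gone,
 * so wp_hash_password() is core's phpass implementation again.
 */

if (!function_exists('wp_check_password')) :

/**
 * Same signature as the pluggable core function.
 *
 * @param string     $password Plaintext submitted at login.
 * @param string     $hash     Stored hash from the users table.
 * @param int|string $user_id  User ID, or '' when no rehash should happen.
 * @return bool
 */
function wp_check_password($password, $hash, $user_id = '') {
    global $wp_hasher;

    // Hashes written by password_hash() start with "$2y$" and are
    // reported as bcrypt; phpass ("$P$") and raw MD5 report as unknown.
    $info = password_get_info($hash);

    if ($info['algoName'] === 'bcrypt') {
        $check = password_verify($password, $hash);

        // We hold the plaintext only at a successful login, so this is the
        // one point where the hash can be converted. wp_set_password()
        // stores wp_hash_password($password), which is phpass once the
        // bcrypt plugin is removed.
        if ($check && !empty($user_id)) {
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password); // fresh phpass hash for the filter
        }

        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }

    // Legacy unsalted MD5 (pre-2.5 sites): mirrors core's own handling.
    if (strlen($hash) <= 32) {
        $check = hash_equals($hash, md5($password));
        if ($check && !empty($user_id)) {
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }

    // Native phpass path, as in core.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    $check = $wp_hasher->CheckPassword($password, $hash);

    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

endif;
```

Because the conversion can only happen when a user actually logs in, any account that never does keeps its bcrypt hash; the shim therefore has to stay in place until those users have logged in or, as noted above, have requested a password reset. Removing the shim earlier leaves core's phpass check facing a "$2y$" string it cannot verify, which is exactly the lockout the question describes. (WordPress 6.8 and later hash with bcrypt natively, so this reverse migration is only a concern on older cores.)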

Got it! Thanks!

That's what happens when you don't read, the answer was already there.

By the way, I was reading this article, https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#php, last week, and in my mind I thought WordPress used bcrypt.

I guess lots of people, like me, sometimes think WordPress is on top of things and "trust" it to be secure, etc. Maybe we need more voices like yours to open our eyes.