Converting Customer Password Hashes from WordPress to Magento 2

Aug 28, 20181387
Converting Customer Password Hashes from WordPress to Magento 2

In some projects developers may face the problem of migrating the data from various other platforms to Magento 2: for example, the site may have previously worked on another CMS system, but we want to keep the already existing products, users and other entities in it. At the same time, when migrating users, we can migrate all the data to Magento except for password hashes, because they are encrypted differently in another system: use a different algorithm, another combination of salt and the password itself, etc.

As a result, after such a migration, a customer will not be able to log into the updated site and will have to use the password recovery system. How can we avoid it without creating unnecessary inconveniences for a customer? Let’s see how it works using the example of migrating customers from WordPress.

First of all, we save the necessary user data from WordPress to our Magento database, including password hashes in the form they were received from WordPress:

Saving the necessary user data from WordPress to our Magento database, including password hashes in the form they were received from WordPress

The idea behind it is to change the password hash obtained from the previous system into the native Magento one when we have access to the unhashed password, i.e. while logging in. To do this, create an observer using the controller_action_predispatch_customer_account_loginPost event, which is called before the \Magento\Customer\Controller\Account\LoginPost controller. For this purpose we should create a new module, and inside it — the /app/code/YourVendor/PasswordHashConverter/etc/events.xml file:

Besides that, we will need to compare the password entered by a customer with the original hash from WordPress. We do it with the help of the Portable PHP hash framework, used in WordPress for these purposes. Save it to our module as /app/code/YourVendor/PasswordHashConverter/PasswordHash.php. For further use in our code, write it to /app/code/YourVendor/etc/di.xml, specifying its signature of the two received parameters: iteration_count_log2 and portable_hashes:

It only remains to create an observer that will implement the functionality we need.


Partner With Us Let's discuss how to grow your business. Get a Free Quote.
Talk to Vlad

The Observer checks if the password matches the old hash from WordPress, and if it finds one, it converts the password to the Magento format. If the match is not found (we have already changed the hash to a new one, or simply entered a wrong password), our observer will not do anything (the catch block in its implementation is left empty for this purpose). The native Magento mechanism for validating the login and password will be launched after the execution of our code, and thus the authorization will be completed as usual.

As a result, for all imported and logged users the password will be encrypted according to the Magento standards, and will not differ from the newly registered ones:

Passwords encrypted according to the Magento standards

The described mechanism is suitable not only for WordPress but also for any other engine, from which we can extract the password hashing mechanism and use it for verification.

Partner With Us Looking for a partner that will help you to grow your business? We are the right company to develop your webstore. Feel free to get in touch with us. We will be happy to discuss your business opportunities and provide you with a Free Quote. Talk to Vlad


Post a new comment

BelVG Newsletter
Subscribe to our mailing list and get interesting stuff and updates to your email inbox.
Email *