Allow WordPress Login with SHA1 Password Hash

What if you’re migrating from an old website to WordPress and want to import your users, but all the passwords are hashed with SHA1? By default, WordPress does not recognize SHA1-hashed passwords, but fear not! Add this code to your functions.php, or add it to an existing custom plugin. Each hashed password is updated to the standard WP hash after that user’s successful login.
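An added example of the approach described above, not the post's original snippet: a `check_password` filter that accepts an unsalted SHA1 hash and re-hashes the password on success. The function name `legacy_sha1_check_password`, the 40-hex-character test for spotting a legacy hash, and the extra unslashed comparison are assumptions of this example.

```php
<?php
// Added example; the function name and legacy-hash detection are assumptions.
add_filter( 'check_password', 'legacy_sha1_check_password', 10, 4 );

function legacy_sha1_check_password( $check, $password, $hash, $user_id ) {
	// Nothing to do if WordPress already accepted the password,
	// or if there is no user record to upgrade afterwards.
	if ( $check || empty( $user_id ) ) {
		return $check;
	}

	// Assumption: a legacy hash is exactly 40 hex characters (unsalted SHA1).
	// Anything else is left to WordPress's own verdict.
	if ( ! is_string( $hash ) || ! preg_match( '/^[0-9a-f]{40}$/i', $hash ) ) {
		return $check;
	}

	// Assumption: the submitted value may carry the slashes WordPress adds to
	// request data, while the old site hashed the raw password, so try both.
	$candidates = array_unique( array( $password, wp_unslash( $password ) ) );

	foreach ( $candidates as $candidate ) {
		// hash_equals() compares in constant time and avoids loose "==" juggling.
		if ( hash_equals( strtolower( $hash ), sha1( $candidate ) ) ) {
			// Replace the SHA1 hash with a standard WordPress hash of the
			// password exactly as received, so later logins skip this path.
			wp_set_password( $password, $user_id );
			return true;
		}
	}

	return false;
}
```

Users who never log in keep their SHA1 hash in the database, so the filter has to stay in place until they do or until their passwords are reset.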

14 comments

  • This looks like what I am looking for, thank you, except my sha1 passwords are salted. Can this be adapted to include ‘unsalting’?

    • Hey Richard — if you know how the passwords were salted, I think you could adapt this to salt / hash the password the user entered and check that against the password stored.

      • OK, I think I have worked this out. I added this at the top of your function to get the salt from another table using the username and add it to the end of the password before hashing it:
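        global $wpdb;
        // Look up the login name for this user ID, then the salt stored for that username in the old table.
        $username = $wpdb->get_var( $wpdb->prepare( "SELECT user_login FROM $wpdb->users WHERE ID = %d", $user_id ) );
        $salt = $wpdb->get_var( $wpdb->prepare( "SELECT salt FROM old_users WHERE username = %s", $username ) );

        // Append the salt to the entered password before hashing; compare as strings in constant time.
        $check = hash_equals( (string) $hash, sha1( $password . $salt ) );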
        Seems to work…

        • Looks good to me! The code rehashes the password using the standard WP hash, so if your users log in often, you can eventually remove this code to speed up the login process.

  • Great code, I’ve adapted your solution to an encryption algorithm used in the old system of the client and it works. The question arises when I try to make the two logins coexist together.
    How could I do it?

    • You need some way of detecting which type of hash is stored in the database so you can make the right comparison 🙂

  • Hi Max, thank you for the post. I’d like to know if you have worked with WooCommerce. I’m trying to migrate the passwords from OpenCart to WooCommerce, but the passwords are salted. I don’t know how this works. Can you help me?
    Thank you so much.

    • Hiya 🙂 You’d want to find out how the passwords are hashed with OpenCart, and then after you import them into WordPress, use this sort of code to check the hash, allow the login if it matches, and re-hash the entered password using WP.

  • Max,
    I inserted the code in my functions.php and got a white screen on save. I noticed there is a “” before the start of your snippet thinking that might fix things.

    It saved but it appears the script didn’t work when I tried to log in. I got ‘password for the username is incorrect’.

    I do know the password is NOT salted and is SHA-1 (NOT SHA1 if that makes a dif) from two articles at the export site’s support…

    “Passwords are encrypted on our site using SHA-1 encryption…” and “… passwords are hashed but not salted”.

    Do you have any idea what’s wrong?

    I’m standing by.

    With Best Regards,

    -Carmine

    • Yep, as you mentioned you’ll need to account for the opening <?php tag. A closing tag is not needed. If they really are just regular SHA1 hashes then the code above should work for you. If you’re having trouble, try posting on Codeable.io to get help from a developer 🙂
