How to Import WordPress users into Laravel

We have all been there: we forgot the password to one of our WordPress websites and needed a quick solution. A cursory Google search turns up instructions for logging in to the database (through the hosting panel / cPanel), opening a database management tool such as phpMyAdmin, and changing the password to the MD5 of the new password.

This gives us two pieces of information:

  1. Changing passwords in WordPress is easy
  2. Passwords are saved as MD5 (partially true)

WordPress uses the phpass library (introduced in WordPress 2.5 and now considered weak as well [1]), which is built with an MD5 fallback (for WordPress installations running older versions of PHP) and hence allows easy one-time manipulation of passwords through the database. In other words, when importing users from WordPress into a Laravel database (or other software), we will get phpass-based passwords and will need to convert them into the target password hash.

The Laravel framework, on the other hand, being snazzy, doesn’t care about older PHP versions (minimum 5.6) and uses the bcrypt hashing algorithm. bcrypt is built into PHP 5.5 and onward and provides a much stronger hash than phpass.

Hence, to convert WordPress passwords into Laravel passwords, you have two options. You can make sure that your WordPress runs on a new PHP version and have your WP passwords upgraded to bcrypt [2], but there will always be users who are left behind on old phpass passwords. Or you can use one of the Laravel packages to convert phpass passwords into bcrypt passwords.

At The Right Software, we use the mikemclin/laravel-wp-password [4] package to tie in the code at the time of login. A stored hash cannot be reversed, so login is the one moment when the plaintext password is available to be checked against the old hash and re-hashed with bcrypt.

use MikeMcLin\WpPassword\Facades\WpPassword;

// user's input data
$post_login = $request->input('post_login');
$post_password = $request->input('post_password');
// get user's saved password from database
// ($user is the record looked up for $post_login)
$wp_hashed_password = $user['password'];

if ( WpPassword::check($post_password, $wp_hashed_password) ) {
    // login successful, update password to bcrypt, send user forward
} else {
    // login failed, send user back to login page
}
After this, we update the passwords in the database so that this extra processing is not needed next time.
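The login-time check and upgrade described above, written out in plain PHP as an added example (it is not The Right Software's code and does not use the laravel-wp-password package). It also covers the hand-set MD5 value from the phpMyAdmin trick in the introduction. The function names are this example's own, and password_hash() with PASSWORD_BCRYPT stands in for Laravel's Hash::make().

```php
<?php
// Helper names below are this example's own, not WordPress or Laravel APIs.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
// phpass base64 variant: packs the 16 MD5 bytes little-endian, 6 bits per character.
function phpass_encode64(string $input, int $count): string {
    $itoa = ITOA64; $out = ''; $i = 0;
    do {
        $value = ord($input[$i++]);
        $out .= $itoa[$value & 0x3f];
        if ($i < $count) $value |= ord($input[$i]) << 8;
        $out .= $itoa[($value >> 6) & 0x3f];
        if ($i++ >= $count) break;
        if ($i < $count) $value |= ord($input[$i]) << 16;
        $out .= $itoa[($value >> 12) & 0x3f];
        if ($i++ >= $count) break;
        $out .= $itoa[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Recompute a portable phpass hash from the password and the stored "$P$" + cost + salt prefix.
function phpass_crypt(string $password, string $setting): string {
    if (strlen($setting) < 12 || !in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) return '*0';
    $log2 = strpos(ITOA64, $setting[3]);          // cost character encodes log2(iterations)
    if ($log2 === false || $log2 < 7 || $log2 > 30) return '*0';
    $salt = substr($setting, 4, 8);
    $hash = md5($salt . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) $hash = md5($hash . $password, true);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Returns [ok, newHash]; newHash is non-null when the stored value should be replaced.
function verify_and_upgrade(string $password, string $stored): array {
    if (strncmp($stored, '$2y$', 4) === 0) {      // already bcrypt: nothing to migrate
        return [password_verify($password, $stored), null];
    }
    $ok = strlen($stored) <= 32
        ? hash_equals($stored, md5($password))    // raw MD5 set by hand in the database
        : hash_equals($stored, phpass_crypt($password, $stored));
    return [$ok, $ok ? password_hash($password, PASSWORD_BCRYPT) : null];
}
// Constructed sample rows: one phpass hash, one hand-set MD5, one already migrated.
$rows = [phpass_crypt('secret', '$P$Babcdefgh'), md5('secret'), password_hash('secret', PASSWORD_BCRYPT)];
foreach ($rows as $stored) {
    foreach (['secret', 'wrong'] as $attempt) {
        [$ok, $new] = verify_and_upgrade($attempt, $stored);
        printf("%-12.12s %-6s ok=%d upgrade=%s\n", $stored, $attempt, $ok, $new ? 'yes' : 'no');
    }
}
```

When `newHash` is non-null, write it to the user's row in the same request so the legacy branch is never taken again for that account.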

Finally, when all passwords are updated, we can remove this code completely. Set up a reminder or a task in your management software to remove this code from the repository in future uploads.

We care about customer website security and make sure to take part in the betterment of the internet.