• phildesign6

    (@phildesign6)


    Hi,
    First of all, thanks for the nice plugin – we have been using it for quite some time now. I have some trouble when using woo-commerce, in more detail when using the account/change password function. I checked as far as I could and woocommerce seems to be using the wp_hash_password hook. After a user changes his password in the frontend (woocommerce/myaccount/changepw), it is stored with an md5 hash. When I create a new password within the backend it works and uses the bcrypt hash.

    Any help would be great.
    best phil

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Ninos

    (@ninos-ego)

    Thank you for your feedback. This problem is not part of my plugin. My plugin only replaces the wp_hash_password-function. If woocommerce uses its own function for password hashing I strongly recommend opening a ticket in their issuing system:
    https://github.com/woocommerce/woocommerce/issues/

    Something like that must not happen.

    Normally wp_hash_password() must be used, because woocommerce uses the wp_update_user()-function for saving the new user data:
    https://github.com/woocommerce/woocommerce/blob/f434fc7d9a1f00363b07c60bde0aa3c0666e46ac/includes/class-wc-form-handler.php#L248
    And this function is using wp_hash_password():
    https://core.trac.ww.wp.xz.cn/browser/tags/4.7.4/src/wp-includes/user.php#L1760

    Please retry changing a password and tell me if it’s still md5. Then I’ll investigate. Maybe you checked old user accounts, which were created before my plugin was installed/enabled.

    • This reply was modified 9 years ago by Ninos.
    Thread Starter phildesign6

    (@phildesign6)

    thanks, for the detailed reply.

    What I found out so far is that, in the same way as your function uses this hook,
    there is an additional one in wp-includes/pluggable.php (http://woocommerce.wp-a2z.org/oik_api/wp_hash_password/)

    Could it be the case that the wordpress/users section uses your hook and, for any reason, the woocommerce change password function (include order?) will use the other hook (from pluggable.php) first? I tried changing the other, without any luck so far – but will try again later today.

    thanks so far,
    best phil

    Plugin Author Ninos

    (@ninos-ego)

    Thread Starter phildesign6

    (@phildesign6)

    Ok thanks – I will check and come back to you if needed.

    Thread Starter phildesign6

    (@phildesign6)

    Hi again,

    I tried a couple of things and I also posted on the wc-github-issue-board – without any outcome. In wc code they use wp_update_user and this calls wp_hash_update. I do not totally understand why it is not working.

    Within the backend it always works. When using the frontend with the wc-endpoint change_account it always uses the default setting and generates an md5-hash starting with $P$

    I tried to directly change the pluggable.php to your implementation, but it keeps behaving the same (using the standard md5 thing).

    I have no idea how to tackle the problem. I also tried turning your plugin on and off, but nothing. I also checked all plugin files if there is an additional wp_hash_user overwrite, but I did not find one. There is just the one from you and the one in pluggable.php.

    i would appreciate any help, hint, tip, inspiration.

    thanks again for your time.
    best philip

    btw, here the links to the wc-github-issue
    https://github.com/woocommerce/woocommerce/issues/15486

    and it behaves the same with an admin as with a non-admin user.

    btw google-recaptcha is also installed – but it seems that it does not override the hook.
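
An added example (not part of the thread and not the plugin's code): a small Python audit that classifies stored `user_pass` values by format, so accounts whose password was last set through a path that produced the `$P$` MD5-based hash instead of bcrypt can be listed. The login names and hash bodies in `SAMPLE_ROWS` are constructed, and the bcrypt pattern assumes hashes in the format produced by PHP's `password_hash()`.

```python
import re

# Alphabet phpass uses to encode the cost character and the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# phpass "portable" hash: $P$ + 1 cost char + 8 salt chars + 22 digest chars.
PHPASS = re.compile(r"^\$P\$([./0-9A-Za-z])[./0-9A-Za-z]{8}[./0-9A-Za-z]{22}$")
# bcrypt: $2a$/$2b$/$2x$/$2y$ + two-digit cost + $ + 53 chars of salt and digest.
BCRYPT = re.compile(r"^\$2[abxy]\$(\d{2})\$[./0-9A-Za-z]{53}$")
# Very old installs may still hold a bare, unsalted MD5 hex digest.
PLAIN_MD5 = re.compile(r"^[0-9a-f]{32}$")


def classify(stored):
    """Return (scheme, cost description) for one stored user_pass value."""
    m = PHPASS.match(stored)
    if m:
        # The cost character encodes log2 of the MD5 iteration count.
        rounds = 1 << ITOA64.index(m.group(1))
        return ("phpass-md5", f"{rounds} MD5 iterations")
    m = BCRYPT.match(stored)
    if m:
        return ("bcrypt", f"cost {int(m.group(1))}")
    if PLAIN_MD5.match(stored):
        return ("plain-md5", "single unsalted MD5")
    return ("unknown", "")


def audit(rows):
    """Return (login, scheme) for every account not stored as bcrypt."""
    findings = []
    for login, stored in rows:
        scheme, _ = classify(stored)
        if scheme != "bcrypt":
            findings.append((login, scheme))
    return findings


# Constructed sample rows (user_login, user_pass); not real hashes.
SAMPLE_ROWS = [
    ("backend_user", "$2y$10$" + "a" * 53),
    ("frontend_user", "$P$B" + "12345678" + "x" * 22),
    ("legacy_user", "ab" * 16),
]

if __name__ == "__main__":
    for login, scheme in audit(SAMPLE_ROWS):
        print(f"{login}: {scheme}")
```

Running the audit before and after a front-end password change shows whether that code path wrote a `$P$` value or a bcrypt one.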


The topic ‘WooCommerce’ is closed to new replies.