WooCommerce

phildesign6
(@phildesign6)

8 years, 11 months ago

Hi,
First of all thanks for the nice plugins – we are using it for quite some time now. I have some troubles when using woo-commerce, in more detail when using the account/change password function. I checked as far as i could and woocommerce seems to be using the wp_hash_password hook. After a user changes his password in the frontend (woocommerce/myaccount/changepw), is stored with an md5 hash. When i create a new password within the backend it works and uses the bcrypt hash.

Any help would be great.
best phil

Viewing 5 replies - 1 through 5 (of 5 total)

Plugin Author Ninos
(@ninos-ego)

8 years, 11 months ago
Thank you for your feedback. This problem is not part of my plugin. My plugin only replaces the wp_hash_password-function. If woocommerce uses its own function for password hashing I strongly recommend opening a ticket in their issuing system:
https://github.com/woocommerce/woocommerce/issues/

Something like that must not happen.

Normally wp_hash_password() must be used, because woocommerce uses the wp_update_user()-function for saving the new user data:
https://github.com/woocommerce/woocommerce/blob/f434fc7d9a1f00363b07c60bde0aa3c0666e46ac/includes/class-wc-form-handler.php#L248
And this function is using wp_hash_password():
https://core.trac.ww.wp.xz.cn/browser/tags/4.7.4/src/wp-includes/user.php#L1760

Please retry changing a password and tell me if it’s still md5. Then I’ll investigate. May you checked old user accounts, which were created before my plugin was installed/enabled.
- This reply was modified 8 years, 11 months ago by Ninos.
Thread Starter phildesign6
(@phildesign6)

8 years, 11 months ago

thanks, for the detailed reply.

what i found out so far is, that in the same way as your function uses this hook
there is an additional one in wp-includes/pluggable.php (http://woocommerce.wp-a2z.org/oik_api/wp_hash_password/)

could it be the case, that the wordpress/users section uses your hook and for any reason, at the woocommerce change password function (include order?) will use the other hook (from pluggable.php) first? I tried changing the other, without any luck so far – but try later today again.

thanks so far,
best phil

Plugin Author Ninos
(@ninos-ego)

8 years, 11 months ago

Nope, I’m replacing the function, see:
https://github.com/WordPress/WordPress/blob/master/wp-includes/pluggable.php#L2076

See also:
https://codex.ww.wp.xz.cn/Function_Reference/wp_hash_password#Notes

Thread Starter phildesign6
(@phildesign6)

8 years, 11 months ago

Ok thanks – i will check and come back to you if needed.

Thread Starter phildesign6
(@phildesign6)

8 years, 11 months ago

Hi again,

i tried a couple of thing i also posted wc-github-issue-board – without any outcome. In wc code they use wp_update_user and this call wp_hash_update. I do not totally understand why it is not working.

Within the backend it always works. When using the frontend with the wc-endpoint change_account it alway uses the default setting and generates a md5-hash starting with $P$

i tried to directly change the plugglable.php to your implementation, but it keep behaving the same(using the standard md5 thing).

i have no idea how to tackle the problem. I also tried turnig your plugin on end off, but nothing. i also checked all plugin files if there is an additional wp_hash_user overwrite, but i did not found one. There is just the one from you and the one in pluggable.php.

i would appreciate any help, hint, tip, inspiration.

thanks again for your time.
best philip

btw, here the links to the wc-github-issue
https://github.com/woocommerce/woocommerce/issues/15486

and it behaves the same with an admin as with an non-admin user.

btw google-recaptscha is also installed – but it seems that it does not override the hook.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘WooCommerce’ is closed to new replies.