 

WordPress users migration to Rails Devise

I am in the middle of my WordPress migration to Rails. In Rails I will be using Devise; the only problem is the existing WordPress users' hashed passwords.

If I migrate all users to Rails, how can I authenticate them with their old passwords? Is it possible for Rails to generate the same hash as WordPress?

Niraj Chauhan asked Mar 02 '15 06:03


2 Answers

Yes. You will need to create a custom encryptor for Devise.

WordPress can hash passwords in several ways, but by default uses phpass. There is a Ruby implementation available as a gem called phpass-ruby that you could use as a basis for your encryptor. You may need to modify this to use your WP salt. Alternatively, check out this gist.

But...

If possible, I'd recommend importing the users, then sending out an email to each asking them to create a new password. If your old passwords are MD5 hashed, this will be more secure, and arguably it could be more user-friendly, as users (or software) may not associate the old password with the new site.

dbenton answered Nov 06 '22 12:11


This will allow authentication with the old password. If they change their password, it will use the default Devise BCrypt hash instead.

Gemfile

```ruby
gem 'phpass-ruby' # check WordPress passwords
```

User.rb

```ruby
require "phpass"

class User < ApplicationRecord
  # For Devise to use WordPress passwords. WordPress uses a portable PHPass of MD5 plus a salt.
  def valid_password?(password)
    return false if encrypted_password.blank?

    begin
      # Devise's own check; raises InvalidHash when the stored value is not a BCrypt hash.
      return true if super
    rescue BCrypt::Errors::InvalidHash
      logger.info "Invalid BCrypt password for #{email}. Fallback to PHPass."
    end

    # Fallback to PHPass
    phpass = Phpass.new(8)
    phpass.check(password, encrypted_password)
  end
end
```

Chloe answered Nov 06 '22 11:11
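
To show what "generating the same hash as WordPress" involves, here is an added example (not code from either answer or from the phpass-ruby gem) that recomputes a portable PHPass hash in plain Ruby; the cost and salt are read from the stored hash itself. The function names and the sample salt are made up for the illustration.

```ruby
# Added example (not from the answers above): stand-alone check of a WordPress
# "portable" PHPass hash, i.e. "$P$" + cost char + 8-char salt + 22-char digest.
require "digest/md5"

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# PHPass's own base64 variant: little-endian 3-byte groups, 6 bits per character.
def phpass_encode64(bytes)
  bytes.each_slice(3).map do |chunk|
    value = chunk.each_with_index.sum { |byte, i| byte << (8 * i) }
    (0..chunk.size).map { |i| ITOA64[(value >> (6 * i)) & 0x3f] }.join
  end.join
end

# Recompute the hash from the cost and salt embedded in `setting` (the stored hash).
# Returns nil when `setting` does not start with a well-formed $P$/$H$ prefix.
def phpass_portable_hash(password, setting)
  return nil unless setting.is_a?(String) && setting.match?(%r{\A\$[PH]\$[./0-9A-Za-z]{9}})
  count_log2 = ITOA64.index(setting[3])
  return nil unless (7..30).cover?(count_log2)
  pw = password.b # hash the raw bytes; avoids encoding clashes with the binary digest
  digest = Digest::MD5.digest(setting[4, 8] + pw)
  (1 << count_log2).times { digest = Digest::MD5.digest(digest + pw) }
  setting[0, 12] + phpass_encode64(digest.bytes)
end

# Comparison that does not stop at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def phpass_match?(password, stored)
  computed = phpass_portable_hash(password, stored)
  !computed.nil? && secure_equal?(computed, stored)
end

# Which verifier a migrated row needs, judged by its prefix.
def hash_scheme(stored)
  case stored.to_s
  when /\A\$[PH]\$/   then :phpass  # legacy WordPress/phpBB hash, re-hash after login
  when /\A\$2[aby]\$/ then :bcrypt  # already in Devise's default format
  else                     :unknown # e.g. a bare MD5 from a very old install
  end
end

# Constructed sample: hash made here with a made-up salt, not a real user's hash.
SAMPLE = phpass_portable_hash("correct horse", "$P$BabcdEFGH")
puts SAMPLE, phpass_match?("correct horse", SAMPLE), hash_scheme(SAMPLE)
```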