1. Reset password
I installed wordpress-5.4.2-zh_CN.zip, the latest version at the time. The site had not been maintained for a long time, and when I went to log in I found that I had forgotten my password. The solution is recorded here.
Temporarily reset the login password to 123456 by writing its hash directly into the users table:
-- Assumes the default "wp_" table prefix and that the account to recover has ID 1;
-- adjust both to match your installation.
-- This hash and its plaintext are published on this page, so use it only as a
-- temporary value and replace it right after logging in.
UPDATE
wp_users SET user_pass = '$P$BiPHCyMrQlCHFzG/1ftoDdulGpfsoP0' WHERE ID =1
Then set a secure password from the admin backend right away, because 123456 and the hash above are publicly known:
Log in to the admin backend and open Users >> All Users; click the Edit button for your account, find New Password >> Generate Password, enter the password you want to set, and finally update your profile.
2. Interpretation of login source code
1. Login controller method
In wp-login.php line 1174 – Query database user information
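// If the user wants SSL but the session is not SSL, force a secure cookie.
// This lookup runs before any password check: it only loads the account named
// in the submitted "log" field and does not authenticate anyone.
if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
    // The raw POST value goes through wp_unslash() and sanitize_user() before
    // it is used as a login name.
    $user_name = sanitize_user( wp_unslash( $_POST['log'] ) );
    $user      = get_user_by( 'login', $user_name ); // Query database user information here
    //…
}
//…
// The password itself is checked inside wp_signon().
$user = wp_signon( array(), $secure_cookie ); // Verify password here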
The get_user_by() method eventually executes SQL similar to the following:
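// The looked-up value is passed through the %s placeholder of $wpdb->prepare()
// instead of being concatenated into the SQL string by hand.
// NOTE(review): $db_field and the table name are interpolated directly; that is
// only safe if the caller restricts $db_field to a fixed set of column names —
// confirm in the caller.
$user = $wpdb->get_row(
    $wpdb->prepare(
        "SELECT * FROM $wpdb->users WHERE $db_field = %s LIMIT 1",
        $value
    )
);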
2. Next is the logic of verifying the password:
This is handled mainly by the wp_signon() function; the relevant code is at line 95 of the wp-includes/user.php file:
$user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] );
wp_authenticate() eventually calls into the wp-includes/pluggable.php file:
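function wp_check_password( $password, $hash, $user_id = '' ) {} // To check the password.

/**
 * Signs a user in (excerpt; the parts marked "// ..." are omitted on this page).
 *
 * @param array  $credentials   Read here for the 'user_login' and 'user_password' keys.
 * @param string $secure_cookie Not used in the lines shown.
 * @return mixed In the lines shown, whatever wp_authenticate() returned: the
 *               early return hands back the value flagged by is_wp_error(),
 *               the final return hands back the same variable.
 */
function wp_signon( $credentials = array(), $secure_cookie = '' ) {
    // ...
    $user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] );

    // A failed authentication is passed back to the caller unchanged.
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    // ...
    return $user;
}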
In wp-includes/pluggable.php, line 2405:
$check = $wp_hasher->CheckPassword( $password, $hash );
This line calls the CheckPassword() method defined in the wp-includes/class-phpass.php file:
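/**
 * Checks a plaintext password against a stored hash (excerpt).
 *
 * Only the hand-off to the global hasher is shown. The lines marked "// ..."
 * are omitted on this page and the excerpt ends right after the
 * CheckPassword() call, so $check is not returned here.
 *
 * @param string $password Plaintext password supplied at login.
 * @param string $hash     Stored hash to compare against.
 * @param mixed  $user_id  Not used in the lines shown.
 */
function wp_check_password( $password, $hash, $user_id = '' ) {
    global $wp_hasher;
    // ...
    $check = $wp_hasher->CheckPassword( $password, $hash );
}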
CheckPassword() in the wp-includes/class-phpass.php file
Internally, the CheckPassword() method calls:
$hash = $this->crypt_private($password, $stored_hash);
crypt_private() then appends the result of the internal encode64() method, for example $output .= $this->encode64($input, 6); (in the listing below, the call inside crypt_private() is $this->encode64($hash, 16)), and ultimately returns a string similar to $output = '$P$BlQ4L10EWkfoyGXC0EtVK.KdwW9WxW.';
Finally, return $hash === $stored_hash; checks whether the two strings are equal.
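/**
 * Portable password hashing helper (excerpt of the phpass class).
 *
 * Only the verification path is listed: CheckPassword() recomputes a hash
 * from the plaintext and the stored hash's own parameters, then compares.
 */
class PasswordHash {
    # 64-character alphabet used to encode hashes and to look up the cost
    # character. The page's excerpt omits this declaration even though the
    # methods below read $this->itoa64; the full class sets it in its constructor.
    var $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    /**
     * Checks a plaintext password against a stored hash.
     *
     * @param string $password    Plaintext password to verify.
     * @param string $stored_hash Hash previously stored for the account.
     * @return bool True when the recomputed hash equals $stored_hash.
     */
    function CheckPassword($password, $stored_hash) {
        # Refuse over-long input before any hashing work is done.
        if ( strlen( $password ) > 4096 ) {
            return false;
        }

        $hash = $this->crypt_private($password, $stored_hash);
        # '*0' / '*1' mean crypt_private() did not accept the stored format;
        # fall back to PHP's crypt() with the stored hash as the setting.
        if ($hash[0] == '*')
            $hash = crypt($password, $stored_hash);

        # NOTE(review): === is not a constant-time comparison; hash_equals()
        # is the timing-safe alternative where the minimum PHP version allows it.
        return $hash === $stored_hash;
    }

    /**
     * Recomputes a portable ("$P$" / "$H$") hash for $password.
     *
     * @param string $password Plaintext password.
     * @param string $setting  Stored hash; its first 12 characters carry the
     *                         identifier, the cost character and the 8-char salt.
     * @return string The 34-character hash, or '*0' / '*1' when $setting is
     *                not a usable portable hash.
     */
    function crypt_private($password, $setting) {
        # The error marker must never equal the setting itself, otherwise a
        # stored value of '*0' would compare equal to the failure output.
        $output = '*0';
        if (substr($setting, 0, 2) == $output)
            $output = '*1';

        $id = substr($setting, 0, 3);
        # We use "$P$", phpBB3 uses "$H$" for the same thing
        if ($id != '$P$' && $id != '$H$')
            return $output;

        # The 4th character encodes log2 of the iteration count, e.g. 'B' is
        # position 13 in itoa64, giving 1 << 13 = 8192 rounds.
        $count_log2 = strpos($this->itoa64, $setting[3]);
        if ($count_log2 < 7 || $count_log2 > 30)
            return $output;

        $count = 1 << $count_log2;

        $salt = substr($setting, 4, 8);
        if (strlen($salt) != 8)
            return $output;

        # We're kind of forced to use MD5 here since it's the only
        # cryptographic primitive available in all versions of PHP
        # currently in use.  To implement our own low-level crypto
        # in PHP would result in much worse performance and
        # consequently in lower iteration counts and hashes that are
        # quicker to crack (by non-PHP code).
        if (PHP_VERSION >= '5') {
            # One salted MD5, then $count further rounds that each mix the
            # password back in.
            $hash = md5($salt . $password, TRUE);
            do {
                $hash = md5($hash . $password, TRUE);
            } while (--$count);
        } else {
            $hash = pack('H*', md5($salt . $password));
            do {
                $hash = pack('H*', md5($hash . $password));
            } while (--$count);
        }

        # Re-use identifier, cost and salt from the setting, then append the
        # encoded 16-byte digest.
        $output = substr($setting, 0, 12);
        $output .= $this->encode64($hash, 16);

        return $output;
    }

    /**
     * Encodes the first $count bytes of $input with the itoa64 alphabet.
     *
     * @param string $input Raw bytes to encode.
     * @param int    $count Number of bytes of $input to consume.
     * @return string Encoded text, four characters per three input bytes.
     */
    function encode64($input, $count) {
        $output = '';
        $i = 0;
        do {
            # Up to three bytes are packed little-endian into $value and
            # emitted six bits at a time, lowest bits first.
            $value = ord($input[$i++]);
            $output .= $this->itoa64[$value & 0x3f];
            if ($i < $count)
                $value |= ord($input[$i]) << 8;
            $output .= $this->itoa64[($value >> 6) & 0x3f];
            if ($i++ >= $count)
                break;
            if ($i < $count)
                $value |= ord($input[$i]) << 16;
            $output .= $this->itoa64[($value >> 12) & 0x3f];
            if ($i++ >= $count)
                break;
            $output .= $this->itoa64[($value >> 18) & 0x3f];
        } while ($i < $count);

        return $output;
    }
}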
3. Summary:
The final algorithm (a one-way hash rather than reversible encryption) is the crypt_private method in the wp-includes/class-phpass.php file, where $count = 1 << $count_log2; determines how many rounds of MD5 are applied. You can read through the logic when you have time.