The Community forums are being phased out in favor of a new Slack group.
Add your email address below to get an invitation to join the community slack group
Require old password to change password?
Hi, I am creating a website which will likely have many logged in users within the same environment.
Im setting up the option for a user to change password. However, if that user leaves their computer on whilst loggged in, its very easy for others to go ahead and change the password. IS there a way of authenticating password changes with old passwords?
similarly, is there a way of ensuring a user has to resumbit their password when submitting any new form (whilst losgged in).
Seems like its a pretty important security option when submitting forms but I havent found the solution yet.. any ideas?! 🙂
March 23, 2019 at 3:01 pm
WordPress encrypts passwords in the database using a hashing algorithm. If you want to compare a password entered on a form against one stored in the database (old password), you have to use the same hashing algorithm to encrypt the entered password and compare the resulting string against the one in the database. There is no way to decrypt a user's password stored in the WordPress database.
There are a few more complexities because you have to retrieve the old password from the user table and make it available for the compare.
None of this is available out of the box and requires custom code. It would probably work best with jQuery/Ajax. You would use jQuery to trigger the Ajax, do the DB work and comparison on the server with custom PHP, send back the result, and display a message if the password is wrong.
This is essentially how WordPress confirms your password when you log into the system.
Discussion closed.