I want to show the user's password on the admin profile page. I mean the admin can see the other user's password. I am using this code, but it shows a password for all users!
add_action('show_user_profile', 'extra_user_profile_fields');
add_action('edit_user_profile', 'extra_user_profile_fields');
function extra_user_profile_fields($user)
{
    $user_info = get_userdata($user->ID);
    $wp_pass = $user_info->user_pass;
    if (current_user_can('administrator')) {
        ?>
        <tr>
            <th><label for="email"><?php _e("Password"); ?></label></th>
            <td>
                <input type="text" name="pass" id="pass"
                       value="<?php $wp_pass; ?>"
                       class="regular-text"/><br/>
            </td>
        </tr>
        </table>
        <?php
    }
}
When I var_dump(get_userdata($user->ID)), it shows all the information about the user correctly, but it shows the same user password for all users.
2 Answers
This cannot be done, it is not possible, and it would be an awful thing to do if it was. Do not attempt or pursue this.
Why It Is Not Possible
Passwords are run through a one-way hashing function before being stored in the database. This allows us to check if a password matches but we can't undo the hash. To do that, we would need to brute force the password which could take decades or even centuries depending on its length.
This is so that if the password hash is revealed, it's not possible to then plug it into other sites. Passwords are salted with secret keys before hashing so that those hashes are unique to your site.
Legality
You might then think we can store the passwords in plaintext, or use a magical unhashing function. In many countries this would be illegal, and grounds for lawsuits.
For example, in the EU and UK, this would breach numerous data protection and privacy regulations, as well as other laws aimed at preventing negligence.
You would also fail the various forms of PCI compliance, and any security audits. This would mean any kind of sales on your site would breach consumer laws and regulations across multiple continents.
On top of that, any of your users who found out could sue for negligent mishandling of personal data.
Security
This would allow any admin to steal user credentials. Coupled with the fact that users tend to reuse passwords, anybody with elevated access to the site could compromise the emails and other accounts of those users, leading to:
- regulatory action
- bad reputation
- data loss
- lawsuits
--
The TLDR:
- passwords are stored as hashes, you can't un-hash the password
- even if you could, it's a dangerous thing to do financially, legally, and heavily compromises your site's security
- If you have users who have forgotten their password, use a reset password email with a link.
- If you want to make logging in easier for your users, and to make account recovery easy, this is not the way to do it. There are industry accepted norms such as Signing in using FB/Google, logging in with a link in an email, password managers, etc, that are all easier and more secure
I think you cannot get a user password by default as it is stored in a hashed format. However, you can check the user input against stored passwords with the help of the following function.
wp_check_password($password, $user->user_pass, $user->ID);
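The difference between checking a password and reversing its hash, which both answers describe, shown as an added example that is not part of the original answers or of WordPress. PHP's built-in password_hash() and password_verify() stand in for WordPress's own hasher, and the account record and passwords are constructed.

```php
<?php
// Added example: PHP built-ins stand in for WordPress's hasher.
// The record, user ID and passwords are constructed sample values.

// Registration: only the salted one-way hash is kept, never the plaintext.
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Login: re-hash the candidate with the salt embedded in the stored hash
// and compare. "Does this candidate match?" is the only question the
// stored value can answer.
function check_password(string $candidate, string $stored_hash): bool
{
    return password_verify($candidate, $stored_hash);
}

$record = ['ID' => 42, 'user_pass' => store_password('correct horse battery')];

// What a profile field fed from user_pass would contain: a hash string.
echo "stored value: {$record['user_pass']}\n";

// Each call draws a fresh random salt, so hashing the same password again
// gives a different string and hashes cannot be compared across accounts.
$again = store_password('correct horse battery');
echo "same hash twice? ";
var_dump($record['user_pass'] === $again);

// Verification works without ever recovering the plaintext.
echo "right password: ";
var_dump(check_password('correct horse battery', $record['user_pass']));
echo "wrong password: ";
var_dump(check_password('Correct horse battery', $record['user_pass']));

// The hash reveals its algorithm and cost, not the password.
print_r(password_get_info($record['user_pass']));

// Each check is deliberately slow, which is what makes guessing costly.
$start = microtime(true);
check_password('not the password', $record['user_pass']);
printf("one check took %.1f ms\n", (microtime(true) - $start) * 1000);
```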