To begin with, allow me to define the end goal:

I want Wordpress (version 5.8) to handle the authentication data/credentials and access control for a website. Wordpress is going to be used for the majority of the site, but many pages are going to be built outside of the Wordpress environment. These pages should be able to use the user authentication data stored in the Wordpress database as a reference to make their own decisions about access.

So, the question:

How, exactly, does Wordpress store user authentication data in the database?


The first part of the answer is easy: within the Wordpress database, there is a table that stores the primary user data. I believe the default name for this table is "wordpress_customers", but that may change depending on the way Wordpress is set up. This table contains the fields "user_login" and "user_pass", which contain the account information data, respectively.

The "user_login" is just a plain-text field, so that is simple enough to access, but the password is salted and hashed. This leads to the first thing that still needs to be determined: what is the salting and hashing process Wordpress uses to produce the strings it stores in "user_pass"?

Another part that remains open is how/where Wordpress stores its "roles". In my install, these roles default to: Administrator, Editor, Author, Contributor and Customer. What I am not seeing is where these roles are connected with individual customers. Also, can these roles be changed?


So, in conclusion, the question is in three parts:

1) What is the specific method Wordpress uses to transform users' plain-text passwords into the strings that are stored in the "user_pass" column of the "wordpress_customers" database table?

2) Where are the links between individual customers and their particular Wordpress "roles" stored?

3) Can "roles" in Wordpress be modified to change their names and/or add/remove them?


Note: I recognize that another approach would be to have non-Wordpress pages look at the Wordpress cookie to determine access. I am likely to create another question along those lines, but for the purposes of this question the focus is how non-Wordpress pages can use the actual Wordpress database for decisions on access control.

  1. See Wordpress' wp-includes/class-phpass.php file or this: http://stackoverflow.com/questions/1045988/what-type-of-hash-does-wordpress-use
  2. By default this association is stored in the wp_usermeta table under the wp_user_level key
  3. Not without a plug-in (or without editing Wordpress' code or database)

You might want to look at the code for bbPress, since it will share Wordpress' user database.