get current user password on the profile edit page

I want to show users' passwords on the admin profile page. I mean the admin can see the other users' passwords. I am using this code, but it shows a password for all users!

    add_action('show_user_profile', 'extra_user_profile_fields');
    add_action('edit_user_profile', 'extra_user_profile_fields');

    function extra_user_profile_fields($user)
    {
        $user_info = get_userdata($user->ID);
        $wp_pass = $user_info->user_pass;

        if (current_user_can('administrator')) {
            ?>
            <tr>
                <th><label for="email"><?php _e("Password"); ?></label></th>
                <td>
                    <input type="text" name="pass" id="pass"
                           value="<?php $wp_pass; ?>"
                           class="regular-text"/><br/>
                </td>
            </tr>
            </table>
            <?php
        }
    }

When I var_dump(get_userdata($user->ID)) it shows all information about the user correctly, but it shows the same user password for all users.

Answers:


Method 1

This cannot be done, it is not possible, and it would be an awful thing to do if it was. Do not attempt or pursue this.

Why It Is Not Possible

Passwords are run through a one-way hashing function before being stored in the database. This allows us to check if a password matches but we can’t undo the hash. To do that, we would need to brute force the password which could take decades or even centuries depending on its length.

This is so that if the password hash is revealed, it’s not possible to then plug it into other sites. Passwords are salted with secret keys before hashing so that those hashes are unique to your site.

Legality

You might then think we can store the passwords in plaintext, or use a magical unhashing function. In many countries this would be illegal, and grounds for lawsuits.

For example, in the EU and UK, this would breach numerous data protection and privacy regulations, as well as other laws aimed at preventing negligence.

You would also fail the various forms of PCI compliance, and any security audits. This would mean any kind of sales on your site would breach consumer laws and regulations across multiple continents.

On top of that, any of your users who found out could sue for negligent mishandling of personal data.

Security

This would allow any admin to steal user credentials. Coupled with the fact that users tend to reuse passwords, anybody with elevated access to the site could compromise the emails and other accounts of those users, leading to:

  • regulatory action
  • bad reputation
  • data loss
  • lawsuits

The TLDR:

  • passwords are stored as hashes, you can’t un-hash the password
  • even if you could, it’s a dangerous thing to do financially, legally, and heavily compromises your site’s security
  • If you have users who have forgotten their password, use a reset password email with a link.
  • If you want to make logging in easier for your users, and to make account recovery easy, this is not the way to do it. There are industry-accepted norms, such as signing in using FB/Google, logging in with a link in an email, password managers, etc., that are all easier and more secure
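
The reset-link route recommended in the TLDR above, as an added example that is not part of the original answer or of WordPress core: instead of a password field, the profile screen gets a button that emails the user a reset link. The `example_*` function and action names are hypothetical, and the code assumes WordPress 5.7 or later, where `retrieve_password()` accepts a user login.

```php
<?php
// Added example (hypothetical plugin code); assumes WordPress 5.7+ for retrieve_password($user_login).
add_action('edit_user_profile', 'example_render_reset_button');

function example_render_reset_button($user)
{
    // Only show the button to accounts allowed to edit this particular user.
    if (!current_user_can('edit_user', $user->ID)) {
        return;
    }
    $url = wp_nonce_url(
        add_query_arg(
            array('action' => 'example_send_reset', 'user_id' => $user->ID),
            admin_url('admin-post.php')
        ),
        'example_send_reset_' . $user->ID // nonce action is bound to this one user
    );
    ?>
    <h2><?php esc_html_e('Password'); ?></h2>
    <p><a class="button" href="<?php echo esc_url($url); ?>">
        <?php esc_html_e('Email a password reset link'); ?>
    </a></p>
    <?php
}

// admin-post.php fires this hook for logged-in users when action=example_send_reset.
add_action('admin_post_example_send_reset', 'example_handle_send_reset');

function example_handle_send_reset()
{
    $user_id = isset($_GET['user_id']) ? absint($_GET['user_id']) : 0;
    // Verify the nonce, then the capability, before touching the account.
    check_admin_referer('example_send_reset_' . $user_id);
    if (!current_user_can('edit_user', $user_id)) {
        wp_die(esc_html__('You are not allowed to edit this user.'), 403);
    }
    $user = get_userdata($user_id);
    if (!$user) {
        wp_die(esc_html__('Unknown user.'), 404);
    }
    // WordPress creates a one-time key and emails the link; the stored hash is never read or displayed.
    $result = retrieve_password($user->user_login);
    if (is_wp_error($result)) {
        wp_die(esc_html($result->get_error_message()));
    }
    wp_safe_redirect(get_edit_user_link($user_id));
    exit;
}
```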

Method 2

I think you cannot get a user password by default as it is stored in a hashed format.
However, you can check the user input against stored passwords with the help of the following function.

    // Returns true if the plaintext $password matches the hash stored for this user.
    wp_check_password($password, $user->user_pass, $user->ID);


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
