A lightweight authentication middleware that allows users migrated from WordPress to log in to Backdrop CMS using their existing passwords.
This module detects legacy WordPress password hashes ($P$... or $H$...) during the login process, verifies them, and automatically upgrades the user's account to a secure Backdrop hash.
This is a beta release for code review and testing.
Crucial: This module must remain enabled until all migrated users have logged in at least once. If you disable this module, users with legacy hashes will be unable to log in until they reset their passwords via email.
Remove this module when all active users have logged in, or after a pre-determined period, e.g. six months. This gives users plenty of time to log in with their existing password; once the module is removed, any remaining users with legacy hashes will need to follow the password reset procedure.
Dependencies: Designed to work with Acuity WordPress User Import (abms_wpuser) module, though it can function independently if legacy hashes are injected by other means.
Backdrop CMS 1.x
PHP 5.6+ (PHP 8.x recommended)
Install this module using the official Backdrop CMS instructions at https://docs.backdropcms.org/documentation/extend-with-modules
Enable the module.
No configuration is required. It automatically hooks into the user_login and user_login_block forms.
How it Works: The "Hot Swap"
When a user attempts to log in:
Interception: The module intercepts the form validation before Backdrop's standard authentication runs.
Detection: It checks the user's current password hash in the database.
If the hash starts with $S$, it is a Backdrop hash -> The module does nothing.
If the hash starts with $P$ or $H$, it is a WordPress hash -> The module activates.
Verification: It runs the input password through the WordPress phpass portable hashing algorithm (iterated raw MD5, 2^n rounds where n is encoded in the fourth character of the hash) using the stored salt, and compares the result with the stored hash.
Upgrade:
If the passwords match, the module immediately calls user_save().
user_save() re-hashes the plain text password using Backdrop's salted, iterated SHA-512 scheme (the $S$ format) and updates the database.
The Entity Cache is cleared.
Completion: The login process continues. Backdrop's standard validator sees the valid new hash and logs the user in. The user is unaware that a migration occurred.
Timing Attack Protection
This module uses hash_equals() to compare the recomputed phpass hash against the stored hash. hash_equals() takes the same time regardless of where the two strings first differ, so an attacker cannot recover the stored hash byte by byte from response-time variations. Note that only the comparison is constant-time; the overall login time still depends on the hash's iteration count, which is not secret.
Non-Destructive
It never downgrades a secure Backdrop hash to a WordPress hash.
It never stores the plain text password.
It operates strictly within the hook_form_alter validation stack.
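The hot-swap sequence, the constant-time comparison and the non-destructive guarantees described above, as an added worked example in PHP. This is not the abms_wpauth module's code: the $users array stands in for Backdrop's user table, upgrade_hash() stands in for user_save() (it uses PHP's password_hash() only to show the stored value changing, not Backdrop's $S$ scheme), and the $S$ value for 'bob' is a constructed placeholder, not a real hash. The phpass functions follow the published PasswordHash::crypt_private() and encode64() scheme, and the $P$9 value is the reference vector from phpass's own test.php for the password 'test12345'.

```php
<?php
// Added example (not the abms_wpauth module's code).
// Requires PHP 5.6+ for hash_equals() and password_hash().

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass base64 variant (least-significant 6 bits first), as used by WordPress.
function phpass_encode64($input, $count) {
    $itoa64 = ITOA64;
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= $itoa64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Recompute the phpass portable hash of $password using the setting
// (prefix, cost character, 8-byte salt) taken from $stored.
// Returns FALSE if $stored is not a usable $P$/$H$ hash.
function phpass_crypt($password, $stored) {
    $id = substr($stored, 0, 3);
    if (($id !== '$P$' && $id !== '$H$') || strlen($stored) < 12) { return FALSE; }
    $count_log2 = strpos(ITOA64, $stored[3]);
    if ($count_log2 === FALSE || $count_log2 < 7 || $count_log2 > 30) { return FALSE; }
    $count = 1 << $count_log2;
    $salt = substr($stored, 4, 8);
    // md5(salt . pw), then 2^count_log2 rounds of md5(previous . pw), all raw binary.
    $hash = md5($salt . $password, TRUE);
    do {
        $hash = md5($hash . $password, TRUE);
    } while (--$count);
    return substr($stored, 0, 12) . phpass_encode64($hash, 16);
}

// Constant-time comparison: hash_equals() does not stop at the first
// differing byte, so the position of a mismatch is not leaked.
function phpass_verify($password, $stored) {
    $computed = phpass_crypt($password, $stored);
    if ($computed === FALSE) { return FALSE; }
    return hash_equals($stored, $computed);
}

// Stand-in for Backdrop's user_save(), which re-hashes the plaintext with
// Backdrop's own $S$ scheme. password_hash() is used here only to demonstrate
// that the legacy hash is replaced; the plaintext is never stored.
function upgrade_hash(array &$users, $name, $password) {
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// The hot-swap decision made before core authentication runs.
// Returns 'skip' (not our business), 'rejected' (wrong password, hash left
// untouched) or 'upgraded' (legacy hash verified and replaced).
function hot_swap(array &$users, $name, $password) {
    if (!isset($users[$name])) { return 'skip'; }          // unknown user: core handles it
    $prefix = substr($users[$name], 0, 3);
    if ($prefix === '$S$') { return 'skip'; }              // already a Backdrop hash: never downgrade
    if ($prefix !== '$P$' && $prefix !== '$H$') { return 'skip'; }
    if (!phpass_verify($password, $users[$name])) { return 'rejected'; }
    upgrade_hash($users, $name, $password);
    return 'upgraded';
}

// Constructed sample "user table". alice carries the phpass reference vector
// (password 'test12345'); bob's $S$ value is a placeholder, not a real hash.
$users = array(
    'alice' => '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0',
    'bob'   => '$S$DplaceholderBackdropHashLeftAlone',
);

printf("alice, wrong password: %s (prefix now %s)\n",
    hot_swap($users, 'alice', 'wrong-password'), substr($users['alice'], 0, 3));
printf("alice, correct password: %s (prefix now %s)\n",
    hot_swap($users, 'alice', 'test12345'), substr($users['alice'], 0, 3));
printf("alice, second login: %s\n", hot_swap($users, 'alice', 'test12345'));
printf("bob (Backdrop hash): %s\n", hot_swap($users, 'bob', 'anything'));
```

Run it with `php hotswap.php`. The two things worth checking are that a wrong password leaves the $P$ hash exactly as it was, and that after one successful login the prefix is no longer $P$ and a second login is skipped by this layer entirely, which is what lets the module be removed once everyone has logged in.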
Bugs and Feature requests should be reported in the Issue Queue: https://github.com/backdrop-contrib/abms_wpauth/issues
- Steve Moorhouse (albanycomputers) (https://github.com/albanycomputers)
- Seeking additional maintainers and contributors.
- Google Gemini 3.0 assisted with the coding of this module.
- Albany Computer Services (https://www.albany-computers.co.uk)
- Albany Web Design (https://www.albanywebdesign.co.uk)
- Albany Hosting (https://www.albany-hosting.co.uk)
This project is GPL v2 software. See the LICENSE.txt file in this directory for complete text.