Users and passwords migration during website migration

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

Users and passwords migration during website migration

Complex

~2-3 business days

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

Implementing User and Password Migration During Site Migration

User migration is technically complex process due to incompatibility of password hashing algorithms between different platforms. Correct approach prevents users from needing password reset.

Password Hash Incompatibility Problem

Platform	Algorithm	Format
WordPress	phpass (md5-based)	`$P$BHash...`
Drupal 7	sha512 + salt	`$S$5Hash...`
Laravel	bcrypt	`$2y$10$Hash...`
Django	PBKDF2 SHA256	`pbkdf2_sha256$N$salt$hash`
PHP legacy	MD5	32 hex chars
bcrypt	bcrypt	`$2a$10$Hash...`

Strategy 1: Lazy Migration (Preferred)

Hashes transferred as-is. On first user login, old algorithm checked; if success, hash re-hashed with new algorithm.

# models/user.py
class User(BaseModel):
    password_hash: str
    password_algorithm: str  # 'bcrypt', 'phpass', 'sha512', 'legacy_md5'

    def verify_password(self, plain_password: str) -> bool:
        if self.password_algorithm == 'bcrypt':
            return bcrypt.checkpw(plain_password.encode(), self.password_hash.encode())

        elif self.password_algorithm == 'phpass':
            return phpass_check(plain_password, self.password_hash)

        elif self.password_algorithm == 'legacy_md5':
            return hashlib.md5(plain_password.encode()).hexdigest() == self.password_hash

        return False

    def upgrade_password_hash(self, plain_password: str):
        """Re-hash on successful login"""
        new_hash = bcrypt.hashpw(plain_password.encode(), bcrypt.gensalt(rounds=12))
        self.password_hash = new_hash.decode()
        self.password_algorithm = 'bcrypt'
        db.save(self)

def login(email: str, password: str):
    user = db.get_user_by_email(email)
    if not user:
        return None

    if user.verify_password(password):
        # Update hash if using legacy algorithm
        if user.password_algorithm != 'bcrypt':
            user.upgrade_password_hash(password)
        return create_session(user)

    return None

ETL: User Transfer

def migrate_users_from_wordpress(wp_db, new_db):
    cursor = wp_db.cursor(dictionary=True)
    cursor.execute("""
        SELECT
            u.ID, u.user_login, u.user_pass, u.user_email,
            u.user_registered, u.display_name,
            um.meta_value as first_name
        FROM wp_users u
        LEFT JOIN wp_usermeta um ON u.ID = um.user_id AND um.meta_key = 'first_name'
        ORDER BY u.ID
    """)

    migrated = 0
    skipped = 0

    for wp_user in cursor.fetchall():
        # Check: already migrated?
        existing = new_db.get_user_by_email(wp_user['user_email'])
        if existing:
            skipped += 1
            continue

        algorithm = detect_wp_hash_algorithm(wp_user['user_pass'])

        new_db.create_user({
            'username': wp_user['user_login'],
            'email': wp_user['user_email'],
            'password_hash': wp_user['user_pass'],
            'password_algorithm': algorithm,
            'display_name': wp_user['display_name'],
            'created_at': wp_user['user_registered'],
            'legacy_id': wp_user['ID'],
        })
        migrated += 1

    print(f"Migrated: {migrated}, Skipped: {skipped}")

def detect_wp_hash_algorithm(hash_val):
    if hash_val.startswith('$P$') or hash_val.startswith('$H$'):
        return 'phpass'
    if hash_val.startswith('$2y$') or hash_val.startswith('$2a$'):
        return 'bcrypt'
    if len(hash_val) == 32:
        return 'legacy_md5'
    return 'unknown'

Force Password Reset for Legacy Algorithms

If legacy support not desired — notify users of reset:

def send_password_reset_for_legacy_users():
    users = db.query(
        "SELECT * FROM users WHERE password_algorithm IN ('legacy_md5', 'sha1')"
    )

    for user in users:
        token = generate_secure_token()
        db.save_reset_token(user.id, token, expires_in=7*24*3600)

        send_email(
            to=user.email,
            subject="Update password required",
            template="password_reset_migration",
            vars={
                'name': user.display_name,
                'reset_url': f"https://site.com/reset?token={token}",
                'deadline': '7 days'
            }
        )

Roles and Permissions

ROLE_MAP = {
    # WordPress → Custom CMS
    'administrator': 'admin',
    'editor': 'editor',
    'author': 'author',
    'contributor': 'contributor',
    'subscriber': 'user',
}

def migrate_user_roles(wp_db, new_db):
    cursor = wp_db.cursor(dictionary=True)
    cursor.execute("""
        SELECT user_id, meta_value as capabilities
        FROM wp_usermeta WHERE meta_key = 'wp_capabilities'
    """)

    for row in cursor.fetchall():
        caps = php_unserialize(row['capabilities'])
        wp_role = list(caps.keys())[0] if caps else 'subscriber'
        new_role = ROLE_MAP.get(wp_role, 'user')
        new_db.update_user_role(row['user_id'], new_role)

Execution Time

User migration with lazy password migration and role mapping — 2–3 working days.