Community Support Forums

[s2MemberGuy]

According to the documentation, importing a CSV file and leaving the password column empty or blank should auto-generate a password upon import.
But it stays blank. Users are there, I can export them, but passwords are blank.

Is this a bug, am I missing something?

Thanks for your attention.

[Jason Caldwell]

Thanks for reporting this important issue.

The password is not included in the CSV export file because WordPress only stores the encrypted version, which really is of no use.

Importing a new user with the password field empty will result in an auto-generated password. However, importing updates to an existing user ( i.e. when the ID field is included in the importation line ), this will result in the existing password, for the existing user, remaining unchanged. This is the intended functionality. This is also why the password is not included in the export file.

I think the confusion here is that the export file will never include the password field. It's always empty.

[s2MemberGuy]

Thanks for that explanation Jason. It makes total sense from a wordpress security perspective.

I am a newbie to membership systems, so please be patient with me, but if I cant see the passwords in wordpress admin >> users and I cant export them, how would I go about sending these passwords to my user list?

Thanks again.


I have a closed user list and I am not charging them, but will need to send them login details.

[Jason Caldwell]

You're very welcome. It's an excellent question.

I am a newbie to membership systems, so please be patient with me, but if I cant see the passwords in wordpress admin >> users and I cant export them, how would I go about sending these passwords to my user list?

Sorry, you can't.

Most modern web sites no longer store plain text passwords, because it creates a security issue for all Internet users. For example, if you store passwords in plain text format on your site, and then your site is hacked; the hacker can try the passwords you were storing in combination with popular sites and services like Google. Since many people use the same password for all sites on the web, a hacker could gain access to all of their accounts this way; by simply hacking a site that stores passwords in plain text format.

So for this reason, the WordPress developers store passwords in your database with encryption, and also with an extra Encryption Salt that is unique to your installation. Making it impossible for anyone ( including the site owner ) to ever know what the real plain text password is.

In short, all you can do is provide your Users/Members with the ability to reset their password:

http://www.yoursite.com/wp-login.php?action=lostpassword

Reference articles:
http://codex.wordpress.org/Editing_wp-c ... urity_Keys
http://codex.wordpress.org/Function_Ref ... h_password
http://codex.wordpress.org/Resetting_Your_Password