WordPress Hack to Let Users Choose Their Own Passwords

I’ve been using WordPress for a couple of years, and have intended to learn how to make plugins properly for just about as long. I’m not quite there yet though, since whenever anything comes along which requires some form of thought and understanding, I convince myself that it doesn’t really need to be done at all and discard the idea. I can, however, spend 10 minutes editing a few PHP files and that’s what this hack involves. In the coming days and weeks, I intend to have a real attempt at making a WordPress plugin properly, so I’ll try to make a couple of simple ones and see if it is possible to implement the below hack as a plugin.

When someone registers on a WordPress site, they ordinarily have to enter a username and e-mail address, then WordPress generates a password and e-mails it to them. This hack allows the user to choose their own password when they register, rather than changing it later. Of course, this means that they don’t have to give a valid e-mail address anymore, since they needed one to receive their password. In addition, some may argue that letting users choose their own password is a security flaw, but if they can change their password anyway then I don’t see how that is so different, and it doesn’t really concern me anyway since I’m the only one who will have access to post on this blog.

When I wanted to do this, I Googled but all I found was an out-of-date file following from a discussion on the WordPress forums. My attempt involves editing wp-login.php directly, basically copying lines from some other files which dealt with the user changing their password. Since this involves editing a core WordPress file, it is probably not a good idea and could cause problems, but it does the job for me. Also, whenever you upgrade WordPress, wp-login.php will be overwritten, and you’ll have to make the changes again. The changes described are for WordPress 2.2.

Password Validation

Between:

$user_email = apply_filters( 'user_registration_email', $_POST['user_email'] ); 

and

// Check the username
if ( $user_login == '' )

Insert:

// Read the two password fields; default to an empty string when a field is missing
$pass1 = isset( $_POST['pass1'] ) ? $_POST['pass1'] : '';
$pass2 = isset( $_POST['pass2'] ) ? $_POST['pass2'] : '';

Between:

$errors['user_email'] = __('<strong>ERROR</strong>: This email is already registered, please choose another one.');

and

do_action('register_post');

Insert:

/* Check for "\" in password */
if ( strpos( " ".$pass1, "\\" ) )
	$errors['pass'] = __( '<strong>ERROR</strong>: Passwords may not contain the character "\".' );
/* Check that the password has been typed the same way twice (strict comparison, so numeric-looking strings such as "1e3" and "1000" are not treated as equal) */
if ( $pass1 !== $pass2 )
	$errors['pass'] = __( '<strong>ERROR</strong>: Please type the same password in the two password fields.' );
/* Check that a password was entered */
if ( empty($pass1) || $pass1 == '')
	$errors['pass'] = __( '<strong>ERROR</strong>: Please enter a password.' );
/* Use the chosen password when the account is created */
if (!empty ( $pass1 ))
	$user_pass = $pass1;

Password Form Fields

Between

<input type="text" name="user_email" id="user_email" class="input" value="<?php echo attribute_escape(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label>
</p>

and

<?php do_action('register_form'); ?>

Insert:

<p><label><?php _e('Password:'); ?><br />
<input type="password" name="pass1" class="input" size="16" value="" tabindex="30" />
</label></p>
<p><label><?php _e('Type it one more time:'); ?><br />
<input type="password" name="pass2" class="input" size="16" value="" tabindex="31" />
</label></p>

After

<?php do_action('register_form'); ?>

Delete:

<p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>

Between

if ( empty( $errors ) ) {

and

$user_id = wp_create_user( $user_login, $user_pass, $user_email );

Delete:

$user_pass = substr( md5( uniqid( microtime() ) ), 0, 7);

That’s it. I realise the version of WordPress will have been updated since this article was originally written, but I’ve left the instructions here in case it helps anyone.
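
The password checks from the steps above, gathered into one function that can be run outside WordPress. This is an added example, not code from the original post or from WordPress; the function name `check_registration_password` and the sample inputs are made up for illustration. It compares the two fields with `!==`, because a loose comparison treats numeric-looking strings as numbers, and it treats a field that is not a string as missing.

```php
<?php
// Added example: stand-alone version of the registration password checks.
// check_registration_password() is a hypothetical name, not a WordPress function.
function check_registration_password( $pass1, $pass2 ) {
    $errors = array();
    // Form fields can arrive as arrays (pass1[]=x); treat anything but a string as missing.
    if ( ! is_string( $pass1 ) || ! is_string( $pass2 ) || $pass1 === '' ) {
        $errors[] = 'Please enter a password.';
        return $errors;
    }
    // Same rule as the hack: no backslash in the password.
    if ( strpos( $pass1, '\\' ) !== false ) {
        $errors[] = 'Passwords may not contain the character "\\".';
    }
    // Strict comparison: a loose != compares numeric strings as numbers,
    // so "1e3" and "1000" would pass as the same password.
    if ( $pass1 !== $pass2 ) {
        $errors[] = 'Please type the same password in the two password fields.';
    }
    return $errors;
}

// Constructed sample inputs (password, confirmation).
$samples = array(
    array( 'correct horse', 'correct horse' ), // matching pair
    array( '', '' ),                           // nothing entered
    array( 'back\\slash', 'back\\slash' ),     // contains a backslash
    array( '1e3', '1000' ),                    // different strings, numerically equal
    array( array( 'x' ), 'x' ),                // array submitted instead of a string
);

foreach ( $samples as $pair ) {
    list( $p1, $p2 ) = $pair;
    $errors = check_registration_password( $p1, $p2 );
    echo json_encode( $p1 ), ' / ', json_encode( $p2 ), ' => ';
    echo $errors ? implode( ' ', $errors ) : 'OK', "\n";
}
```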
