Title: Keeping password local
Last modified: June 14, 2020

---

# Keeping password local

 *  Resolved [jorgeviejo](https://wordpress.org/support/users/jorgeviejo/)
 * (@jorgeviejo)
 * [6 years ago](https://wordpress.org/support/topic/keeping-password-local/)
 * Hi there! I wonder if there could be an option to use local password rather than
   external password; in other words, users would still log in with password stored
   in WordPress.
 * I know it sounds more like an _un_feature, but this way you might take advantage
   of syncing & blocking features while still relying on the WordPress engine for
   all login tasks (including password change).
 * Thanks in advance!

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Plugin Author [tbenyon](https://wordpress.org/support/users/tbenyon/)
 * (@tbenyon)
 * [5 years, 12 months ago](https://wordpress.org/support/topic/keeping-password-local/#post-13014838)
 * Hey [@jorgeviejo](https://wordpress.org/support/users/jorgeviejo/),
 * Apologies for the delayed response.
 * I’m not sure I fully understand your requirement but there is a ‘migration’ mode
   setting which may achieve what you are looking for.
 * So the normal flow of the plugin is that when a username and password are entered
   on the login screen, the external database is queried. If the connection to the
   external database succeeds and the username exists in the external database then
   the user will be authenticated against that password hash.
 * If the user does not exist, it will look to see if there is a local user in WordPress
   and log the user in with that username and password. (You can disable using the
   WordPress data as a fallback using ‘disable local login’ but I don’t think this
   is what you’re looking for).
 * Now, there is another setting which is migration mode. Essentially it checks 
   to see if a user with the username exists in the local WordPress install first
   and tries to login with that user. If not, it then looks to the external database
   to see if a user exists, and their password is valid and then creates the user
   in the WordPress database (which would then be used for future logins).
 * It is important to note that the plugin does not currently support syncing to
   the external database. In other words, if you change the password in WordPress
   it will not update the password in your external database.
 * I think I’ve answered your question so I’m going to mark this as resolved, however
   if you have any more question please don’t hesitate to post back here and I’ll
   be happy to help 🙂
 * Thanks,
 * Tom
 *  Thread Starter [jorgeviejo](https://wordpress.org/support/users/jorgeviejo/)
 * (@jorgeviejo)
 * [5 years, 12 months ago](https://wordpress.org/support/topic/keeping-password-local/#post-13016625)
 * Hi Tom, thanks a lot for your time, I do appreciate that!
 * I’ll try to explain myself a little better. Suppose I have a user who exists 
   only in the external database. Then migration mode gets the job done, because
   the plugin will retrieve the data from the external database and create the user
   accordingly.
 * But what happens next? User now exists in local WordPress. So if later on I tell
   my external database to block the user in WordPress that simply won’t work because
   the plugin doesn’t even get to check the external database.
 * So back to the ‘normal flow’. I can block/unblock the user in the external database
   and see it blocked/unblocked in WordPress. I can change user roles externally
   and see them changed locally. I could also change user password externally; if
   my external database was an IdP with password change features and the like, that
   would be awesome, but that is simply not the case. That’s why I wish I could 
   keep using WordPress to manage password changes.
 * The most simple fix I came up with is just that: enabling normal mode except 
   that password hash is validated locally. Of course password syncing across databases
   would do too but that’s a lot to ask.
 * Anyway I think your plugin is awesome, it has a lot of potential and works sooo
   smoothly, keep up with the good work!
 * Regards.
 * Jorge
 *  Plugin Author [tbenyon](https://wordpress.org/support/users/tbenyon/)
 * (@tbenyon)
 * [5 years, 12 months ago](https://wordpress.org/support/topic/keeping-password-local/#post-13017223)
 * Hey Jorge,
 * There are a couple of solutions.
 * I have a hook that allows you to write custom validation of the password. It 
   was written to help users support custom hashing solutions but you could use 
   it to validate against the local WordPress password.
 * Alternatively, you could use the WordPress hook for when password change is made
   and update the external DB at that time. For ensured consistency you could block
   the password update in WordPress if your connection to the external db and the
   update was not successful.
 * If one of these sounds useful I’m happy to thrash out a bit of pseudocode to 
   get you started if it helps. 🙂
 * Thanks,
 * Tom 🙂
 *  Thread Starter [jorgeviejo](https://wordpress.org/support/users/jorgeviejo/)
 * (@jorgeviejo)
 * [5 years, 12 months ago](https://wordpress.org/support/topic/keeping-password-local/#post-13023859)
 * OK, tell me more about that custom hook.
 *  Plugin Author [tbenyon](https://wordpress.org/support/users/tbenyon/)
 * (@tbenyon)
 * [5 years, 12 months ago](https://wordpress.org/support/topic/keeping-password-local/#post-13024305)
 * This is just pseudocode but by using this hook, rather than use External Logins
   logic to validate if the password is correct, you do your own check.
 * In this case we use WordPress’ built in `wp_authenticate()` method to validate
   the password.
 * You could add additional logic to check to see if the user already exists is 
   WordPress use one way of authenticating and if they do not exist use another 
   way?
 * I have not tested this – just showing as example. I document this hook in the
   FAQ if you want to have a read.
 *     ```
       function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
           $authenticateResponse = wp_authenticate($username, $password);
           return !is_wp_error( $return )
       }
       add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);
       ```
   
 * Happy to help more if you need more help 🙂

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Keeping password local’ is closed to new replies.

 * ![](https://s.w.org/plugins/geopattern-icon/external-login_fbebd6.svg)
 * [External Login](https://wordpress.org/plugins/external-login/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/external-login/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/external-login/)
 * [Active Topics](https://wordpress.org/support/plugin/external-login/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/external-login/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/external-login/reviews/)

## Tags

 * [local](https://wordpress.org/support/topic-tag/local/)
 * [password](https://wordpress.org/support/topic-tag/password/)

 * 5 replies
 * 2 participants
 * Last reply from: [tbenyon](https://wordpress.org/support/users/tbenyon/)
 * Last activity: [5 years, 12 months ago](https://wordpress.org/support/topic/keeping-password-local/#post-13024305)
 * Status: resolved