In recent weeks, the surge in new infusionWP users has once again brought the subject of how to deal with existing sites, users and passwords to the fore.

We’ve had stopgap, temporary measures in the past, which we applied on a case-by-case basis. The latest plugin release, however, includes what will now be a permanent solution.

New sites with existing WordPress user databases will generally not be able to find out what their users’ passwords are, because WordPress stores them only as one-way MD5 hashes. It’s generally accepted that these cannot be “cracked” using normal means.

The solution is to create a “Trojan-like” method. When a user attempts to log in, the user name and password entered are captured by infusionWP. When infusionWP checks against the password kept in Infusionsoft, if it finds a password which contains the pattern #$i4w$capture$#, infusionWP will take it as a signal that it has to migrate the user to Infusionsoft.

When this pattern is detected as part of a password in Infusionsoft, the plugin will then generate an MD5 version of the password entered by the user and compare it with the hashed password in the WordPress database. If they match, the captured password will be stored in Infusionsoft and the user will be authenticated.

The pattern can/should include something before and after it to make it unique to your site.
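
The migrate-on-login flow described above, modelled as an added example (this is not infusionWP's code). The in-memory dicts standing in for Infusionsoft contact records and the WordPress user table, the function names, and the plain hex MD5 comparison are assumptions for illustration.

```python
import hashlib
import hmac

CAPTURE_MARKER = "#$i4w$capture$#"  # pattern quoted in the post


def legacy_md5(password: str) -> str:
    # Assumption: plain hex MD5, following the post's description of the
    # WordPress side; a real site would defer to WordPress's own check.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _equal(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def login(username, password, crm, wp_hashes):
    """Return (authenticated, migrated).

    crm       -- hypothetical stand-in for Infusionsoft: username -> password field
    wp_hashes -- hypothetical stand-in for the WordPress user table: username -> hash
    """
    stored = crm.get(username)
    if stored is None:
        return (False, False)
    if CAPTURE_MARKER in stored:
        # Pseudo-password present: the typed value is checked against the
        # WordPress hash only, so typing the marker itself never logs in.
        legacy = wp_hashes.get(username)
        if legacy is None or not _equal(legacy_md5(password), legacy):
            return (False, False)  # marker stays; user can retry later
        crm[username] = password  # captured password replaces the marker
        return (True, True)
    return (_equal(password, stored), False)  # already migrated: normal check


if __name__ == "__main__":
    # Constructed sample data; prefix/suffix make the marker site-specific.
    pseudo = "acme-" + CAPTURE_MARKER + "-7f3"
    crm = {"alice": pseudo}
    wp = {"alice": legacy_md5("correct horse")}
    print(login("alice", pseudo, crm, wp))           # marker typed as password
    print(login("alice", "correct horse", crm, wp))  # first real login
    print(login("alice", "correct horse", crm, wp))  # later login
```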

Since this is now a permanent fixture in the plugin, new sites will be able to silently migrate users to Infusionsoft without having to generate new passwords, send out emails or ask users to make any changes.

The only preparation needed would be to ensure that all WordPress users exist in your Infusionsoft application, that they are properly tagged to reflect the membership levels they have purchased from you and that this pseudo-password be assigned/stored in their contact record.

While I’m sure that from site to site, other solutions could have been used, this approach is a compromise between the functionality you want and the security you need.
