The release of version 4 of the Advanced Custom Fields plugin saw the addition of a few new field types. One of these was a type of field called ‘password’.
By selecting a field to be of type ‘password’ it would mean that the entered characters would be starred out when entering data into them. The problem is that the password isn’t actually hashed, and is stored in plain-text in the database.
In my scenario I would be storing user’s passwords in this field so needed it to be secure. As a result I set out to see if there was a way to intercept the value before it got written to the database. Fortunately there was…
function my_function_encrypt_password( $value, $post_id, $field )
{
$value = wp_hash_password( $value );
return $value;
}
add_filter('acf/update_value/type=password', 'my_function_encrypt_passwords', 10, 3);
The filter above should be placed in your themes functions.php file. In summary, this hooks into the ‘acf/update_value/‘ filter and allows us to modify the value as we need. In our scenario I’m calling the function wp_hash_password() which is the built-in WordPress function for hashing passwords.
The important bit here is ‘type=password‘ at the end of the filter name. This is saying to apply this logic to all ACF fields of type ‘password‘. If you had multiple password fields in your setup but only wanted to hash one of them, you can update this to be as follows:
add_filter('acf/update_value/name=my_password', 'my_function_encrypt_passwords', 10, 3);
In this example we are passing the field name that we want to hash, instead of the type.
More information about this specific filter can be found here.