Your example works correctly. You are checking if password `hello` matches hashed `hello` – which it naturally does.

Hadn’t thought it through. Your example causes the following issue:

- You check if `hello` matches the md5 of `hello` (instead of the hash from the user’s profile).
- It does, and then WP thinks this is a correct but outdated md5 hash that must be updated.
- It re-hashes `hello` and updates the user with it, locking him out (since his password is now `hello` instead of whatever it was before).

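See the `wp_authenticate_username_password()` function for an extensive example, but the basic idea is:

```php
// Load the user first so the check runs against the hash stored in their profile.
$userdata = get_user_by('login', $username);
// get_user_by() returns false for an unknown login, so guard before reading user_pass.
$result = $userdata && wp_check_password($password, $userdata->user_pass, $userdata->ID);
```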
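
The lockout described above can be reproduced outside WordPress with a small model. This is an added example, not code from the original answer or from WordPress core: `demo_check_password()`, `demo_set_password()` and the `$users` array are hypothetical stand-ins, and PHP's `password_hash()` is used in place of WordPress's own hasher.

```php
<?php
// Hypothetical stand-in for the users table: ID => stored password hash.
// The user and password below are constructed sample data.
$users = [7 => password_hash('correct horse', PASSWORD_DEFAULT)];

// Stand-in for the "update the user's password" step.
function demo_set_password(string $password, int $user_id): void {
    global $users;
    $users[$user_id] = password_hash($password, PASSWORD_DEFAULT);
}

// Models the behaviour the answer describes: a hash of 32 characters or
// fewer is treated as an outdated md5 hash, and a successful match with a
// user ID re-hashes the supplied password and stores it for that user.
function demo_check_password(string $password, string $hash, int $user_id = 0): bool {
    if (strlen($hash) <= 32) {
        $ok = hash_equals($hash, md5($password));
        if ($ok && $user_id) {
            demo_set_password($password, $user_id);
        }
        return $ok;
    }
    return password_verify($password, $hash);
}

// Broken call: the hash is derived from the input instead of being read
// from the profile, so the check always passes and triggers the re-hash.
$broken = demo_check_password('hello', md5('hello'), 7);
echo "broken check passed: ";           var_dump($broken);
echo "original password still valid: "; var_dump(password_verify('correct horse', $users[7]));
echo "password replaced by input: ";    var_dump(password_verify('hello', $users[7]));

// Correct call: restore the sample user, then compare the input against
// the hash stored for that user. A wrong password fails and nothing is rewritten.
$users[7] = password_hash('correct horse', PASSWORD_DEFAULT);
$before   = $users[7];
$good     = demo_check_password('hello', $users[7], 7);
echo "correct check passed: ";          var_dump($good);
echo "stored hash unchanged: ";         var_dump($users[7] === $before);
```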