Check the configuration files on the two sites. It's at:


Look for the line that looks something like this:

Do the two files have different strings of gibberish? If so, copy the line from the dev site and paste it into the config file on the prod site.

Just to be cautious, I'd comment out the new site's salt and paste in the old site's salt on the next line, like this:


That should do the trick.


The details that follow might be a bit off, but here's the basic idea:

If your password were 'mySecurePassword', those letters in that order wouldn't exist in the password field of your database. Instead, C5 takes the PASSWORD_SALT and tacks it onto the end, then runs a hashing algorithm (which just means it's consistently converted into new crazy string of gibberish). Let's just call that hashing algorithm 'the randomizer' for now. Since everything is run through the randomizer, you can't reasonably ever read the passwords from the database. Instead, you can run any input you get (when someone types in their password in this case) through the same process and see if you get the same result.

So when you go to the new site and try to log in, you type in mySecurePassword and it automatically adds the PASSWORD_SALT from your config file. Then it does its magic trick of converting that whole string with the randomizer and tries to see if the results are the same as what it has in the database.

They're not, because the results in the database are mySecurePassword plus the old string of gibberish from the old site.php file, then run through the same randomizer. So by updating your new site.php to match that one line from the old one, you're telling it to check the passwords using that same salt and it should get the same results from the randomizer, which matches the old database and lets you log in.

Whew.