This is a beginner-level tutorial for WordPress users and developers who have forgotten the admin password they need to log into the WordPress admin dashboard, which is necessary to update any WordPress blog or website. I will provide several possible solutions for different situations. There is even a solution if you don’t know the username, password or email for logging in. The simplest way to recover a password involves at least knowing the username and having a correct email account associated with WordPress, but I realize this is not always the case and have therefore written this WordPress password recovery tutorial with that in mind.
Password Recovery by Email
The main reason for password losses is sheer forgetfulness. Let’s hope you have your email set up in the WordPress installation and this simple email recovery solution will work for you. Simply follow these few easy steps and you will have a WordPress admin password again in no time:
Notice the “Lost your password?” link in the above image and refer to the instructions below to reset your password.
- Go to your WordPress admin login page. It should be something like http://www.example.com/wordpress/wp-login.php. Going to the wp-admin folder works as well, as it will redirect to the wp-login.php script.
- Click on the “Lost your password” link directly under the login form.
- Check your email account that was associated with your WordPress account and you will have an email with a new password inside of it.
- Log in to the WordPress dashboard and change your password to something you can remember this time or make a note of at least.
Recovering WordPress Admin Password without an Email:
Many of you probably never set the admin email correctly in your WordPress admin or forgot what email address you used, and therefore the previous password recovery method won’t work. Do not be too stressed: if you can access your database, there is another way to recover it. Here are the steps you need to follow:
- Log in to phpMyAdmin. If you have your own server, you can normally do this by going to the root URL and appending “phpmyadmin” to it so that your URL looks similar to this: http://www.yoursite.com/phpmyadmin. If you have a hosting account somewhere, log in to your cPanel and click on the phpMyAdmin link that should be on the home page of your control panel.
- Locate your WordPress database which is often called simply “wordpress”, but could be something else according to what you named it upon setting up your WordPress installation. Click on the proper WordPress database to view the tables within it.
- Find the table named “wp_users” and click on “Browse” to see the users. You may have only one, which makes life easy. If you have more than one, you have to figure out which is the admin user by scanning the user_login column for a username that rings a bell. Before moving forward from here and before you make any changes to your wp_users table, back it up (explained in the next step).
- To back up your wp_users table, find the operations link at the top of the main content area in phpMyAdmin when you have the wp_users table open. If you don’t see it at the top of the page, click the “More” link in the navigation menu and then click “operations” from the dropdown.
- On the operations page, find where it says “Copy table to…” and make sure your WordPress database name is in the dropdown select box.
- Under the dropdown select is a text field. Enter a name for your backup table. I named mine “wp_users_backup” so I would recognize it in the future. Name yours something similar if not the same as I named mine to be safe.
- Make sure the “Structure and data only” option is selected and click “Go” at the bottom of the “Copy table to…” box. Now you will have a backup of your users table and can safely make changes to the original knowing you have a backup if anything goes wrong.
- Click the “Browse” button again. In the row for the admin username that you would normally use to log in to your WordPress admin dashboard, find the “user_pass” column. There should be a 32-character MD5 password hash there. A hash is supposed to be irreversible, but there are ways to crack it. What I am explaining now is how to change the hash; if you would rather attempt to crack the MD5 hash, skip to the next section, where I explain that.
- Click on the edit icon for the row with the password hash you wish to change.
- Now you have a couple of options. You can either find another user in the table whose password you know and copy and paste that user’s password hash into the admin user’s user_pass field, or you can simply change the email and use the password recovery link on the WordPress login page, which will then email you a link to reset the password.
While the instructions above seem long, they are not complex. I just made them very thorough so that anyone can follow them. The simple instructions for those of you who already understand the basics of phpMyAdmin, WordPress and password hashing would look like this:
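The backup-then-edit steps above, as an added example that is not part of the original tutorial. Python's built-in sqlite3 stands in for the MySQL database behind phpMyAdmin (an assumption, so the example runs offline), and the sample rows and helper names are constructed for illustration. The change is rolled back unless exactly one account matches, and the restore from wp_users_backup is shown as well.

```python
import sqlite3

BACKUP_SQL = "CREATE TABLE wp_users_backup AS SELECT * FROM wp_users"
UPDATE_SQL = "UPDATE wp_users SET user_email = ? WHERE user_login = ?"

def change_admin_email(conn, login, new_email):
    """Back up wp_users, then point one account at a mailbox you control."""
    cur = conn.cursor()
    # Copies the rows (not the indexes). Fails if wp_users_backup already
    # exists, so an earlier backup is never silently overwritten.
    cur.execute(BACKUP_SQL)
    cur.execute(UPDATE_SQL, (new_email, login))
    if cur.rowcount != 1:  # no such login, or more than one match: undo
        conn.rollback()
        return False
    conn.commit()
    return True

def restore_users(conn):
    """Put wp_users back exactly as it was when the backup was taken."""
    cur = conn.cursor()
    cur.execute("DELETE FROM wp_users")
    cur.execute("INSERT INTO wp_users SELECT * FROM wp_users_backup")
    conn.commit()

def make_sample_db():
    """Constructed sample data: two users, neither taken from a real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,"
                 " user_pass TEXT, user_email TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "siteadmin", "<hash placeholder>", "old-address@example.com"),
        (2, "editor1", "<hash placeholder>", "editor@example.com"),
    ])
    conn.commit()
    return conn

def emails(conn, table="wp_users"):
    """Map user_login to user_email for the given table."""
    return dict(conn.execute(f"SELECT user_login, user_email FROM {table}"))

if __name__ == "__main__":
    db = make_sample_db()
    print(change_admin_email(db, "siteadmin", "me@example.com"), emails(db))
    restore_users(db)
    print(emails(db))
```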
Quick PhpMyAdmin Password Recovery
- Go to phpmyadmin and into the wp_users table to find the admin user.
- Change the password hash to one that you know the password to or change the email and then do password recovery from the WordPress login screen (detailed instructions in the first section of this tutorial).
That’s all there is to it really, but I understand that many people require detailed instructions, so the first instructions are here for those of you that need a little extra help.
Cracking an MD5 Password Hash
If WordPress uses the phpass library to hash passwords, this method won’t work, but if you have your WordPress set to use an MD5 hash for passwords then continue reading. You can tell which method is used by looking for a prefix in the user_pass column. If the password hash starts with “$P$” it is a phpass password hash; otherwise it should be an MD5 hash and you are safe to continue with this MD5 password cracking solution.
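The prefix check described above, as an added example that is not part of the original tutorial: it classifies user_pass values and lists the accounts still stored as plain MD5, which are the ones worth resetting first. The phpass field layout (cost character, 8-character salt, 22-character digest) goes beyond what the tutorial states, and the sample rows and function names are constructed for illustration.

```python
import hashlib
import re

# Alphabet phpass uses for its cost character, salt and digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def describe_user_pass(value):
    """Classify one user_pass value by its prefix and shape."""
    if value.startswith("$P$"):
        # Layout: "$P$" + cost char + 8-char salt + 22-char digest = 34 chars.
        if len(value) != 34 or any(c not in ITOA64 for c in value[3:]):
            return {"scheme": "malformed-phpass"}
        cost = ITOA64.index(value[3])
        if not 7 <= cost <= 30:
            return {"scheme": "malformed-phpass"}
        # Salted and iterated: a lookup of the bare MD5 value cannot match it.
        return {"scheme": "phpass", "salt": value[4:12], "iterations": 1 << cost}
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        # Unsalted, single round: equal passwords give equal stored values.
        return {"scheme": "md5", "salt": None, "iterations": 1}
    return {"scheme": "unknown"}

def accounts_needing_reset(rows):
    """Return the logins whose password is still stored as plain MD5."""
    return [login for login, user_pass in rows
            if describe_user_pass(user_pass)["scheme"] == "md5"]

# Constructed sample rows (user_login, user_pass); not real hashes of real accounts.
SAMPLE_ROWS = [
    ("siteadmin", "$P$B" + "saltsalt" + "0123456789ABCDEFGHIJKL"),
    ("legacyuser", hashlib.md5(b"constructed-sample").hexdigest()),
]

if __name__ == "__main__":
    for login, user_pass in SAMPLE_ROWS:
        print(login, describe_user_pass(user_pass))
    print("reset first:", accounts_needing_reset(SAMPLE_ROWS))
```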
If you have been following along and got to step 8 in the above instructions and decided to attempt to crack your md5 hash, then here is the best way I know. The only problem with using the password cracking software linked to below is that if the password contains both uppercase and lowercase letters as well as numbers and possibly symbols, the application most likely will not crack it or will take many hours to do so which will probably cause it to time out before it gets the job done. If you had a simple password that consists of all lowercase letters or just numbers, then it will work great. The shorter the password, the quicker it will crack it as well.
The main reason I included this method of recovering a WordPress admin password is for educational purposes and it is not meant to be used by hackers who just want to break into people’s WordPress accounts. Since this is on an educational site regarding WordPress, I felt it was safe to mention here. Also it is vital that you, as a WordPress site administrator, understand the importance of password security. Hopefully once you test out the password cracking algorithm link below, you will realize that it is important to make a secure password. A secure password consists of a combination of uppercase letters, lowercase letters, numbers and sometimes even symbols. A good password should be at least eight characters long as well. One example of a fairly secure password would be “JkWpaDmIn_830”. Notice it has all the characteristics I mentioned. The only problem with such a secure password is that it is complex and hard to remember. What I like to do is follow a similar pattern for all my passwords and increment the numbers to make all my passwords for different websites easier to remember.
Anyway, here is one of several Password Cracking Algorithms available on the Internet today. Simply copy the md5 hash from the user_pass field of the wp_users table for your WordPress database. Then paste the hash into the field provided in the following link:
Resetting WordPress Admin Passwords
Once you recover a WordPress admin password, you should log in and change it to something more practical and secure as soon as possible. Here are the simple instructions for changing a password once you have recovered it:
- Click on USERS in the WordPress admin dashboard.
- Click on your admin username from the list that appears on the right.
- From the “Edit User” dialog, scroll down to where it says “New Password” and type in your new secure admin password. Make sure the password strength indicator approves or you do not have a good secure password. Make a note of the new password so you don’t forget.
- Click “UPDATE PROFILE” to save the changes and you are done.
Hopefully after reading this tutorial, those of you with password recovery issues have solved your problems. If you follow the methods described in this tutorial, you should be able to uncover your password without much effort. I recommend trying the recovery method available on the WordPress login page first. If that doesn’t work, go into phpMyAdmin and change the email address for the admin user to your current email. Then do the password recovery process by email again and it should work. If for any reason it doesn’t work, change the password hash directly or use a password hash cracker as described above in this tutorial. It is never a good feeling when you cannot access your own account because you cannot remember your password, but there are options, and after reading this tutorial you will be able to recover any WordPress password within a few quick minutes.