A couple of weeks ago, a group of hackers launched a worldwide targeted attack on websites running WordPress. The idea was pretty simple – guess (brute-force attack) the password for WordPress default superuser ‘admin’. Have that, and you remotely control every aspect of the website. Thankfully we have quite a few security guides here on wplift so check those out.
In today’s post, I’m going to show you four simple steps each of which will help you recover your WordPress password for the superuser better known as the default user ‘admin’.
Let’s break this down into three situations - the good, the bad and the ugly.
The Good: Your site and admin email is safe
This is the best of a bad situation. All you have to do is click on the “Recover Lost Password” button and enter your admin email address. A password recovery link should reach your inbox within a few minutes (usually less than 30 seconds) and you can follow that link to reset your password. I would advise you to choose a secure password with alphanumeric and special characters with a minimum length of 8 characters.
The Bad: Your site is safe, but your admin email isn’t
If you’re reading this because you’re running WordPress on a local PC, technically termed ‘localhost’, or because you didn’t use a proper email address in the first place (yes, I know some folks who do this), then there’s nothing to worry about.
But if your email account is compromised and that is why you can’t reset your password, make sure to update the admin email address once you have reset the password.
Recovering your WordPress password when your email is compromised (or does not exist) is fairly simple. There are three basic ways to overcome this situation, all of which are described below.
How to recover WordPress admin password via FTP
This is the simplest of the three methods, mainly because it has the fewest steps and you most likely already have FTP access to your server.
- To start off, login to your FTP server and navigate to your WordPress installation directory.
- Next, navigate to “wp-content/themes/” and enter the folder of the theme that is currently active on your website. If the active theme is Twenty Twelve, you enter the “twentytwelve” folder in the themes directory.
- Download the functions.php file. Regardless of what theme you’re using, there will be a functions.php file.
- In most cases the first line is the PHP tag opener and reads: “<?php” (without quotes)
- Go to the next line and add a call to wp_set_password() that sets the password “password” for user ID 1 (the function is explained in the technical note below).
- Make sure that you don’t put it on a comment line, because commented-out code has no effect.
- I’d recommend using a good text editor, for example Notepad++. That way you can tell active code from comment lines (the latter are shown in green).
- Technical know-how: wp_set_password(‘string’, uid) is a PHP function defined in WordPress core; it sets the password “string” for the user whose user ID is “uid”.
- We use user ID 1 because it is the default ID of the WordPress superuser.
- Upload the functions.php file back to the same directory you downloaded it from (in this case “wp-content/themes/twentytwelve”) and overwrite the original.
- Immediately go to your WordPress login page, typically “yourwebsite.com/wp-login.php”, enter your superuser username (in most cases it is “admin” or “Admin”) and fill the password field with the password “password” (without quotes).
- Click on “Login”
- Once you submit the credentials (try to log in), the login page will simply reload without redirecting you to the WordPress dashboard. This means you have just reset the WordPress administrator password to “password”.
- Do not try to log in again for now. Each time you try, you will reset the WordPress administrator password again, because the wp_set_password() call is still executed on every page load. Therefore we need to remove it.
- To do this, simply download the modified functions.php file from the active theme directory, remove the line you added earlier, save the changes and upload the file back.
Now you’ll be able to login to your WordPress site using the password “password”. You should definitely change the password to a secure one.
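The functions.php snippet the steps above refer to, written out as an added example (this is not code from the original post). wp_set_password(), get_userdata(), user_can() and add_action() are real WordPress core functions; the init hook, the administrator check and the error_log() lines are additions here that the post's bare one-liner does not have, and user ID 1 and the password “password” are the values the post assumes.

```php
<?php
// functions.php already begins with <?php: paste only the lines below that tag,
// and delete them again as soon as you have logged in once.

add_action('init', function () {
    $user_id      = 1;          // assumed: the default administrator account
    $new_password = 'password'; // temporary password used by the post; change it after login

    // Refuse to touch an account that does not exist or is not an administrator.
    $user = get_userdata($user_id);
    if (!$user instanceof WP_User) {
        error_log("wp password reset skipped: no user with ID $user_id");
        return;
    }
    if (!user_can($user, 'manage_options')) {
        error_log("wp password reset skipped: user $user_id is not an administrator");
        return;
    }

    // wp_set_password() hashes the plaintext and writes it to wp_users.user_pass.
    // This runs on EVERY request (including the login POST) until the block is
    // removed, which is why the post tells you to take it out after one login.
    wp_set_password($new_password, $user_id);
    error_log("wp password reset applied to user $user_id ({$user->user_login})");
});
```

Because the hook fires on every request, the PHP error log records one line per page load while the snippet is in place; if that log keeps filling after you think you removed it, a cached or duplicate copy of functions.php is still being served.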
How to recover WordPress admin password using MySQL command line via SSH
This method involves fewer steps, but is a bit complicated for someone who is new to the command line. If you have access to phpMyAdmin, I recommend the next tutorial instead.
Prerequisites: you need to know the MySQL login credentials, the name of the database WordPress uses, and the ID of the user whose password you want to change. The user ID is typically 1.
Getting access to the MySQL command prompt depends on your environment.
- If your WordPress site is hosted on a remote server, you must have SSH access. You could use the popular client PuTTY.
- If you are on Ubuntu, then launch Terminal.
- If you’re on Windows running WAMP, left-click on the WAMP icon > MySQL > MySQL console. There is no default password. Just press Enter once asked for the password in the MySQL console. Since you already have access to the MySQL console, you can skip the next three points.
Login to MySQL:
- Open the terminal emulator, type the command mysql -u root -p and hit Enter.
- Enter your password. If you’re on Ubuntu, chances are the default root password is empty; simply press Enter.
- Now you should have access to the MySQL console.
We assume the following:
- Database name: wp_genesis
- User ID whose password you want to change: 1
- The new password we’re setting is: mynewpass
Enter the following statements exactly as written (there are no double quotes in them, so type them verbatim):
- use wp_genesis;
- SELECT ID, user_login, user_pass FROM wp_users;
- UPDATE wp_users SET user_pass = MD5('mynewpass') WHERE ID = 1;
This sets the new password of the user ‘admin’ to ‘mynewpass’. You should have your account back!
When you try this tutorial, make sure you use the correct database name and set a better password than mynewpass.
How to recover WordPress admin password using phpMyAdmin
This method is one of the most popular recovery methods and the internet is filled with many such tutorials. I’m going to assume that this is your favourite!
- First you need to have phpMyAdmin installed. Most hosting providers offer it, usually under cPanel. If you’re running WAMP, phpMyAdmin is available under “localhost/phpmyadmin”.
- Once you’re inside phpMyAdmin, click on the database which is used by your WordPress site.
- You should find a table called “wp_users”. That’s the table whose entry we want to edit. Click on it.
- The admin user is usually at the top with ID = 1. Select that row and click on the yellow pencil or on “Edit”.
- Look for the row named “user_pass” (usually the 3rd or 4th one).
- In that row, under the “Function” column, select MD5.
- Under the “Value” column, enter your new password. In our tutorial, we’re setting it to “mynewpass”.
- To save the changes, click on Go.
- This updates the password of the admin user to “mynewpass”. You should now be able to login to your WordPress dashboard.
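Both the MySQL method and the phpMyAdmin method store a plain 32-character MD5 value in user_pass, which is not the hash format WordPress normally writes. The stand-alone script below is an added example (not code from the original post or from WordPress itself) that models what WordPress does with such a value: it re-implements the portable phpass hash ($P$...) that WordPress has used for user_pass and the legacy-MD5 branch of core's wp_check_password(). The function names phpass_encode64, phpass_gensalt, phpass_hash and wp_style_check are this example's own; it needs plain PHP 7.1+ and no WordPress install.

```php
<?php
// Added example: models how WordPress treats an MD5 value placed in wp_users.user_pass.

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's own base64 variant (not the standard alphabet), used inside the hash string.
function phpass_encode64(string $input, int $count): string
{
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// "$P$" + cost character + 8-character salt. WordPress uses 2^13 iterations,
// encoded as the letter 'B', so its hashes start with "$P$B".
function phpass_gensalt(int $count_log2 = 13): string
{
    return '$P$' . ITOA64[$count_log2] . phpass_encode64(random_bytes(6), 6);
}

// Salted, iterated MD5 as in phpass crypt_private(): the first 12 characters of
// the result are the setting (prefix, cost, salt), the remaining 22 the hash body.
function phpass_hash(string $password, string $setting): string
{
    if (strlen($setting) < 12 || substr($setting, 0, 3) !== '$P$') {
        return '*';                        // malformed setting: never equals a real hash
    }
    $count_log2 = strpos(ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) {
        return '*';
    }
    $count = 1 << $count_log2;
    $salt  = substr($setting, 4, 8);
    $hash  = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Mirrors wp_check_password(): a stored value of 32 characters or fewer is treated
// as a legacy plain MD5; if it matches, WordPress rehashes it with phpass on the
// spot, so the bare MD5 stays in the table only until the next successful login.
// Returns [accepted, value the row should hold afterwards].
function wp_style_check(string $password, string $stored): array
{
    if (strlen($stored) <= 32) {
        if (hash_equals($stored, md5($password))) {
            return [true, phpass_hash($password, phpass_gensalt())];
        }
        return [false, $stored];
    }
    return [hash_equals($stored, phpass_hash($password, $stored)), $stored];
}

// Constructed walk-through using the post's sample password.
$stored = md5('mynewpass');                          // what MD5('mynewpass') writes to the row
[$ok, $upgraded] = wp_style_check('mynewpass', $stored);
echo $ok ? "legacy MD5 accepted\n" : "rejected\n";   // accepted
echo "row is rewritten as: $upgraded\n";             // "$P$B" + 8-char salt + 22-char body
[$again] = wp_style_check('mynewpass', $upgraded);   // true: the phpass hash verifies
[$wrong] = wp_style_check('wrongpass', $upgraded);   // false
echo ($again && !$wrong) ? "phpass round-trip OK\n" : "mismatch\n";
```

The practical consequence for the two database methods: the unsalted MD5 you write is accepted only as a stepping stone, and one successful login replaces it with a salted, iterated hash. Until that login happens, anyone who can read the table holds an unsalted MD5 of the temporary password, which is one more reason to log in right away and then change the password from the dashboard.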
The Ugly: Both your site and admin email are compromised
In such a case it’s most likely that you’ve fallen prey to a malicious executable or a stolen browser cookie. I would recommend that you first scan your computer and/or your phone’s browser (if you’ve logged in from either) and make sure they’re clean. Then contact your hosting provider and ask them to scan your site and MySQL database for malicious code or injected content. Next, try to recover your email account and use any of the three methods above to reset the password. If the email account isn’t recoverable, change the admin email address once you have access to your WordPress account.
So we’ve summed up the recovery process from beginner to advanced level. I personally feel that you should try resetting the WordPress password via MySQL, just for the fun of it. It gives you a glimpse of how this works under the hood. I mean, we’re all explorers here, always looking for something new, so why not?
Have you ever faced a nail-biting, hair-tearing situation where your WordPress password and email were compromised? What did you do to overcome it? We’d love to know!