23 March 2022
The easiest way to reset your WordPress password is via the “Lost your password?” link on the WordPress login page. However, that option doesn’t work if you can’t get to the login page or don’t know your WordPress username or password. Luckily, there are lots of ways to reset your logins.
The default location of the WordPress login page is /wp-login.php. If you can get to the login page then you can simply reset your WordPress user password via the “lost your password?” link. You can get a password reset email by entering either your WordPress user’s name or email address.
Image: the password reset page.
If the login page times out then your IP address might be blocked. So-called brute force login attacks on WordPress websites are very common, and our firewall therefore blocks an IP address if there are lots of failed logins in a short period of time. If you think your IP address has been blocked, please check your IP address and contact us so that we can remove the block.
It is also possible that your IP has been blocked by a WordPress plugin that offers protection against brute force attacks. You can try disabling the plugin, for instance via WordPress Toolkit, or you can try searching your website’s database for your IP address. Again, please contact us if you are not quite sure how to do that.
If you don’t know the username and email address for your WordPress user then you can get that information from the database. When you select the users table you get a list of your website’s users, and the information includes the username (user_login) and email address (user_email). For instance, on cPanel servers you can open the database for your website via phpMyAdmin. The below image shows the information for the user example.
Image: you can check a WordPress user’s details via the database. Here, the user’s login name is “example” and the user’s email address is “support@catalyst2.com”.
You can also use phpMyAdmin to reset a user password. The password is stored in the user_pass field. Of course, the password shown in the database is hashed. So, you can’t simply enter a new password in the user_pass field and hit the “Go” button. Instead, you need to enter the password and then select MD5 from the Function field.
Image: when you reset a WordPress user’s password via the database you need to make sure that MD5 is selected in the “Function” column. The password you enter is then stored as an MD5 hash.
Of course you can also reset the password using an UPDATE query. For instance, the following query does the same as what is shown in the above image:
UPDATE `wp_users` SET `user_pass` = MD5('Fuucb93AE_ac3QPk_jXkeVww') WHERE `wp_users`.`ID` = 1;
Please don’t just copy and paste the above query. It assumes that the user table is named wp_users and that the user ID is 1. Both might be different for you. Plus, copying and pasting a password from the internet is always a bad idea – please generate a long and unique password.
Also, when you reset a password via phpMyAdmin it is best to avoid special characters such as quotes. These characters are unlikely to be escaped correctly, so you still won’t be able to log in after resetting your password.
You can of course change your password again once you are logged in to the WordPress dashboard and pick as many special characters as you like.
On cPanel and Plesk servers you can also reset the user password via WordPress Toolkit. In fact, you may not even have to reset the password. If Toolkit has been told about the user password then you can simply hit the Log in button on the main page. If that works you are taken straight to the WordPress dashboard.
Image: you can log in to the WordPress dashboard via Toolkit. However, this only works if Toolkit knows the logins.
You can also reset the WordPress password via Toolkit. The Setup link (to the right of the Log in button) lets you change the password for any user with administrator privileges – if your website has multiple admin users you can select the users from the Administrator drop-down menu. You again need to avoid special characters, and in particular single and double quotes.
Image: you can also reset your WordPress password via Toolkit.
Another thing worth noting is that Toolkit shows the password in plain text. The password is stored securely (using encryption) but anyone with access to your cPanel account is able to see your password. So, if you reset your password via Toolkit then you probably want to reset the password again after you have logged in to the WordPress dashboard. That way Toolkit won’t be able to show your admin password in clear text.
WordPress Toolkit uses WP-CLI under the hood. So, when you change your WordPress password via Toolkit it runs a wp user update command in the background. If you have access to WP-CLI then you can easily reset user passwords.
The wp user update command expects a user ID. So, before you reset a password you need to get the ID of the user you want to update. You can do that using the wp user list command:
$ wp user list --role=administrator --fields=ID,user_login
+----+------------+
| ID | user_login |
+----+------------+
| 1  | example    |
| 2  | foobar     |
+----+------------+
Here I got two users. To change the password for example (user ID 1) I can now use this command:
$ wp user update 1 --user_pass=Fuucb93AE_ac3QPk_jXkeVww
Success: Updated user 1
As with resetting passwords via phpMyAdmin, you need to be a little careful with special characters.
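The two WP-CLI steps above can be combined into one script. This is an added example, not part of the original article or of WP-CLI itself; the function names and the 24-character length are choices made for the example. It looks up the user ID by login name instead of assuming it, and generates a password from letters, digits and underscores only, so nothing needs escaping.

```shell
#!/bin/sh
# Added example: reset one WordPress administrator password with WP-CLI.
# Function names and the default length are assumptions of this example.

# Print a random password of $1 characters (default 24) made up only of
# letters, digits and underscores, so no quoting or escaping is needed.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_' < /dev/urandom | head -c "${1:-24}"
}

# Read "wp user list --format=csv" output (ID,user_login) on stdin and
# print the ID whose user_login equals $1 exactly. The header row is
# skipped. Prints nothing when there is no such user.
id_for_login() {
    awk -F, -v login="$1" 'NR > 1 && $2 == login { print $1 }'
}

# Look up the administrator with login $1 and give it a new password.
reset_admin_password() {
    login=$1
    id=$(wp user list --role=administrator --fields=ID,user_login \
            --format=csv | id_for_login "$login")
    if [ -z "$id" ]; then
        echo "No administrator with login '$login' found" >&2
        return 1
    fi
    pw=$(gen_password 24)
    wp user update "$id" --user_pass="$pw" || return 1
    # Shown once so that it can be saved in a password manager.
    printf 'New password for %s (ID %s): %s\n' "$login" "$id" "$pw"
}

# Run only when a login name is given, e.g.: sh reset-wp-pass.sh example
if [ "$#" -ge 1 ]; then
    reset_admin_password "$1"
fi
```

Run it from the WordPress installation directory so that WP-CLI finds the right website.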