What to do when you forget your password


In this lesson plan, you will learn how you can recover your WordPress website password when you forgot it.

You might be thinking, what if I forget my WordPress password? The simplest way to recover your lost password is by changing or resetting it. When you create a new account on your WordPress website and register your email on it, they stored the encrypted form of your passwords so that no one can access them. There’s nothing else for you to do but change or reset your current password.

Objectives

After completing this lesson, participants will be able to:

  • Gain access to a WordPress site if your user password is lost.
  • Change or reset password

Prerequisite Skills

Participants will get the most from this lesson if they have familiarity with:

  • Basic knowledge of WordPress admin dashboard
  • Basic understanding of user role and account creation

Readiness Questions

  • Did you forget your WordPress admin password and want to recover it?
  • Are you familiar with the WordPress User role?
  • Have you previously logged onto this site with a password?
  • Do you have an email address to which this WordPress site is linked?

Materials Needed

  • A WordPress site to demonstrate with (consider a local install).
  • Admin access / FTP detail / cPanel details etc.

Notes for the Presenter

  • Participants must have an active user account to a website for which they want to recover password
  • Give an example by recovering a password using different methods

Lesson Outline

Explain the following methods to reset your WordPress admin password:

  • Reset password using Administration control
  • Using the automatic emailer
  • Using MySQL Command Line
  • Using phpMyAdmin
  • Using FTP
  • Using WP CLI
  • Using the Emergency Password Reset Script

Exercises

Reset Your Password

  • For an existing account on a WordPress site, reset the Password

Know Where to Get Help

Assessment

Can you reset your password using phpMyAdmin and MySQL?

  1. Yes
  2. No

Answer: 1. Yes

In which format does WordPress store passwords in the database?

  1. Regular string
  2. MD5 Hash
  3. BCrypt
  4. SHA-256

Answer: 2. MD5 Hash

A “nonce” is:

  1. Password management system
  2. Single-use password generator link
  3. Strong password generator
  4. Photo square in the upper right hand corner of your site

Answer: 2. Single-use password generator link

What is added to the end of your site URL, to log into your site?

  1.  /wp-login.com
  2.  wp-login.php
  3.  /wp-login.php
  4.  /login.php

Answer: 3. /wp-login.php (includes the slash and is a PHP file).

Additional Resources

  • How to add an user into your WordPress admin dashboard

Example Lesson

In WordPress, there are plenty of ways to reset your password. (The best and easiest one is to reset it through the “Lost your password?” link on the main login page of your website.)

When your email isn’t working correctly that time you have to find another way to reset your password.

Here’s a list of different methods to reset a password. The method that you use depends on the type of access that you still have to your website.

Reset via Request to Another Admin User to Change Your WordPress Password from the WordPress Dashboard

  1. In the Administration Screen menu, go to Users > All Users.
  2. Click on your username in the list to edit it.
  3. In the Edit User screen, scroll down to the New Password section and click the Generate Password button.
Admin dashboard password reset section.
  1. If you want to change the automatically-generated password, you can overwrite it by typing a new password in the box provided. The strength box will show you how good (strong) your password is.
  2. Click the Update User button.

Your new password becomes active immediately.

Reset via WordPress Forgot password Link for Email Password Recovery

If you know your username or the email account in your profile, you can use the “lost password” feature of WordPress.

  1. Go to your WordPress Login page (something like http://yoursite.com/wordpress/wp-login.php)
WordPress admin login page
  1. Click on the “Lost your password?” link
  2. You will be taken to a page to enter some details. Enter your username or the email address on file for that account.
WordPress reset password page
  1. If Something Went Wrong
    • After entering your email address, you may get this message:
Bad Email Error
Error while resetting the password
  • This message will appear if the email address provided is not associated with a user account on the WordPress site.
  • Try entering a different email address that might be associated with the site. Or, contact the site administrator to ensure you have a user account.
  1. Wait happily as your new password is emailed to you.
    • Locate the Password Reset Email
    • After clicking “Get New Password,” an email will be sent to you within a few minutes.  The message will look like this:
Lost Password Email
Password Reset email

This email includes your username. Please take note of the user name in the email.

  • There will also be a link at the bottom of the email.
    • The link uses a one-time key called a “nonce.”  A nonce is a very secure way to generate password reset links.  
    • The link will only work once.  If you need to reset your password again, you will need to go back to the first step and generate a new email.
  1. Use the Link in the Password Reset Email to Reset the Password

    Click the link at the bottom of your email. You will be taken to this page:
Password Reset Page
Reset Password screen

Here, you will set a new password. After deciding on a new password and entering it into the field, click “Reset Password” and you’re done!

  1. If your log in attempt does not work, double check the user name by comparing what you had entered into the login form with the user name from your email. When in doubt, copy and paste the user name from the email directly. Make sure you typed the password correctly. If you’ve generated your password through a site and still have that window open, copy and paste the password. Alternatively, if you’re using a password management utility, copy and paste the password.
    • Confirm the New Password
    • After resetting your password, it is a good idea to double-check that it works. Hover over the photo square in the upper right-hand corner of your screen and click on “Log Out” when the menu appears.
Log Out of WordPress
  1. Once you get your new password, login to your profile page and change this password to something, you can remember.
    • Go back to the login page (ending in wp-login.php) and enter your user name (which you saw in the Password Reset email) and your new password.
    • It is a good idea to be able to reset your password before you need to do so. Here are the steps you can take to make sure you have the first-hand experience before you lose an important password.

Reset via MySQL Command Line 

  1. Get an MD5 hash of your password.
    • Visit md5 Hash Generator, Or
    • Create a key with Python, Or
    • On Unix/Linux:
      1. Create a file called wp.txt, containing nothing but the new password.
      2. tr -d ‘\r\n’ < wp.txt | md5sum | tr -d ‘ -‘
      3. rm wp.txt
    • On Mac OS X:
      1. Create a file called wp.txt, containing nothing but the new password. Then enter either of the lines below.
      2. md5 -q ./wp.txt; rm ./wp.txt (If you want the MD5 hash printed out.)
      3. md5 -q ./wp.txt | pbcopy; rm ./wp.txt (If you want the MD5 hash copied to the clipboard.)
  2. “mysql -u root -p” (login to MySQL)
  3. enter your MySQL password
  4. “use (name-of-database)” (select WordPress database)
  5. “show tables;” (you’re looking for a table name with “users” at the end)
  6. “SELECT ID, user_login, user_pass FROM (name-of-table-you-found);” (this gives you an idea of what’s going on inside)
  7. “UPDATE (name-of-table-you-found) SET user_pass=”(MD5-string-you-made)” WHERE ID = (id#-of-account-you-are-reseting-password-for);” (actually changes the password)
  8. “SELECT ID, user_login, user_pass FROM (name-of-table-you-found);” (confirm that it was changed)
  9. (type Control-D to exit MySQL client)
Note: if you have a recent version of MySQL (version 5.x?), you can have MySQL compute the MD5 hash for you.
  1. Skip step# 1 above.
  2. Do the following for step# 7 instead.
    • “UPDATE (name-of-table-you-found) SET user_pass = MD5(‘(new-password)’) WHERE ID = (id#-of-account-you-are-reseting-password-for);” (actually changes the password)

Note that even if the passwords are salted, meaning they look like $P$BLDJMdyBwegaCLE0GeDiGtC/mqXLzB0, you can still replace the password with an MD5 hash, and WordPress will let you login.

Reset via cPanel (phpMyAdmin or MySQL Database)

This article is for those who have phpMyAdmin access to their database. 

Note: use phpMyAdmin at your own risk. If you doubt your ability to use it, seek further advice. WordPress is not responsible for the loss of data.
  1.  To access cPanel, login to your hosting account. Next, navigate to the Databases section and click on phpMyAdmin.
cPanel Dashboard
  1. Or begin by logging into phpMyAdmin and clicking databases.
  2. A list of databases will appear. Click on your WordPress database.
PHPMyAdmin database selection
  1. All the tables in your database will appear. If not, click Structure.
  2. Look for wp_users in the Table column.
  3. Click on the icon for a browse.
  4. Locate your username under user_login
  5. Click edit (may look like a pencil icon in some versions of phpMyAdmin).
PHPMyAdmin select users database table
  1. Your user_id will be shown. Click on Edit.
  2. Next to the user_pass is a long list of numbers and letters.
  3. Select and delete these and type in your new password.
  4. Type in the password you want to use. You can type it in normally–but remember, it is case-sensitive.
  5. In this example, the new password will be ‘rabbitseatcarrots.’
  6. Once you have done that, click the dropdown menu indicated and select MD5 from the menu.
phpMyAdmin select MD5 function on user_pass row
  1. Check that your password is correct and that MD5 is in the box.
phpMyAdmin user_pass row with MD5 function and "rabbitseatcarrots" as the password
  1. Click the ‘Go’ button to the bottom right.
  2. Test the new password on the login screen. If it doesn’t work, check that you’ve followed these instructions exactly.

Reset Password via FTP Using Functions.php File 

There is also an easy way to reset your password via FTP if you’re using the admin user.

  1. Login to your site via FTP and download your active theme’s functions.php file.
  2. Edit the file and add this code to it, right at the beginning, after the first <?php:
wp_set_password( 'password', 1 );

Enter your own new password for the main admin user. The “1” is the user ID number in the wp_users table.

  1. Upload the modified file back to your site.
  2. Once you are able to login, make sure to go back and remove that code. It will reset your password on every page load until you do so.

Reset via WP CLI 

WP CLI is a command-line tool for managing your WordPress installation.

  1. Move into the /wordpress directory and type.
$ wp user list

to see all users. Find the ID of the user you’d like to update.

  1. Then, update the user.
$ wp user update 1 --user_pass=$UP3RstrongP4$w0rd

replacing “1” with the id of the user you want to update.

Reset via Using the Emergency Password Reset Script 

If the other solutions listed above won’t work, then try the Emergency Password Reset Script. Please note that it’s not a plugin, it’s a PHP script.

A Word of Caution: 

  1. The Emergency Password Reset Script requires that you know the administrator’s username.
  2. It updates the administrator password and sends an email to the administrator’s email address.
  3. Even if you don’t receive the email, the password will still be changed.
  4. You do not need to be logged in to use it. (After all, if you could login, you wouldn’t need the script.)
  5. Place the script in the root of your WordPress installation. Do not upload it to your WordPress Plugins directory.
  6. For security reasons, remember to delete the script when you are done.

Directions for Use:

  1. Copy the emergency script from Emergency Password Script and put it into a file called emergency.php in the root of your WordPress installation (the same directory that contains wp-config.php).
  2. In your browser, open http://example.com/emergency.php.
  3. As instructed, enter the administrator username (usually admin) and the new password, then click Update Options. A message is displayed noting the changed password. An email is sent to the blog administrator with the changed password information.
  4. Delete emergency.php from your server when you are done. Please do not leave it on your server, as someone else could use it to change your password.

Here is another password reset script that can be used without knowing the username or email. (Upload this code to wp-content/mu-plugins/whichevernameyoulike.php)

<?php
/**
 * Upload to wp-content/mu-plugins/whichevernameyoulike.php
 */
$login = 'foobar'; # New username
$password = 'secret'; # Password for the new user
$email = 'you@example.com'; # Email address of the new user
$ip = '127.0.0.1'; # Insert your IP, http://google.com/search?&q=what%20is%20my%20ip

if ($_SERVER['REMOTE_ADDR'] === $ip) {
    require_once(ABSPATH . WPINC . '/pluggable.php');
    require_once(ABSPATH . 'wp-admin/includes/' . 'user.php');

    $userdata = array(
        'user_login' => $login,
        'user_pass' => $password,
        'user_email' => $email,
        'role' => 'administrator',
    );
    $user_id = wp_insert_user($userdata);
    var_dump($user_id);
    die('delete me!');
}

Lesson Wrap Up

💡 Follow with the Exercises and Assessment outlined above.

The simplest and safest way to recover a password is by using the “Forgot Password” link, but if you have difficulty with this method there are other methods as well. Use complex and unique passwords to ensure security for yourself!