How can I recover my WordPress admin password if my site gets hacked?
June 12, 2013 in Blog by
We are going to show you four simple steps, each of which will help you recover your WordPress password for the superuser, better known as the default user ‘admin’.
The solution depends on which of the following situations you are in:
- Both your site and your admin email are safe
- Your site is safe, but your admin email isn’t
- Both your site and admin email are hacked
Both your site and your admin email are safe
This is the best of a bad situation. All you have to do is click on the “Recover Lost Password” button and enter your admin email address. A password recovery link should reach your inbox within a few minutes (usually less than 30 seconds) and you can follow that link to reset your password. I would advise you to choose a secure password with alphanumeric and special characters with a minimum length of 8 characters.
Your site is safe, but your admin email isn’t
If your email is compromised and you can’t reset your password because of that, please make sure to update your email address after you’ve reset your password.
Recovering your WordPress password when your email is compromised (or does not exist) is fairly simple. There are three basic ways to overcome this situation, all of which are described below.
How to recover the WordPress admin password via FTP
This is the simplest of the three methods, mainly because it has the fewest steps and you most likely have FTP access to your server.
To start off, log in to your FTP server and navigate to your WordPress installation directory.
Next, navigate to “wp-content/themes/” and enter the folder of the theme that is currently active on your website. If the active theme were Twenty Twelve, you would enter the “twentytwelve” folder in the themes directory.
Download the functions.php file. Regardless of what theme you’re using, there will be a functions.php file.
In most cases the first line is the PHP tag opener.
Go to the next line and enter the following code:
Make sure that you don’t insert it within a comment line, because there it would have no effect. I’d recommend using a good text editor, for example Notepad++. This way, you can distinguish between active code and comment lines (the latter being marked in green).
wp_set_password('string', uid) is a PHP function defined in the WordPress core (not a PHP built-in) which sets the password “string” for the user whose user ID is “uid”. We have used 1 as the user ID since it is the default user ID for the WordPress superuser.
Upload the functions.php file back to the same directory you downloaded it from (in this case “wp-content/themes/twentytwelve”) and overwrite the existing file.
Immediately go to your WordPress login page, typically “yourwebsite.com/wp-login.php”, enter your superuser username (in most cases it is “admin” or “Admin”) and fill the password field with the password “mynewpassword” (without quotes).
Click on “Login”. Once you submit the credentials (try to log in), the login page will simply reload without redirecting you to the WordPress dashboard.
This means you have just reset the WordPress administrator password to “mynewpassword”. Do not try to log in again for now! Each time you try to log in, you will reset the WordPress administrator account password.
This is because the wp_set_password() call is still in functions.php and runs again every time WordPress loads the theme.
Therefore, we need to remove this function. To do this, simply download the modified functions.php file from the active theme directory, remove the line you have added before, save the changes and upload the file back.
Now you’ll be able to login to your WordPress site using the password “mynewpassword”.
You should definitely change the password to a secure one!
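The line this procedure adds is, as described above, a call to wp_set_password() with the new password and user ID 1. The following is an added example (not the original post's code) that makes the same call only once, so a line left in functions.php cannot keep resetting the password. The option name pw_recovery_done and the function name are assumptions made for this example.

```php
<?php
// Added example: paste the lines below directly under the opening <?php tag
// of the active theme's functions.php (do not paste a second <?php tag).
// RECOVERY_FLAG is a hypothetical option name chosen for this example.
define( 'RECOVERY_FLAG', 'pw_recovery_done' );

function recover_admin_password_once() {
    // The reset already ran on an earlier request: leave the password alone.
    if ( get_option( RECOVERY_FLAG ) ) {
        return;
    }

    $user_id = 1; // default ID of the WordPress superuser, as used on this page

    // Do nothing if no account with that ID exists on this site.
    if ( ! get_userdata( $user_id ) ) {
        return;
    }

    // Temporary password from the text; replace it from the dashboard afterwards.
    wp_set_password( 'mynewpassword', $user_id );

    // Record that the reset happened so later page loads skip it.
    update_option( RECOVERY_FLAG, time() );
}
add_action( 'init', 'recover_admin_password_once' );
```

Remove these lines from functions.php once you are logged in, and change the password from the dashboard, because the temporary one was stored in plain text in a file on the server.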
How to recover the WordPress admin password using the MySQL command line via SSH
This method involves fewer steps, but is a bit complicated for someone who’s not familiar with the command line interface. If you have access to phpMyAdmin, then I recommend you use the next tutorial.
For this method you need to know the MySQL login credentials, the name of the database you’re using, and the ID of the user whose password you want to change. The user ID is typically 1. How you reach the MySQL command prompt depends on your environment. If your WordPress site is hosted on a remote server, you must have SSH access; you could use the popular client PuTTY. If you are on Ubuntu, launch Terminal. If you’re on Windows running WAMP, left-click the WAMP icon and choose MySQL -> MySQL console. There is no default password; just press Enter when asked for the password in the MySQL console. Since you then already have access to the MySQL console, you can skip the next three points.
- Login to MySQL
- Open the terminal emulator, type “mysql -u root -p” and hit Enter
- Enter your password. If you’re on Ubuntu, chances are that the default password is null. Simply press Enter.
- Now you should have access to the MySQL console.
We assume the following:
- Database name: wp_mywebsite
- User ID whose password you want to change: 1
- The new password we’re setting is: mynewpassword
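Enter the following statements exactly as shown (no double quotes are used; the text values are in single quotes):
use wp_mywebsite;
-- List the accounts to confirm the ID of the user you want to change
SELECT ID, user_login, user_pass FROM wp_users;
-- Limit the update to that ID; without WHERE every account gets this password
UPDATE wp_users SET user_pass = MD5('mynewpassword') WHERE ID = 1;
exit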
This sets the new password of the user ‘admin’ to ‘mynewpassword’.
You should have your account back!
When you try this tutorial, make sure you use the correct database name and set a better password than mynewpassword.
Both your site and admin email are hacked
In such a case it’s most likely that you have fallen prey to a malicious exe or cookie. I recommend that you first scan your computer and/or your phone’s browser (if you have logged in from any of them) and make sure that they’re secure.
Then you should contact your hosting provider and ask them to scan your site and MySQL database for malicious code/injections.
Next, try to recover your email address and use any of the three steps mentioned above to reset the password.
If the email address isn’t recoverable, change it once you have access to your WordPress account.