How to Manually Reset Your WordPress Admin Password
Losing access to your WordPress admin account does not have to mean losing control of your site. If the standard "Lost your password?" email flow is broken — due to misconfigured mail settings, an inaccessible email address, or a corrupted user record — you can bypass it entirely by resetting the password directly at the database, filesystem, or shell level.
This guide covers four battle-tested methods: phpMyAdmin, FTP via functions.php, WP-CLI over SSH, and the WordPress Emergency Password Reset Script. Each method is explained with exact steps, security caveats, and the specific scenarios where it is the right choice.
When the Standard Reset Flow Fails
Before reaching for a manual method, understand why the built-in reset breaks. The most common causes are:
- Broken WordPress mail delivery — wp_mail() depends on PHP's mail() function or an SMTP plugin. If neither is configured, the reset email is silently dropped.
- No access to the registered email inbox — the account was created with a defunct address.
- Corrupted wp_users table — rare, but possible after a failed migration or plugin conflict.
- Locked out of wp-admin entirely — brute-force protection plugins (Wordfence, Limit Login Attempts) can block the reset endpoint itself.
Identifying the root cause matters because some methods (WP-CLI, phpMyAdmin) fix the password without touching the mail system at all, while others (the emergency script) require HTTP access to the site.
Method 1: Reset the Password via phpMyAdmin
Best for: Shared hosting environments where SSH is unavailable but cPanel or a similar control panel is accessible.
phpMyAdmin gives you direct read/write access to the MySQL or MariaDB database that stores all WordPress user credentials. Passwords are stored as bcrypt hashes (WordPress 6.x+) or MD5 hashes (legacy installs). phpMyAdmin's built-in function selector handles the hashing automatically.
Step 1: Open phpMyAdmin from Your Control Panel
Log in to your hosting control panel — cPanel, DirectAdmin, or a custom panel. Locate the Databases section and click phpMyAdmin. If you are on a VPS with cPanel, the path is typically cPanel > Databases > phpMyAdmin.
Step 2: Select the WordPress Database
In the left-hand sidebar, click the database name associated with your WordPress installation. If you are unsure which database is correct, open wp-config.php in your site's root directory and look for the DB_NAME constant.
Step 3: Open the wp_users Table
Expand the database tables and click on wp_users. If your installation uses a custom table prefix (defined by $table_prefix in wp-config.php), the table will be named <prefix>_users — for example, site7_users.
Step 4: Edit the Admin User Row
- Find the row where user_login matches your admin username. For most default installs, this is the row with ID = 1.
- Click Edit (the pencil icon).
- Locate the user_pass field.
- In the Function dropdown next to user_pass, select MD5.
- In the Value field, type your new password in plain text.
- Scroll down and click Go.
Important technical note: Selecting MD5 here is sufficient for immediate login because WordPress performs a legacy MD5 check on login and then automatically re-hashes the password using its stronger phpass or bcrypt algorithm upon successful authentication. You do not need to manually generate a bcrypt hash.
Step 5: Verify the Change
Navigate to your WordPress login page and sign in with the new password. If login succeeds, WordPress will silently upgrade the hash in the database to the current algorithm.
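To confirm that the hash upgrade described in Step 5 actually happened, the following added example (not part of the original guide) classifies user_pass values by format and lists accounts still holding a bare MD5 hash. It assumes rows exported from wp_users as user_login<TAB>user_pass; the function names and sample rows are constructed for illustration.

```shell
# Added example: classify wp_users.user_pass values by hash format.
classify_user_pass() {
    case "$1" in
        '$wp$2y$'*) echo "bcrypt-wp" ;;   # WordPress-prefixed bcrypt (6.8+)
        '$2y$'*)    echo "bcrypt" ;;      # plain bcrypt
        '$P$'*)     echo "phpass" ;;      # portable phpass
        *)
            # A bare 32-character hex string is an unsalted MD5 digest.
            if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; then
                echo "md5-legacy"
            else
                echo "unknown"
            fi ;;
    esac
}

# Reads "user_login<TAB>user_pass" rows on stdin; prints logins still on MD5.
report_md5_accounts() {
    tab=$(printf '\t')
    while IFS=$tab read -r login hash; do
        if [ "$(classify_user_pass "$hash")" = "md5-legacy" ]; then
            echo "$login"
        fi
    done
}

# Constructed sample rows (hash bodies are placeholders, not real credentials).
sample_rows() {
    printf '%s\t%s\n' \
        admin  '5f4dcc3b5aa765d61d8327deb882cf99' \
        editor '$P$BconstructedPhpassHashBody0000000' \
        author '$wp$2y$10$constructedBcryptHashBodyPlaceholder'
}

sample_rows | report_md5_accounts
```

Any login this prints has not signed in since the MD5 value was written, so its password is still stored as an unsalted digest.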
Method 2: Reset the Password via FTP by Modifying functions.php
Best for: Situations where phpMyAdmin is unavailable but FTP/SFTP credentials are accessible.
This method injects a password-reset call directly into WordPress's execution cycle by temporarily adding code to the active theme's functions.php file.
Step 1: Connect via FTP
Use an FTP client such as FileZilla or Cyberduck. Enter your FTP host, username, password, and port (21 for plain FTP, 22 for SFTP — always prefer SFTP when available). Navigate to:
    /public_html/wp-content/themes/<your-active-theme>/
To confirm which theme is active without logging into wp-admin, check the wp_options table in phpMyAdmin for the template option key.
Step 2: Download and Edit functions.php
Download functions.php to your local machine. Open it in a code editor (VS Code, Sublime Text, or any editor that preserves UTF-8 encoding without BOM). Add the following lines at the very bottom of the file, inside the existing PHP block:
    // Temporary password reset — REMOVE IMMEDIATELY AFTER USE
    // functions.php is already in PHP mode, so do not add another <?php tag here.
    add_action( 'init', function() {
        // Runs on every page load and sets the password for user ID 1.
        wp_set_password( 'YourNewSecurePassword123!', 1 );
    });
Replace 'YourNewSecurePassword123!' with your chosen password. The second argument (1) is the user ID. If your admin account is not ID 1, query the wp_users table first to confirm the correct ID.
Wrapping the call in add_action( 'init', ... ) is safer than calling wp_set_password() directly at the file's top level, because it ensures WordPress core functions are fully loaded before execution.
Step 3: Upload and Log In
Save the file and upload it back to the server, overwriting the original. Load any page of your WordPress site (even the homepage) to trigger the init hook and execute the password change. Then navigate to /wp-login.php and log in with the new password.
Step 4: Remove the Code Immediately
This step is non-optional. Leaving the reset code in functions.php means every page load resets the password to the hardcoded value, creating a critical security vulnerability. Download functions.php again, delete the lines you added, and re-upload.
Method 3: Reset the Password via WP-CLI (SSH Command Line)
Best for: Developers and sysadmins with SSH access to a VPS or dedicated server. This is the fastest and cleanest method.
WP-CLI is the official command-line interface for WordPress. It can manage users, plugins, themes, and database operations without touching a browser. If you are running WordPress on a VPS Hosting plan or a Dedicated Server, WP-CLI is almost certainly available or trivially installable.
Step 1: Verify WP-CLI Is Installed
    wp --info
If the command is not found, install it:
    curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
    chmod +x wp-cli.phar
    sudo mv wp-cli.phar /usr/local/bin/wp
Step 2: Navigate to the WordPress Root Directory
    cd /var/www/html
Adjust the path to match your actual document root. You can verify you are in the right directory by checking for wp-config.php:
    ls wp-config.php
Step 3: Reset the Password
    wp user update 1 --user_pass="YourNewSecurePassword123!" --allow-root
The --allow-root flag is required if you are running the command as the root user. Replace 1 with the actual user ID if needed. To look up the correct ID first:
    wp user list --fields=ID,user_login,user_email --allow-root
Step 4: Confirm the Update
WP-CLI will output Success: Updated user 1. upon completion. You can immediately verify the change:
    wp user get 1 --field=user_pass --allow-root
This returns the new bcrypt hash, confirming the record was updated. Log in to wp-admin to complete the process.
Edge case — multisite installs: On WordPress Multisite, add --url=yoursite.com to the command to target the correct subsite:
    wp user update 1 --user_pass="YourNewSecurePassword123!" --url=yoursite.com --allow-root
Method 4: Reset the Password via the WordPress Emergency Script
Best for: Scenarios where you have FTP access but no SSH, no phpMyAdmin, and the functions.php method is impractical (e.g., the active theme is a block theme with no functions.php).
The WordPress Codex provides a standalone PHP emergency reset script (emergency.php) that runs independently of the WordPress installation. It prompts for a new password, hashes it correctly, and writes it directly to the database using credentials from wp-config.php.
Step 1: Obtain the Script
Download the script from the official WordPress GitHub repository or the Codex. The canonical source is:
    https://codex.wordpress.org/Resetting_Your_Password#Through_the_emergency_password_reset_script
Save the file as emergency.php.
Step 2: Upload to the WordPress Root
Using your FTP client, upload emergency.php to the same directory that contains wp-config.php — typically /public_html/ or /var/www/html/.
Step 3: Execute the Script in a Browser
Open a browser and navigate to:
    https://yourdomain.com/emergency.php
The script will read wp-config.php automatically to obtain database credentials, then present a form to enter and confirm a new password. Submit the form to apply the change.
Step 4: Delete the Script Immediately
This is critical. The script has no authentication layer — anyone who knows the URL can use it to take over your site. Delete it the moment you have regained access:
    rm /var/www/html/emergency.php
Or delete it via FTP. Verify deletion by attempting to load the URL again — it must return a 404.
Method Comparison
| Method | Requires SSH | Requires FTP | Requires DB Access | Modifies Theme Files | Speed | Security Risk if Left Active |
|---|---|---|---|---|---|---|
| phpMyAdmin | No | No | Yes (via panel) | No | Fast | None |
| `functions.php` via FTP | No | Yes | No | Yes | Medium | Critical |
| WP-CLI via SSH | Yes | No | No | No | Fastest | None |
| Emergency Script | No | Yes | No | No | Medium | Critical |
Security Hardening After a Password Reset
Regaining access is only the first step. A forced manual reset often signals a deeper problem — a compromised account, a misconfigured server, or a broken mail stack. Address these immediately:
- Audit recent logins. Check wp_usermeta for session_tokens to see active sessions. Destroy all of a user's sessions with wp user session destroy <user> --all --allow-root.
- Rotate the secret keys. Generate new values at https://api.wordpress.org/secret-key/1.1/salt/ and replace the corresponding constants in wp-config.php. This invalidates all existing cookies.
- Fix WordPress email delivery. Install an SMTP plugin (WP Mail SMTP, Postman SMTP) and connect it to a transactional mail service (SendGrid, Mailgun, Amazon SES) so the standard reset flow works in the future.
- Enable two-factor authentication. Plugins like WP 2FA or Google Authenticator add a second verification layer that makes brute-force lockouts far less likely.
- Review file permissions. wp-config.php should be 640 or 600. The functions.php file should be 644. World-writable files (777) are an immediate red flag.
- Check for unauthorized admin accounts. Run wp user list --role=administrator --allow-root and remove any accounts you do not recognize.
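An added example, not part of the original guide: a POSIX shell function that checks a WordPress root for the residue Methods 2 and 4 warn about (a leftover wp_set_password() call or emergency.php) and for the permission problems in the list above. The function name and the example path are assumptions.

```shell
# Added example: audit a WordPress root for leftovers from a manual reset.
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_reset_residue() {
    root=$1
    report=""
    nl='
'
    # Method 4 leftover: the unauthenticated emergency script.
    if [ -e "$root/emergency.php" ]; then
        report="${report}CRITICAL emergency.php still present in $root${nl}"
    fi

    # Method 2 leftover: a wp_set_password() call in any theme's functions.php.
    for f in "$root"/wp-content/themes/*/functions.php; do
        [ -f "$f" ] || continue
        if grep -q 'wp_set_password[[:space:]]*(' "$f"; then
            report="${report}CRITICAL wp_set_password() call in $f${nl}"
        fi
    done

    # wp-config.php should be exactly 600 or 640.
    if [ -f "$root/wp-config.php" ] &&
       [ -z "$(find "$root/wp-config.php" \( -perm 600 -o -perm 640 \))" ]; then
        report="${report}WARN wp-config.php mode is not 600 or 640${nl}"
    fi

    # World-writable regular files anywhere under the root.
    ww=$(find "$root" -type f -perm -0002 \
            -exec printf 'WARN world-writable file: %s\n' {} \;)
    if [ -n "$ww" ]; then
        report="${report}${ww}${nl}"
    fi

    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s' "$report"
    return 1
}

# Usage: sh audit.sh /var/www/html   (example path; adjust to your root)
[ -z "${1:-}" ] || audit_reset_residue "$1"
```

Run it again after cleanup; a clean root produces no output and exit status 0.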
For production environments hosted on a Dedicated Server, also review /var/log/auth.log (or /var/log/secure on RHEL-based systems) for SSH brute-force attempts that may have preceded the lockout.
If your site handles sensitive user data or e-commerce transactions, pair your hardened login with a properly issued SSL Certificate to ensure credentials are never transmitted in plaintext.
Decision Matrix: Which Method Should You Use?
Use this checklist to select the correct method for your situation:
- You have cPanel or DirectAdmin access — use phpMyAdmin (Method 1). It is the safest and requires no file modifications.
- You have FTP/SFTP but no database panel — use functions.php (Method 2), but set a calendar reminder to remove the code within five minutes of logging in.
- You have SSH access to a VPS or dedicated server — use WP-CLI (Method 3). It is the cleanest, leaves no residual code, and supports scripting for automation.
- You have FTP but the active theme has no functions.php (block themes, FSE themes) — use the Emergency Script (Method 4), and delete it before closing the browser tab.
- None of the above are available — contact your hosting provider's support team. They can reset the database password at the infrastructure level.
FAQ
Q: Will resetting the password via phpMyAdmin log out active sessions?
No. Changing user_pass in the database does not invalidate existing WordPress authentication cookies. To force all sessions to end, you must also update the secret keys in wp-config.php or use wp user session destroy <user> --all.
Q: My wp_users table is empty or missing. What happened?
This typically indicates a failed database migration, a corrupted import, or a misconfigured $table_prefix in wp-config.php. Verify the prefix matches the actual table names in phpMyAdmin. If the table is genuinely missing, restore from a database backup.
Q: Can I use MD5 in phpMyAdmin even though WordPress now uses bcrypt?
Yes. WordPress's authentication layer detects MD5-hashed passwords on login and accepts them for backward compatibility, then immediately re-hashes the password using the current algorithm (phpass/bcrypt). The MD5 hash is only stored temporarily until the next successful login.
Q: The wp user update WP-CLI command returns a permissions error. How do I fix it?
This usually means WP-CLI is running as a different system user than the one who owns the WordPress files. Either switch to the correct user with sudo -u www-data wp user update ... or add the --allow-root flag if you are operating as root.
Q: Is it safe to leave the emergency script on the server for a few hours?
No. The emergency script has zero authentication. Any visitor who discovers or guesses the URL can use it to reset your admin password and take full control of your site. Delete it immediately after use — treat it with the same urgency as an exposed private key.
