Emergency WordPress Password Change

Emergency WordPress Password Change
WordPress has a variety of ways to recover lost passwords. From something as simple as clicking the “Lost your password?” link, to being able to reset it via phpMyAdmin directly through the database, replacing either yours or someone else’s login credentials isn’t difficult. However sometimes for some reason or the other, none of these work. Either you don’t have easy access to the database or the control panel backend, or the e-mail ID used for password recovery isn’t functioning. Whatever the reason, WordPress gives you one final way to recover the password of any user having the “Administrator” role. It relies on creating a file that doesn’t exist on any WordPress installation by default. This method is utilized only in emergencies when all else fails. Use it with caution and make sure that you remove the vulnerability immediately afterwards. The process consists of four steps:
  1. Create the password reset file
  2. Upload it to the WordPress root
  3. Execute the file for a particular Administrator
  4. Delete it

Create the Emergency Reset File

The first step is to create the PHP file and save it to your local desktop. Visit this URL and scroll down until you reach the section with the PHP code in a grey box. Copy the entire contents starting with <?php and ending with </html> and paste it into a plain text editor like Notepad. Save the file onto your local PC. In this example, I’ve used the filename “emergency_password_reset.php” as shown below.

emergency file

Next, we have to upload this to our WordPress installation. This is most easily done via FTP. Find the root directory of WordPress. It will be the one containing the subdirectories wp-content, wp-admin, and wp-includes. Transfer the file to this location. If you’re looking for a hassle free FTP client, I recommend FireFTP which is free software for Firefox.

transfer file to root

Choosing a new Password

Now that the file is present in the root directory, we need to visit it directly via a browser. If you got the location right, simply type in the name of your blog followed by the name of the emergency password script along with the extension. So if your blog is example.com, the URL needs to be www.example.com/emergency_password_reset.php. This will bring up the password reset screen as shown below.

emergency reset screen

Note that you can only use this method for resetting passwords for administrators. As such, it is not a general “lost password” tool, but a method for regaining access to a WordPress installation when all other options fail. If you’re an administrator, you can in any case change the password for any other user right from the administration dashboard itself. This procedure is only for those situations when no administrator is able to log in. Follow the instructions you see when you execute the file and type in the name of an administrator along with the new password. Then click the “Update Options” button. If everything goes smoothly, you will see a notification saying that an e-mail has been sent to the e-mail account associated with that username and that the password has been changed. Keep in mind that sometimes the reason for resorting to this method is that the e-mail itself is inaccessible. But don’t worry – the password change will take place even if the notification isn’t delivered. Here is what the received e-mail looks like:

confirmation email

Delete the File

It’s easy to see that this method is dangerous since anyone who is aware of the existence of the file can reset any administrator password and gain access to your site. Because of this, it is critical that you delete it as soon as possible.

delete the file

It’s hard to imagine a situation when you will have no choice but to use this technique. No database access, no backend access, in active e-mail IDs... All of these will have to occur simultaneously for an administrator to be locked out of their account. But in case the unthinkable happens, it’s good to know that an emergency reset option is available.

One Reply to “Emergency WordPress Password Change”

  1. Hi I have been reading your posts and following them to try and regain the website access for a local non profit group. I have checked the ht access, repaired the database. They have been locked out of their site for months. I just tried using the emergency password.php reset and immediately got a message about an parse error on line 24. So I am not able to regain the site and help these folks. My thought was too regain it train them about stronger login id and passwords, clean the site and set some security features for them. I have access to the CPANEL but not excited about messing with the PHP I have recovered that way in the past but it was one of my own. Currently we can see the full site without the www. but if you type in www. it takes you to an overseas sale site. Have you seen this parse error on line 24 before and is there a fix for it? I really enjoy working using your instructions they are so so helpful, Thank you for that!

Leave a Reply

Your email address will not be published. Required fields are marked *

Disclosure: We receive a compensation from some of the companies whose products are presented on our website.