- Create the password reset file
- Upload it to the WordPress root
- Execute the file for a particular Administrator
- Delete it
Create the Emergency Reset File
The first step is to create the PHP file and save it to your local desktop. Visit this URL and scroll down until you reach the section with the PHP code in a grey box. Copy the entire contents starting with <?php and ending with </html> and paste it into a plain text editor like Notepad. Save the file onto your local PC. In this example, I’ve used the filename “emergency_password_reset.php” as shown below.
Next, we have to upload this to our WordPress installation. This is most easily done via FTP. Find the root directory of WordPress. It will be the one containing the subdirectories wp-content, wp-admin, and wp-includes. Transfer the file to this location. If you’re looking for a hassle-free FTP client, I recommend FireFTP, which is free software for Firefox.
Choosing a new Password
Now that the file is present in the root directory, we need to visit it directly via a browser. If you got the location right, simply type in the name of your blog followed by the name of the emergency password script along with the extension. So if your blog is example.com, the URL needs to be www.example.com/emergency_password_reset.php. This will bring up the password reset screen as shown below.
Note that you can only use this method for resetting passwords for administrators. As such, it is not a general “lost password” tool, but a method for regaining access to a WordPress installation when all other options fail. If you’re an administrator, you can in any case change the password for any other user right from the administration dashboard itself. This procedure is only for those situations when no administrator is able to log in.
Follow the instructions you see when you execute the file and type in the name of an administrator along with the new password. Then click the “Update Options” button. If everything goes smoothly, you will see a notification saying that an e-mail has been sent to the e-mail account associated with that username and that the password has been changed. Keep in mind that sometimes the reason for resorting to this method is that the e-mail itself is inaccessible. But don’t worry – the password change will take place even if the notification isn’t delivered. Here is what the received e-mail looks like:
Delete the File
It’s easy to see that this method is dangerous since anyone who is aware of the existence of the file can reset any administrator password and gain access to your site. Because of this, it is critical that you delete it as soon as possible.
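If you have shell access to the server, the deletion can be verified rather than assumed. The script below is an added example, not part of the original reset script: it checks that a directory is the WordPress root (by the three subdirectories named above), removes every copy of the reset file under it, including copies uploaded to the wrong folder, and re-scans to confirm none remain. The function names are hypothetical, and the filename is the one used in this article.

```shell
#!/bin/sh
# Added example: confirm the emergency reset script is gone after use.
# RESET_NAME is the filename used in this article; change it if you saved
# the script under another name.
RESET_NAME="emergency_password_reset.php"

# True when $1 contains the three directories that mark the WordPress root.
is_wp_root() {
    [ -d "$1/wp-content" ] && [ -d "$1/wp-admin" ] && [ -d "$1/wp-includes" ]
}

# List every copy of the reset script under $1, including copies uploaded
# to the wrong directory or saved with different letter case.
find_reset_files() {
    find "$1" -type f -iname "$RESET_NAME"
}

# Delete all copies, then re-scan to confirm nothing is left.
# Return status: 0 = clean, 1 = a copy remains, 2 = not a WordPress root.
remove_reset_files() {
    root=$1
    if ! is_wp_root "$root"; then
        echo "refusing: $root is not a WordPress root" >&2
        return 2
    fi
    find_reset_files "$root" | while IFS= read -r f; do
        echo "removing $f" >&2
        rm -f -- "$f"
    done
    if [ -n "$(find_reset_files "$root")" ]; then
        echo "reset script still present under $root" >&2
        return 1
    fi
    return 0
}

# When run directly: sh check_reset.sh /path/to/wordpress
if [ "$#" -eq 1 ]; then
    remove_reset_files "$1"
fi
```

A return status of 1 usually means the file is owned by another user or the directory is not writable, so the script is still reachable from the web and needs to be removed by other means.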
It’s hard to imagine a situation when you will have no choice but to use this technique. No database access, no backend access, inactive e-mail IDs... All of these will have to occur simultaneously for an administrator to be locked out of their account. But in case the unthinkable happens, it’s good to know that an emergency reset option is available.