
WP Password Reset

13 responses. Posted on May 22nd, 2007 in WordPress, WordPress Hack.

Reset your lost WordPress administrator password: Say you have forgotten your admin password AND the WordPress “forgot your password?” link on the admin login screen does not work for one reason or another (such as wrong email address, spam, etc.), you have no access to the database, and you cannot rattle off MD5 hashes from memory. Then you could be in a jam. If you find yourself in this mess, you may upload this highly insecure script to your server, visit the page specified on your blog, and follow the simple instructions to reset your password to all its previous glory. The admin is sent an email to make sure things are kosher. Also, please remember to delete the file off your server. I can see this turning into a hack epidemic.
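A cleanup check for the "remember to delete the file" step above, as an added example that is not part of the original post or of the script it describes: it lists top-level PHP files in a WordPress root that a stock install does not ship. The function name and the core file list (taken from a current stock release) are assumptions; adjust the list for your version.

```shell
#!/bin/sh
# Added example: flag PHP files in a WordPress document root that are not
# part of a stock install's top-level file set, so a leftover one-off
# password-reset or "add admin" script is noticed and deleted.

# Top-level PHP files shipped by a stock WordPress release.
# Assumption: current release layout; older versions shipped a few others.
WP_CORE_ROOT_FILES="index.php wp-activate.php wp-blog-header.php
wp-comments-post.php wp-config.php wp-config-sample.php wp-cron.php
wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php
wp-signup.php wp-trackback.php xmlrpc.php"

# find_stray_php DIR
# Prints one unexpected top-level *.php file name per line.
# Returns 0 if the root is clean, 1 if strays were found, 2 on bad input.
# Typical use after an emergency reset: find_stray_php /path/to/wordpress
find_stray_php() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    found=0
    # Second glob also catches dot-prefixed files hidden from a plain "ls".
    for path in "$root"/*.php "$root"/.*.php; do
        [ -e "$path" ] || continue      # an unmatched glob stays literal
        name=${path##*/}
        case " $(echo $WP_CORE_ROOT_FILES) " in
            *" $name "*) ;;             # known core file, ignore
            *) echo "$name"; found=1 ;; # anything else needs a look
        esac
    done
    return $found
}
```

Only the document root is inspected, since that is where such scripts are uploaded; a file it reports is not necessarily malicious, only unexpected.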


Comments

  1. Emre (1 comments.) says:

    I’ll try it and see how it looks.

  2. David Bradley (20 comments.) says:

    A hackademic even?

    db

  3. Jaypee (20 comments.) says:

    I agree with you. Although this plugin can be useful in case of emergency, it does create a chance for hackers and other malicious users.

  4. Azmeen (14 comments.) says:

    If you can have access to upload the file, then you surely have access to your wp-config.php file. Just take a peep inside for your MySQL username and password.

    Once you get that, then it’s just a matter of logging on to your MySQL database, going to your wp_users table, and setting a new admin password:

    UPDATE wp_users SET user_pass=MD5('newpassword') WHERE ID=1

    Then just login to your WP installation with newpassword as the admin password.

    Of course you could use any password you want, just change it in the SQL accordingly.

  5. azrin (4 comments.) says:

    That’s just a mess. I just always have a secondary backup ID so I can always promote myself to be the admin. Or else… find the admin ID under the WP_USERS table and change the password or, better still, the EMAIL ADDRESS INSTEAD... and request a new password.

    azrin @ http://www.azrin.net

  6. Chris Mou (2 comments.) says:

    Azrin – both those ideas were covered in the original post. As sensible as that is, what would you do if the “forgot password” link broke and the database was inaccessible??

    Although I do agree, it is a mess. I just hope all the non-techie users amongst us remember to kill the file off the server when they’re done!

  7. David Russell (32 comments.) says:

    If the database is inaccessible, then this disaster-waiting-to-happen script surely won’t work either? It’s not as if server hacking or the ability to ‘rattle off MD5 hashes from memory’ are even required to fix password problems in a secure manner – phpMyAdmin (which I guess is installed on most hosts who offer MySQL) includes a function to take an entered value (say, the new password the user wants) and store the MD5 hash of it in a database field. For those not graced with phpMyAdmin, there are plenty of sites offering a JavaScript box to generate MD5s.

  8. whoo (2 comments.) says:

    hahaha, relax people. No-one says you have to use the damn thing, and I do say it’s intended as a LAST RESORT.

    For those who didn’t notice, there are NO outbound links on the script... I could have linked right back to the codex article that explains all the other ways to recover your password. I didn’t, on purpose, because once a user clicks away, they’re apt to forget to delete it.

    God, give it a rest already, it serves a very distinct purpose – to help ppl that don’t understand phpMyAdmin. Obviously, if you know how to do things in phpMyAdmin, you wouldn’t want this. But guess what, like it or not, NOT every WordPress user gets (by gets, I mean understands) phpMyAdmin, and more yet, they don’t want to — they just want their fricken password changed.

  9. Andy (2 comments.) says:

    As a freelancer, most of the time I need to add a new admin and quickly log in and test a new plugin or theme.

    I use the addnewadmin script. http://hecode.com/addnewadmin

    Simply copy addnewadmin.php into the root of your WordPress path, navigate to it, and add as many new admins as you need. You can log in with the second admin and change/add the original admin info if needed.



Trackbacks/Pingbacks

  1. [...] a couple of solutions to this – you can either use the Emergency Password Recovery (thanks WeblogToolsCollection) or, if you have got access to the MySQL database, either change the email address contained [...]

  2. [...] If this is your first time visiting us, you can subscribe to our RSS feed here. Thanks for your visit! [Translated entry. Original] [...]

  3. [...] Did you forget your WordPress administrator password? No worries. Reset your lost WordPress administrator password. (Credit: WTC) [...]
