There are numerous reasons to change your WordPress password. Maybe you’re worried that a hacker has changed your username and password, and you’re locked out of your site. It’s also possible that you just want to create a stronger password. Maybe you had shared your login credentials and now want sole control over your website’s dashboard. You may also want to improve website security if you have logged into your admin panel on a public computer.
Whatever your reason, strengthening your WordPress password is a key component of login security. This article covers every method to change your WordPress password depending on whether you have access to your login email, forgotten your password, or even if the password reset link isn’t working.
TL;DR: The easiest way to change your password is to edit your user details on wp-admin. If you are locked out, use the lost password link on wp-login.php. If you can’t access your email either, change your password directly from the wp_users table of your database. Once you have secured your password, take other steps for login security with MalCare. MalCare limits login attempts and blocks brute force attacks with its powerful firewall for WordPress sites.
In today’s digital age, the significance of strong passwords cannot be emphasized enough. Using a weak password for your online accounts is like leaving your car unlocked with the keys in the ignition—it’s an open invitation for potential trouble. In fact, passwords are so integral to security that it is one of the first things you should do when you recover your site after a hack.
Depending on what access you currently have available, you will need to choose the method accordingly.
If you can login to your admin panel, you can use the admin panel dashboard
If you can’t login to the dashboard but have access to the associated email ID, use the lost password link.
If you need to change the password without email access, you have a few options: make the change from the database, WP-CLI, or the MySQL command line.
When all else fails, use the Emergency Password script. However, this method will only work for admin users.
This article specifically focuses on the importance and process of changing your WordPress admin password. However, it’s important to note that in the event of a security breach, we strongly recommend that you also change the passwords to your cPanel, hosting, database, FTP, and SSH accounts, depending on which apply. Taking a comprehensive approach to password security is essential to safeguarding your website.
Remember though, password security is only one half of login security. The other half is blocking bad bots, like brute force attack bots, which hammer login pages. The only way to prevent your site from succumbing to these attacks is to install a firewall, like MalCare.
Change the password from wp-admin
The wp-admin panel dashboard is the simplest interface for changing your password, and the one we recommend using as far as possible.
However, unlike the other methods in this article, this one needs you to login to your dashboard. By signing into your admin panel, you can access the user settings and update your password effortlessly.
Log into your wp-admin panel.
Click Users in the sidebar and click All Users.
Hover over the right user and click Edit.
Scroll down to the click Set New Password.
Type a new password in the field below or use the strong password that WordPress generates.
If you’re an admin, you can also click Send Reset Link so that a different user can change their password.
Click Update Profile when you’re done.
Use the lost password link when locked out
The lost password link is visible on the wp-login page, and works exactly like similar links on thousands of websites. Use it to reset your password via your registered email and regain access to your WordPress account.
However, you will need to know which email ID is associated with the username in question, and furthermore be able to access it.
Go to the WordPress login page by entering your website’s URL followed by /wp-login.php (e.g., www.yourwebsite.com/wp-login.php).
Locate the Lost your password? link below the regular login form. It is usually placed right under the login button. Click to initiate the password recovery process.
You will be redirected to the password recovery page, where you need to enter your username or email address associated with your WordPress account.
Type in your username or email address into the provided input field.
Click on Get New Password button to request a password reset email.
WordPress will now send an email to the email address associated with your account.
Check your email inbox for the password reset email from WordPress.
Click on the password reset link provided. Check your spam folder if you don’t see it in your inbox. (If you have trouble receiving this email or clicking on the link, skip to the troubleshooting section below.)
You will be taken to a password reset page on your website.
Enter your new password into the password input field. Click Reset Password. If everything goes well, you should see a confirmation message indicating that your password has been successfully reset.
Go back to the WordPress login page and log in with your newly reset password.
Use phpMyAdmin to change passwords
The next best method is changing your WordPress password using the phpMyAdmin tool. Use this method when you don’t have access to your email account, or you are not receiving the reset emails.
This method involves accessing the site database directly and making edits. We strongly recommend taking a backup of your site before tinkering with the database. It is a core component of your site, and the smallest misstep and your site could easily become irretrievable.
Note: At some point, a developer may have changed the database prefix from wp_ to something else. Accordingly, the users table you need to find will have the same prefix.
Additionally, while the process itself remains fundamentally similar, it’s important to note that the first few steps might vary slightly based on your hosting platform and the database manager.
For instance, if you’re using Cloudways—which doesn’t use cPanel or Plesk—you can access the database using the Access Details section.
Log in to your Cloudways account.
Select the appropriate server from the list of servers associated with your account.
Once you’re on the server management page, locate the Access Details section.
Click Launch Database Manager.
Locate the specific database associated with your WordPress site and select it.
Within the database, you will find a list of tables. Look for the table named wp_users. Click Edit.
Then change the password in the user_pass field.
These are the steps involved in changing your WordPress password using phpMyAdmin from cPanel on Bluehost:
Log in to your Bluehost account.
Click on the Advanced tab on the top menu and you will be able to see the cPanel.
In the cPanel dashboard, locate the Database button and click it.
You will be redirected to your databases and see a list of databases on the left-hand side. Locate and select the database associated with your WordPress installation. Once you’ve selected the correct database, you will be presented with a list of tables within that database.
Look for the table named wp_users or an equivalent that ends with _users. Click on it to view the table contents.
Find your username and click Edit.
Locate the user_pass field, which stores the hashed password. Remove the existing password and enter the new one.
Click Save when you’re done.
Use WP-CLI to change a user’s WordPress password
WP-CLI stands for WordPress Command Line Interface. It is a powerful command-line tool specifically designed for managing WordPress installations. WP-CLI allows users to perform various administrative and maintenance tasks for WordPress from the command line, making it easier and more efficient to manage multiple sites and perform repetitive tasks.
Here are the steps to use the command line:
If you have a Windows or Linux computer, it is simple to install WP-CLI. However, on newer versions of MacBooks, you may run into issues like we did. We needed to install Xcode, Homebrew and php to make WP-CLI work at all.
Launch the terminal or command prompt on your operating system.
Connect to your server using the following code:
Replace [username] and [ipaddress] with your own username and the public IP address of your site. When prompted, enter your password.
Navigate to the WordPress directory using the following code:
Replace [pathtowordpress] with the actual path to the root folder of your WordPress installation. Some common root folder names are: root, public_html, and www.
Type the following code to see your user list:
$ wp user list
This will help you find the correct user ID.
Use the following command to change the password for a WordPress user:
$ wp user update [user_id] –user_pass=[new_password]
Replace [user_id] with the ID of the user and [new_password] with the new password.
You’re all done. You can confirm whether the password change was successful by attempting to log in to the WordPress admin with the new password.
Use MySQL Command Line to change a WordPress password
MySQL is a database management system used by WordPress to store and retrieve data. By accessing the MySQL database directly from the command line, you can change a user’s password without needing to log into WordPress. This is a command line alternative to phpMyAdmin’s graphical user interface, and the logic is the same.
To get started, you will first need to access your server’s command line interface. This can be done through a terminal or SSH connection, depending on your hosting environment. If you’re familiar with using the command line, here are the steps we used on a MacOS terminal:
Launch the terminal on your computer, and connect to your server using SSH:
Replace [username] and [ipaddress] with your own username and the public IP address of your site. When prompted, enter your password.
Next, log in to MySQL by executing the following command:
mysql -u [dbusername] -p
Replace [dbusername] with the username you use to log into your database. If you are not sure what this is, you can check the wp-config.php file for this information.
Enter your database password when prompted and press Enter to proceed.
Next step is to choose the WordPress database. You can do this by using the following command to select your WordPress database:
Replace [database_name] with the actual name of your WordPress database. You can find the database name in the wp-config.php file. It will be a value called DB_NAME.
Next, show all the users on your site. Use the following command to do so:
show tables LIKE ‘%users’;
This will help you find the users table. If you are using a default WordPress installation, the table will be wp_users.
Find the user ID, username, and current password of the users in the database by using the following command:
SELECT ID, user_login, user_pass FROM [database_name];
Make sure to replace [database_name] with the actual database name.
Change the password for a specific user with the following command:
UPDATE wp_users SET user_pass = (‘[new_password]’) WHERE user_login = ‘[username]’;
UPDATE wp_users SET user_pass = (‘[new_password]’) WHERE ID = ‘[userID]’;
Ensure that you replace [username] or [userID] with the username or ID for which you want to change the password, and [new_password] with your new password.
Double check that the password has been changed using the following command:
SELECT ID, user_login, user_pass FROM [database_name] WHERE user_login = ‘[username]’;
Make sure to replace [database_name] and [username] with the actual values.
You’re all set. You can now exit the command line using Control and D or typing exit.
Use the Emergency Password Reset Script to change admin’s WordPress password
In drastic situations where all other methods have failed or you are completely locked out of your WordPress site, there is an emergency password reset script available as a last resort option. It is essential to note that this method should only be used when there are no other viable options to regain access to your admin account.
Before proceeding with this method, it is crucial to emphasize the importance of having a recent backup of your website. This ensures that you can restore your site to its previous state if anything goes wrong during the process.
You will need FTP/SFTP or access to File Manager, if you have cPanel. Essentially, you need access to your site files and directories. In the steps below, we are using Cyberduck as our SFTP client, however the process is similar regardless of how you are able to gain access to your site.
Open a new text file on your computer, and paste the following code in it:
$user_login = (empty($_POST[‘e-name’]) ? ” : sanitize_user($_POST[‘e-name’]));
$user_pass = (empty($_POST[‘e-pass’]) ? ” : $_POST[‘e-pass’]);
$answer = (empty($user_login) ? ‘<div id=”message” class=”updated fade”><p><strong>The user name field is empty.</strong></p></div>’ : ”);
$answer .= (empty($user_pass) ? ‘<div id=”message” class=”updated fade”><p><strong>The password field is empty.</strong></p></div>’ : ”);
if ($user_login != $wpdb->get_var(“SELECT user_login FROM $wpdb->users WHERE ID = ‘1’ LIMIT 1”))
$answer .= “<div id=’message’ class=’updated fade’><p><strong>That is not the correct administrator username.</strong></p></div>”;
$wpdb->query(“UPDATE $wpdb->users SET user_pass = MD5(‘$user_pass’), user_activation_key = ” WHERE user_login = ‘$user_login'”);
$plaintext_pass = $user_pass;
$message = __(‘Someone, hopefully you, has reset the Administrator password for your WordPress blog. Details follow:’) . “rn”;
$message .= sprintf(__(‘Username: %s’) , $user_login) . “rn”;
$message .= sprintf(__(‘Password: %s’) , $plaintext_pass) . “rn”;
@wp_mail(get_option(‘admin_email’) , sprintf(__(‘[%s] Your WordPress administrator password has been changed!’) , get_option(‘blogname’)) , $message);
$answer = “<div id=’message’ class=’updated fade’><p><strong>Your password has been successfully changed</strong></p><p><strong>An e-mail with this information has been dispatched to the WordPress blog administrator</strong></p><p><strong>You should now delete this file off your server. DO NOT LEAVE IT UP FOR SOMEONE ELSE TO FIND!</strong></p></div>”;
return empty($answer) ? false : $answer;
$answer = meh(); ?> <!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”> <html xmlns=”http://www.w3.org/1999/xhtml”> <head> <title>WordPress Emergency PassWord Reset</title> <meta http-equiv=”Content-Type” content=”<?php bloginfo(‘html_type’); ?>; charset=<?php bloginfo(‘charset’); ?>” /> <link rel=”stylesheet” rel=”noopener” target=”_blank” href=”<?php bloginfo(‘wpurl’); ?>/wp-admin/wp-admin.css?version=<?php bloginfo(‘version’); ?>” type=”text/css” /> </head> <body> <div class=”wrap”> <form method=”post” action=””> <h2>WordPress Emergency PassWord Reset</h2> <p><strong>Your use of this script is at your sole risk. All code is provided “as -is”, without any warranty, whether express or implied, of its accuracy, completeness. Further, I shall not be liable for any damages you may sustain by using this script, whether direct, indirect, special, incidental or consequential.</strong></p> <p>This script is intended to be used as <strong>a last resort</strong> by WordPress administrators that are unable to access the database. Usage of this script requires that you know the Administrator’s user name for the WordPress install. (For most installs, that is going to be “admin” without the quotes.)</p> <?php echo $answer; ?> <p class=”submit”><input type=”submit” name=”update” value=”Update Options” /></p> <fieldset class=”options”> <legend>WordPress Administrator</legend> <label><?php _e(‘Enter Username:’) ?><br /> <input type=”text” name=”e-name” id=”e-name” class=”input” value=”<?php echo attribute_escape(stripslashes($_POST[‘e-name’])); ?>” size=”20″ tabindex=”10″ /></label> </fieldset> <fieldset class=”options”> <legend>Password</legend> <label><?php _e(‘Enter New Password:’) ?><br /> <input type=”text” name=”e-pass” id=”e-pass” class=”input” value=”<?php echo attribute_escape(stripslashes($_POST[‘e-pass’])); ?>” size=”25″ tabindex=”20″ /></label> </fieldset> <p class=”submit”><input type=”submit” name=”update” value=”Update Options” /></p> </form> </div> </body> </html> <?php exit; ?>
Save this file as emergency.php.
Launch Cyberduck and click on the Open Connection.
Choose the appropriate protocol (FTP or SFTP) and add your FTP/SFTP username and password in the respective fields. If you’re unsure about these credentials, consult your hosting provider or refer to your hosting account information.
Click on Connect to establish a connection with your server.
Then open your root folder. In our case, it is called public_html.
Upload the file to the root folder.
Next, open a browser, and navigate to the following URL: yoursite.com/emergency.php
Replace “yoursite.com” with your own domain.
Add the administrator’s username and create a new password.
Click Update Options.
You will now get an email about your password having been changed.
As a final step, go back to your FTP/SFTP client and delete the emergency.php file.
Note: This method only works to change the administrator’s password. While the admin gets an email, the password will be changed regardless. So, you don’t need email access, but you do need to know the admin username. Please note this is an absolute last-ditch, Hail Mary solution. Use with caution, because even though the inputs are sanitized to the best of everyone’s ability, there may be loopholes—also known as vulnerabilities—in the script.
Use FTP to change the WordPress user’s password
When it comes to changing a WordPress password, another method involves utilizing the wp_set_password function. This method is typically used by plugin developers, and we strongly recommend NOT using it. We’re including it here for the sake of comprehensiveness, but advise extreme caution.
It’s important to note that this approach involves modifying core files and using the pluggable function wp_set_password. It was meant for developers to override default settings with plugin functionality.
The function was also strictly designed to be single use. If you don’t delete the code after you’ve logged in again, you will be sent on a loop. The password you added in the function will be loaded every time a page is loaded. So the logged in user will keep being sent back to the login page.
As such, we highly recommend you create a backup of your site before proceeding. This ensures that you can restore your site in case issues arise during any process. But backups are especially important when using this method.
You will need to use either File Manager on cPanel or a FTP/SFTP client to access your site files. You will also need the User ID. You can find the UserID using the database or MySQL command line. If you don’t have access to one or the other, we’d recommend against using this method.
We used Cyberduck to access our files and here are the steps:
Download and install Cyberduck, which is available for both macOS and Windows.
Launch Cyberduck and click on the Open Connection button in the top of the window.
In the window that pops up, select FTP/SFTP from the drop down menu.
Then, add the username, password and public IP address in the appropriate fields. This information is on your hosting site’s account.
Click on the Connect button to establish the connection with your server.
Once connected, you will see the remote server files on the Cyberduck interface. Click public_html. This is the root folder for our test site. The root folder may be called something else on your site.
Then, locate and navigate to the wp-content folder.
Find and locate the folder of the currently active theme on your WordPress site.
Within the theme folder, look for the functions.php file.
Download the file and open it in a text editor. Add the code at the beginning, after <?php tag:
function wp_set_password(password, 3 );
Replace 3 with the user ID number.
Save and upload the file back onto your server. Click Overwrite in the window that pops up.
Now try to login with your new password. Be careful to copy the password as is. Be sensitive to spaces and casing.
Once you’re done, delete the piece of code the same way you installed it.
Having trouble with your WordPress password can be frustrating, but don’t worry! In this section, we will explore common password-related issues that users encounter and provide troubleshooting steps to help you regain access to your WordPress account.
Not receiving password reset emails: Often they can be found in your spam or promotions folder. If not, reach out to your host and ask why you’re not getting any emails from WordPress. Sometimes the email could be on a blocked domain list, and will need resolution from your email service provider.
Changing the password isn’t working: You’re able to change the password on the WordPress dashboard but when you try to login with the new password, an error message is triggered. This could be because of a theme or plugin conflict, especially if you are using security plugins like iThemes Security. We recommend you disable all your themes and plugins. Revert to one of the default themes. If the problem disappears, enable each theme and plugin one by one till you find the problematic one.
Password changed suddenly or without authorization: This is possibly because your site has been hacked. We recommend you scan your WordPress site for malware, clear the malware and install a firewall. MalCare does all of that and more in minutes. Then, once your site is malware-free, change all your passwords.
Reset password link is not working: If the reset password link isn’t working, you can use other methods like changing the password on your database with phpMyAdmin.
No longer have access to your associated email ID: In this case, you won’t be able to use the reset link. So, you will have to change the password with other methods like modifying the database directly via phpMyAdmin or MySQL command line.
Can’t remember the username: If you can’t remember the username, you can still change your password with the lost password link. Just add your email ID instead of the username. If this doesn’t work, change the password using the database.
Best practises for WordPress passwords
Protecting your WordPress site starts with implementing strong password practices. By following these best practices, you can enhance the security of your WordPress site and reduce the risk of unauthorized access or hacking attempts.
When sharing credentials with team members or contacting developers, create a new user that you can delete later on, instead of sharing passwords.
Use a password manager for generating, storing, and securely managing strong, unique passwords for your WordPress site.
Don’t use the same password twice; even across different accounts on different products or sites. If one account is hacked, your password is added to a rainbow file and used to try other services. One of those services could be your site, so no reusing passwords.
Avoid sharing your WordPress password with anyone, including colleagues, friends, or family members.
Don’t save your passwords in a browser or select the Remember Me option on the login page.
Use security plugins such as MalCare to add an extra layer of protection to your WordPress site. MalCare implements strong login security measures, like limiting login attempts, to prevent brute force attacks from breaching your site.
Use strong passwords which follow the following rules:
Contain a combination of capital and lowercase letters
Contains numbers, and special characters
Is a minimum length of 12 characters or more
Avoids using easily guessable information such as names, birthdates, or common phrases.
While ensuring strong password security is crucial, it is essential to acknowledge that it alone is not enough to guarantee complete website security. The most effective approach is to use a security plugin such as MalCare.
MalCare goes beyond password protection and login security, and provides comprehensive security features to safeguard your WordPress site. It has features like daily malware scanning, firewall protection, brute force attack prevention, and much more. By leveraging the capabilities of a security plugin, you can strengthen your site’s overall security and protect it from potential threats.
How do I reset my WordPress password on localhost?
To reset your WordPress password locally, you need access the WordPress database and manually update the password for your user. To do this, you can use a tool like phpMyAdmin, which allows you to interact with your database. Go to http://localhost/phpmyadmin/
Login with your MySQL username and password. Find the specific user in the `wp_users` table and update the `user_pass` field with the new password hash generated using an MD5 hash or a stronger algorithm.
What is my WordPress admin password?
Your WordPress admin password is the password you chose during the installation process or that you have set subsequently. If you’ve forgotten your password, you can use the “Lost your password?” link on the WordPress login page to initiate a password reset via email.
Can I change WordPress password from cPanel?
Yes, you can change your WordPress password from cPanel using the phpMyAdmin tool. Navigate to the phpMyAdmin interface, locate your WordPress database, and access the `wp_users` table. Update the `user_pass` field for the desired user with the new password.
Cannot login to the website and don’t have a password reset link.
If you’re not able to use an email address to get a password reset link, change the password on your database. Find the wp_users table and change user_pass to a new one.
How to reset password from phpMyAdmin?
Use the phpMyAdmin tool to access the database. Then, navigate to the wp_users table and change the user_pass.
How to reset my username and password?
Usernames can be changed by either creating a new user, using a plugin like Easy Username Updater, or changing the username in the database.
To change passwords, the easiest method is to use the WordPress dashboard once you login to wp-admin. If you can’t login, use the lost password link on the login page. This will redirect you to a page where you send a reset password link to your email.
You can also change both username and password with phpMyAdmin. Go to the wp_users table and edit the user’s password and username.
Can you change the user’s password?
Yes. Go to the All Users page on your admin panel. Then, hover over one of the users and click Edit. Change the password and click Update Profile.
Somebody changed the password and email to my website. What to do?
You’ve probably been hacked. First, use MalCare to scan, clean, and protect your site from any malware. After that, change all your passwords to a stronger one.
WordPress not sending reset links.
Reach out to your hosting provider to find out why you aren’t receiving emails from WordPress. You can also change your password using either your database.
The post Change Your WordPress Password: 7 Tried-and-Tested Ways appeared first on MalCare.