Last Updated on July 18, 2023 by Sunny Staff
Statistics suggest that more than 55% of people use plain old human memory to store and recall passwords. But, as you know, memory isn’t always reliable. It’s easy to forget bits of information we usually remember instantly – like your WP admin login – especially if you’re one of those people who, according to NordPass, have somewhere between 70 and 80 passwords. If you’ve lost access to your WordPress account, and don’t have someone with a WP admin login to your site on speed dial, the WordPress tricks in this post can help you log into WordPress in just a few minutes.
Note that WordPress passwords cannot be recovered without some serious technical expertise. That’s because the password you enter is transformed and hashed several times before being stored in the database, as explained below. The solution, therefore, is to use one of the following methods to create a new WordPress password.
What you’ll find below
- WordPress Managed Hosting Password Reset
- WordPress Password Reset Feature
- WordPress Password Reset with phpMyAdmin / MySQL
- How to Reset a WordPress Password Using WP-CLI
- How to Reset a WordPress Password Using functions.php (cPanel)
- How to change your WordPress password
- WordPress Password Security: Understanding Hashes and Salts
- WordPress Password Best Practices
- Frequently Asked Questions (FAQ): WordPress Passwords
1. WordPress Managed Hosting Password Reset
Managed WordPress hosting is the easiest and by far least technical method of resetting your password, getting your username or email address changed, or getting any other technical WordPress task completed. In most cases, all it takes is a quick call or email to get your password reset. Chances are they’ll use one of the methods described below to quickly and easily reset your password – you don’t have to lift a finger.
Also read: The Complete Guide to Choosing a WordPress Maintenance Agency
2. WordPress Password Reset Feature
If you don’t have managed WordPress hosting, your first course of action should be the WordPress Password Reset Feature located at the bottom of the WordPress login page. This page is usually located at <yourdomain.com>/wp-login.php.
Sometimes, however, domains have a custom login screen as part of their branding or as an added security measure. If this is the case, here’s what you can do:
- Paste the following URL in your browser and press enter: https://yourdomain.com/wp-login.php?action=lostpassword. Be sure to replace yourdomain.com with the correct domain.
- Or, if that doesn’t work, add the following to the end of your site’s login screen URL: ?action=lostpassword. For example https://www.yourdomain.com/login?action=lostpassword
Notice the ‘Lost your password?‘ link at the bottom of the page? Click on it to start the WordPress reset password process. You’ll be asked to enter an email address, which should be the email address you used to create the account. When you’ve entered your email address, click ‘Get New Password‘ and check your inbox for an email with a password recovery link.
3. WordPress Password Reset with phpMyAdmin/MySQL
Still can’t get your WordPress password changed? One surefire way to regain control of your WordPress account is by manually changing the password in the WordPress MySQL database.
Important: Given that this step requires work on the WordPress database, it is strongly recommended that you back up the database before you continue.
Log into your cPanel account and find phpMyAdmin under Databases.
With phpMyAdmin open:
1. Select your WordPress database from the pane on the left
2. Select the wp_users table from the list of tables below the database name
3. Find your username in the list of users, and click Edit
The next page reveals the individual fields within the wp_users table. Among these fields, you’ll find user_pass which is where an encrypted form of the password is stored. To change your WordPress password, do the following:
4. Select MD5 in the Function column of the user_pass field. This is how the password you create will be encrypted.
5. Next, enter a strong password in the value column of the user_pass field.
6. When you’re done, scroll down a little and click Go.
When you refresh the page, you’ll see that user_pass now holds an MD5 hash of your password. But is that good enough? Not quite: a plain MD5 hash can be cracked without too much effort. Luckily, WordPress checks the format of the stored hash when you log in and re-hashes a plain MD5 value with its stronger salted scheme, which is why you’ll see the MD5 string in the database change after you’ve logged into your account.
4. How to Reset a WordPress Password Using WP-CLI
The WordPress Command-Line Interface makes life a lot easier by speeding up tasks that would usually require more steps to complete from the WordPress dashboard, like resetting a password. If you have access to the WP-CLI, you can use the user update command. The command structure looks like this:
wp user update <username> --user_pass="<password>"
If you’re running more than one WordPress installation, you’ll need to add the --path switch to specify which WordPress installation you want to change the password for:
wp --path=/var/www/mysite user update leo --user_pass="password"
Use the link above to see all options available to the user update command.
5. How to Reset a WordPress Password Using functions.php (cPanel)
Using the functions.php file to reset your WordPress password comes with the caveat that you’ll need to know your WordPress user ID. If your account was the administrator account added during WordPress installation, your user ID will likely be ‘1’. If you know your WordPress user ID, follow these steps:
1. Log into cPanel and open up the File Manager
2. With File Manager open, go to public_html > wp-content > themes > your active theme directory and right-click on functions.php and select Edit.
Important: If you do not have a recent backup of your WordPress website files, it is strongly recommended to download a copy of functions.php before editing the file. Right-click on the functions.php file and select Download.
3. Click Edit on the Edit dialog box that appears to start editing, and add the following to the start of the functions.php file:
wp_set_password('a_strong_password', 1); // sets the password of user ID 1; remove this line once you have logged in
Here you’ll have to replace ‘a_strong_password’ with your desired (strong) password, and ‘1’ with your WordPress user ID. Remember to place single quotes around the password.
When you’re done, click Save Changes, but do not close the editor.
4. Go to your WordPress login page, or refresh if it is already open. Once the login page has loaded, go back to the editor and remove the line of code. Click Save Changes and close the editor.
(Note: If you do not remove the line of code, your password will be reset whenever functions.php is read, and you’ll be returned to the login page every time you try to log into your account.)
5. Enter your new password and log in.
How to Change Your WordPress Password
Just want to find out how to change your WordPress password? It’s an easy task that can be accomplished in a few easy steps:
1. Log into your WordPress account and navigate to Users > Profile.
2. Scroll down to Account Management and click on Set New Password.
3. Enter your new password and click Update at the bottom of the page. (See WordPress Password Best Practices below)
WordPress Password Security: Understanding Hashes and Salts
When you log into your WordPress website, the password you enter isn’t compared directly to the value of user_pass in the database. If it were, every login attempt would fail even with the correct password, because user_pass never holds the password itself. To understand this part of WordPress authentication, it’s necessary to look at what happens when you change your WordPress password.
WordPress employs hashing, a one-way cryptographic function that turns a string of text into what appears to be a string of random characters, called a hash. There are a number of hashing algorithms available; WordPress uses MD5.
But since MD5 is a bit weathered and not as secure as it once was, more is needed to protect the credentials of WordPress users. To this end, cryptographic salts are added to passwords. A cryptographic salt is a unique piece of random data that is combined with the password before it is hashed. As such, even where two passwords are exactly the same, the salt ensures that their hashed forms are different.
In addition to the MD5 hashing process (which is run 8 times), WordPress also uses key stretching, which repeats the hashing so that, by the time your password is finally hashed and stored in the database, it is impossible to guess.
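To make the hashing, salting and stretching described above concrete, here is an added example (not WordPress’s own code) that reimplements the phpass “portable” hash WordPress writes to user_pass, plus the login-time check that accepts a bare MD5 value once and flags it for re-hashing, which is the behaviour behind the phpMyAdmin method in section 3. The known-answer pair is taken from phpass’s test suite; the other inputs are constructed for the example.

```python
import hashlib
import hmac
import os

# phpass "portable" hash as WordPress stores it in user_pass (added example, not WordPress's code).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Known-answer pair (password, hash) taken from phpass's own test.php.
PHPASS_VECTOR = ("test12345", "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0")

def _encode64(data: bytes, count: int) -> str:
    """phpass's private base64: every 3 bytes (little-endian) become 4 chars, no padding."""
    out = []
    for i in range(0, count, 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)

def crypt_private(password: str, setting: str) -> str:
    """Recompute a $P$ hash from its 12-char setting: '$P$' + log2(rounds) + 8-char salt."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return "*0"
    count_log2 = ITOA64.find(setting[3])     # 4th char encodes the iteration count
    if not 7 <= count_log2 <= 30:
        return "*0"
    salt, pw = setting[4:12].encode(), password.encode()
    h = hashlib.md5(salt + pw).digest()      # the salt is mixed in on the first round
    for _ in range(1 << count_log2):         # stretching: MD5 repeated 2**count_log2 times
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)

def hash_password(password: str, count_log2: int = 13) -> str:
    """WordPress constructs PasswordHash(8, true); on PHP 5+ that is 8+5=13, i.e. '$P$B', 8192 rounds."""
    salt = _encode64(os.urandom(6), 6)       # fresh random salt: equal passwords get different hashes
    return crypt_private(password, "$P$" + ITOA64[count_log2] + salt)

def check_password(password: str, stored: str) -> tuple:
    """Mirror wp_check_password(): returns (matches, needs_rehash).
    A stored value of 32 chars or fewer is a bare MD5 (what phpMyAdmin's MD5 function writes);
    WordPress accepts it once and re-hashes it with phpass on that login."""
    if len(stored) <= 32:
        ok = hmac.compare_digest(stored, hashlib.md5(password.encode()).hexdigest())
        return ok, ok
    return hmac.compare_digest(crypt_private(password, stored), stored), False
```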
Also read: What To Do When Your New WordPress Site Is Hacked
WordPress Password Best Practices
Back in 2012, Jeremi Gosney simulated brute-force attacks to determine the strength of several hashing algorithms. The test employed a cluster of Graphical Processing Units (GPUs) to test how long it would take to crack the MD5, SHA1, and bcrypt algorithms respectively. Here are the results:
Gosney’s system managed to perform 180 billion guesses per second on MD5 hashes. That’s quite a lot, considering that he used technology that’s a bit outdated by today’s standards. In more practical terms, it means he would be able to guess all possible 8-character passwords in just over 9 hours.
Cracking SHA1 hashes proved slightly more challenging, at 61 billion guesses per second. That’s all 8-character passwords cracked in 27 hours.
The bcrypt algorithm proved the most challenging, at roughly 71,000 guesses per second. At that rate, it would take 27 years to crack all possible 8-character passwords.
So what does that mean for your WordPress password? While WordPress still uses the MD5 hashing algorithm, WordPress passwords aren’t plain MD5 hashes. Instead, as explained above, they’re modified with salts, stretched, and hashed multiple times. This means it could potentially take a very, very long time to crack your password. But there are other cracking techniques, which underscore the importance of adhering to password best practices, such as:
- Never use a password that’s easy to guess. NordPass’s Most Common Passwords List provides examples of passwords that are easy to guess, and easy to crack. More importantly, the list illustrates the common formats or structures of weak passwords.
- Avoid outdated ‘strong password’ advice. Not too long ago, it was recommended that passwords be at least 8 characters long and include a number, an upper case letter, and a special character. Given that moderately powerful systems can make hundreds of billions of guesses a second, it’s recommended that you rather aim for a password with at least 14 characters (and not all of them letters).
- Never use the same password twice. The reasoning behind this piece of advice is simple: If one site where you have an account is compromised, your credentials can’t be used to gain access to your other online accounts.
- Don’t make a note of your password. Not on paper, not in an email, and not even in a digital voice note.
- Use two-factor authentication (2FA). Two-factor authentication refers to the practice of double authentication – once with a password, and the next by clicking a link or entering a code. A plugin like Wordfence Security (it’s free) not only helps protect your site against attacks but also provides 2FA functionality. With 2FA enabled, you have an added layer of security, even when your login credentials are compromised.
Also read: Why Site Owners Should Run Regular WordPress Security Audits
Frequently Asked Questions (FAQ): WordPress Passwords
How can I reset my WordPress password?
WordPress passwords can be reset using one of the methods listed above. The two easiest methods include making use of managed WordPress hosting and doing it yourself by using WordPress’s built-in Password Reset feature.
What is the minimum length for a WordPress password?
Without using any additional security software capable of overriding native WordPress password requirements, the minimum length for a WordPress password is 9 characters (according to our own tests). However, that minimum can change based on the strength of your password. Weak passwords will therefore have a higher minimum number of characters.
Why can’t I use a simple password in WordPress?
Nowadays, computer systems are powerful enough to run billions of password guesses a second. Threat actors will typically use dictionaries of common passwords and other phrases first to gain access to a system, which means simple passwords can be cracked in seconds. Once an attacker has access to a WordPress account, other exploits can be employed to elevate privileges in that WordPress system, and potentially even gain server access.
Does WordPress require certain types of characters in the password?
WordPress will accept a password made up of letters only. However, if those letters make up common words or phrases, the minimum password length requirement may be increased. It is always recommended to use long passwords with a combination of uppercase and lowercase letters, along with numbers and special characters.
How often should I change my WordPress password?
If the passwords you use for each site are unique, there is no need to frequently change the password of one particular account. However, if you reuse the same email address/password combination on different sites, it is recommended that you change your password at least once every three to six months. (Even then, it is recommended to adopt a ‘unique password per account’ approach.)
Can I recover my WordPress password if I forget it?
While it is technically possible to recover a WordPress password (given enough skill and time), it is much easier just to change it.
Can I use the same password for multiple WordPress sites?
You can use the same password on multiple WordPress sites, but it isn’t recommended – especially when that password is used with the same email address.
How does WordPress store and protect passwords?
WordPress stores passwords as salted, stretched hashes rather than in plain text (see WordPress Password Security: Understanding Hashes and Salts above) and keeps them indefinitely.
Is it safe to use ‘Remember Me’ when logging into WordPress?
It is safe to use WordPress’s ‘Remember Me’ feature as long as it is not on a publicly or generally accessible system. It is strongly recommended to log out of your WordPress account if you use a public computer or terminal (e.g. internet cafe).
What is the role of hashes and salts in protecting my WordPress password?
See WordPress Password Security: Understanding Hashes and Salts.
How do I change my WordPress password directly in the database?
See WordPress Password Reset with phpMyAdmin / MySQL.
What to do next
The techniques discussed above range from easy methods like using the WordPress Password Reset Feature to more technical ones such as resetting the password through phpMyAdmin or the WP-CLI. But, not everyone has the skill or time to perform technical tasks. With WordPress Website Management you get the headspace and peace of mind needed to focus on your business, while teams of experienced administrators and engineers carry the technical load. The next time you need your password reset, just ask.