Not being able to log into the backend of your WordPress website can be a nerve-racking experience, whether you can’t remember your password or no longer have access to your recovery email address.
Fortunately, there are different methods that you can use to change, reset, or recover your WordPress password. In this article, we’ll explain the importance of strong password security and the difference between changing and resetting it. Then we’ll share eight methods you can use to restore or reset your WordPress password and offer some additional security tips. Let’s get started!
An introduction to WordPress password security
Before we get into the logistics of changing and resetting your password, it might help to first understand a little bit about WordPress password security.
WordPress is the most popular CMS (content management system) in the world. Unfortunately, this popularity makes the platform a common target for hackers. One of the most popular methods hackers use to break into WordPress websites is by using bots to guess passwords.
Over the years, WordPress has taken a number of steps toward advancing its password security practices:
- In 2013, it added a password strength indicator during account setup.
- In 2014, it began destroying existing sessions once someone logged out of their site.
- In 2015, it introduced a feature to help users generate strong passwords.
A recent report by NordPass reveals the 200 most common passwords and how quickly they take to guess (most are less than a second). Weak passwords can pose a host of security threats to websites, which is why the WordPress security team implements a variety of password fortification features.
The WordPress CMS manages user login information and authentication cookies on the server-side. It also leverages a permission system to limit access to sensitive data and information, including personal user information like email addresses. With that said, users should still follow security guidelines when creating passwords.
The importance of creating strong passwords
One of the ways WordPress has always aimed to defend against cyberattacks is by encouraging site owners to use strong passwords. WordPress asks you to take the following steps when setting passwords:
- Make them long (ten to 50 characters)
- Include numbers, uppercase and lowercase letters, and special characters (@, #, *, etc.)
- Change passwords every four months
Creating hard-to-guess passwords is an effective way to minimize your risk of brute force attacks — when nefarious agents use botnets to generate thousands of possible username/password combinations until they gain entry into your site.
When brute force attacks are successful, hackers can steal your data and modify your site code. They can also affect your website’s performance and cause your server to run out of memory.
Having to change or reset your password can be frustrating. However, the ultimate goal is to help safeguard your website and data.
The difference between changing and resetting your password
There’s a difference between changing and resetting your password. While both methods have the same outcome (a new password), the process for each one varies.
Changing your password is something you can do yourself and usually quite quickly, assuming you have access to your profile settings. You can also change your password when you know what your current one is.
Resetting your password is what you do when you don’t know what your password is, usually because you forgot it. It’s not something you can do yourself, but instead have to ask the system or an administrator to handle that task for you.
If you are the administrator, you might be able to reset the password yourself. You can also do this for users who have forgotten their passwords and don’t have admin access.
How to reset your WordPress password
Now that we’ve covered the difference between changing and resetting your passwords, it’s time to show you how to go about it. Below are eight methods you can use to reset or restore your WordPress password:
1. Use the WordPress password login reset link
One of the quickest and easiest ways to reset your password is to use the Lost your password? link that is displayed on the WordPress login screen. Note that you’ll need to have access to your admin email account to use this method.
First, navigate to your website login page. You can find it at “https://[yourdomainname].com/wp-admin”. Of course, you’ll need to replace “[yourdomainname]” with your own.
Once you’re on the login screen, you can locate the reset password link at the bottom of the form.
After you click on the link, it will ask you to enter your WordPress username or email address.
When you’re ready, click on the Get New Password button. Assuming you entered the correct information, a password reset link will be sent to your email address. You can use this link to reset your WordPress password.
2. Submit an assisted account recovery request
It’s possible that you may not have access to the email address that you used to create your WordPress user account. If this is the case and you’re using WordPress.com, you could try the Account Recovery Form.
This form will ask you to provide some information about your account, including:
- Email address or username
- Website URL
- Proof of ownership
When you’re done filling it out, you can submit it by clicking on the Recover my account! button at the bottom of the form. Once submitted, one of WordPress.com’s Happiness Engineers will contact you about the next steps.
3. Ask another admin user to edit your profile
WordPress users with administrator permissions can change passwords for other users. So, if you have other administrators on your site, they can change your password for you.
Or you can ask another administrator to edit your profile and send you a reset link. To send a password reset link, you can navigate to Users → All Users from your dashboard. On this screen, you can click on the Send password reset link listed under the username.
Alternatively, you can click on the Edit link. The option to reset or change the password will be located under the Account Management section.
4. Reset your WordPress website password through phpMyAdmin and the MySQL database
Another way you can change or reset your password is by going through cPanel and using phpMyAdmin. This is one of the solutions that you can use if you can’t remember or access your admin email to obtain the reset link that we discussed in the first method.
The exact process can vary a little depending on which hosting provider you use. We recommend reaching out to your host for specific instructions or assistance if needed.
Also, note that this method involves accessing and editing your site’s database files. WordPress uses your MySQL database to store the necessary data for running your site, including your credentials.
It’s not the most beginner-friendly option and should only be used if you have experience working with your database. We also recommend backing up your database before resetting your password. That way, if anything goes wrong, you’ll have a recent version to restore.
To get started, log into your cPanel account (or hosting control panel). Then, from the dashboard, click on the phpMyAdmin option under the Databases section.
Once you log into your phpMyAdmin account, you’ll see a list of databases to your left. Click on your WordPress database. Next, locate the wp_users row and select the Browse icon to the right.
This will bring you to a new screen that lists all registered users on your WordPress site. Locate the username that you want to change the password for, then click on Edit.
On the next screen, browse to the user_pass section. Next to it, you’ll find a complex string of letters and numbers.
Select and delete this encrypted password and replace it with the new password. Next, click on MD5 from the dropdown menu. This setting encrypts the password for you.
When you’re done, you can save your changes by clicking on the Go button at the bottom of the page. You should now be able to log into your WordPress admin using your new password.
Changing your password through MySQL
There’s another place you can go to reset your password in phpMyAdmin. This method involves using an SQL statement to run a query.
To try this method, click on the SQL tab at the top of the screen. Within the text field, you can enter the following (as long as you have the username):
UPDATE `wp_users` SET `user_pass` = MD5( ‘new_password’ ) WHERE `wp_users`.`user_login` = “admin_username”;
Make sure that you replace the “new_password” and “admin_username” values with your own.
When you’re done, click on the Go button.
5. Use File Transfer Protocol (FTP)
If you don’t have access to your site through cPanel, you can also use a File Transfer Protocol (FTP) client like FileZilla to connect to your website and reset your password. Note that this process involves editing your site’s functions.php file. Be sure to back up your site before making any changes!
You’ll also need your FTP credentials in order to connect to your site. You can find this information within your hosting account. If you’re unsure of where to locate it, you can check with your host’s documentation.
Here’s what you’ll need to connect to your website via FTP:
Once you connect to your website via FTP, navigate to the root directory of your website (public_html), then to your themes folder (wp-content → themes). Open the folder of your current theme (e.g., twentytwentyone), then look for the functions.php file, right-click on it, and select Download.
Within the text editor of your choice, you’ll need to make some changes to the code in this file. You’ll either need to add or edit the following line of code:
edit the wp_set_password
Next, you want to set it as:
wp_set_password (‘password, 1’)
In this example, “password” is the sample new password, but you can change it to whatever you want. The “1” refers to the WordPress user’s ID number.
When you’re done, save the file, then re-upload it to your theme’s folder via FTP. You should now be able to log into your WordPress site.
There’s one more thing to do. You need to undo the changes that you made to the file. You can do this by re-downloading the functions.php file, removing the line of code, then uploading it again.
6. Go through cPanel
If your hosting provider uses cPanel, there’s another method you can use to reset your password that doesn’t involve phpMyAdmin. This tactic should work if you used an auto-installer in cPanel to install WordPress but don’t have access to your admin email.
Note that this method only works for resetting admin passwords. To get started, log into cPanel and navigate to WordPress Manager.
Depending on which web host you use, it’s possible you’ll need to do this via the Softaculous Apps Installer. On the next screen, scroll down to find the installation that you want to reset your password for and click on the pencil icon.
Next, navigate to the Admin Password field under the Admin Account section.
Enter the new password that you want to use and save your changes. Now you can return to your WordPress login screen to see if your new password works.
7. Reset your WordPress password using WP-CLI
If you’re an experienced WordPress user and are familiar with WP-CLI (and have access to it), you can also change or reset any of your users’ passwords with this method. WP-CLI is a command-line tool that developers can use to manage a variety of WordPress tasks.
This includes adding and removing users, troubleshooting issues, and resetting passwords. Essentially, the purpose is to help the workflow efficiency of developers.
If you haven’t heard of it or don’t have development experience, this probably isn’t the best method for you to attempt. On the other hand, if you feel comfortable working with command-line tools, it could be a quick and effective way to reset your password.
To begin, access your site via WP-CLI, then navigate to the root directory of your site. Next, use the following command to obtain a list of users:
wp user list
Locate the user you want to change the password for and make a note of the user ID. Admin user IDs are “1”, so we’ll use that as an example. You can replace that value with the associated ID.
Next, enter the following command:
wp user update 1 --user_pass=password
Instead of “password,” enter what you want the new password to be. That’s it!
8. Add an emergency password reset script
If you’re still unable to recover or reset your WordPress password, there’s one more method you can try. This can be a risky option, so we only recommend using it as a last resort.
Also, note that you’ll need the website’s administrator email and password. This means that if you’re not the admin, you’ll need to request it from them.
This method involves creating a PHP file from a pre-written script and adding it to your website. You can locate and copy this emergency password reset script from the WordPress Codex.
Once you’ve copied the script, open a new file in the text editor of your choice and name it emergency.php. Then, paste the entire script within the file.
Next, update the values of the script so that they match your admin credentials and save the file. Now, you’ll need to either connect to your site via FTP or through your hosting control panel, and upload the file to your site’s root directory.
You can open a new browser tab and go to “https://[yourdomainname].com/emergency.php”. You’ll be asked to enter your admin username before creating a new password.
When you’re done, select Update Options. A confirmation email will be sent to the administrator email with the new password. Now you should be able to log into your WordPress site.
As with the functions.php file, you’re not officially done until you delete the emergency.php file from your server. Otherwise, it can introduce a security threat.
Tips for troubleshooting common password reset issues
Unfortunately, the process of resetting or recovering your WordPress password may not be a smooth one. There are a handful of possible issues that you might run into.
The good news is that most problems have pretty simple fixes. Let’s take a look at some of the most common ones.
What should I do if I reset my password but WordPress doesn’t recognize it?
If you recently changed your password but WordPress doesn’t recognize it, then it might be saving an old password that you don’t remember. Try deleting the password if it’s auto-populated in the form when you enter your username. Then, type in your new password. You might also want to try clearing your browser cache.
What should I do if my site breaks after resetting the password via phpMyAdmin?
Editing your database files can be risky. If something goes wrong in the process, it can cause your site to break, which can be incredibly scary. This is why we always recommend backing up your WordPress site before editing any files.
If after resetting your password via phpMyAdmin you’re unable to see your login screen, it’s probably best to backtrack your steps. First, return to phpMyAdmin to ensure that you carefully followed the instructions and correctly entered all of the information.
If this doesn’t work, we recommend restoring your site from a backup. Then you can attempt another method for resetting the password.
What should I do if my site breaks after using FTP to reset my password?
Similar to phpMyAdmin, resetting your password via FTP involves directly editing a site file. First, go back to FTP and make sure that you made the changes to your current theme’s functions.php file, rather than another theme’s file.
When you’re sure you’re editing the correct file, review the information to make sure you entered it correctly. If this still doesn’t work, you can delete that theme’s folder and redownload it from WordPress.
What should I do if I tried to reset my password but never got an email with a reset link?
The WordPress password reset emails are automated, so there’s a chance that it may have wound up in your spam folder. If not, make sure that you’re accessing the correct email associated with your admin account.
If you’re unsure of the email or no longer have access to it, you’ll have to use a different method to restore your WordPress password. There are several solutions you can try, including going through cPanel, using FTP, or submitting an Assisted Account Recovery request form to WordPress.
How to change your WordPress password
Perhaps you already know your existing password and have full access to your WordPress admin dashboard. If that’s the case, you can easily change your WordPress password. This is something that we recommend doing every few months for security purposes.
To do so, log into your admin dashboard. Next, navigate to Users → Profile. Then, under the Account Management section, you can select the Set New Password button.
Once you click this button, WordPress will automatically generate a new password for you. You can choose to keep this one or customize it.
It’s important to make sure your password is as strong as possible, which we’ll discuss in a moment. When you’re done, you can click on the Update Profile button at the bottom of the screen to save your changes.
Tips for changing your password and ensuring it’s secure
The login credentials that you use to access your WordPress site are the first layer of protection. However, there are both active and passive measures that you can take to safeguard your site. Let’s take a look at some tips you can use.
1. Choose a strong, complex, and unique password
Throughout this post, we’ve mentioned the importance of ensuring that any new password you set for your WordPress website is strong and secure.
When creating or changing a password, it’s essential to make it as complex and difficult to guess as possible. This means using a random combination of letters (upper and lowercase), numbers, and special characters (#,@,!*, etc.). Your password should be somewhere between 10 and 50 characters.
While these types of passwords are not the easiest to remember, they’re the most difficult for hackers to crack. It’s also smart to ensure that the password you use for your WordPress account is not the same one you use for other accounts.
2. Use a password generator and manager tool
To generate a complex, strong password, we recommend using a password generator tool. For example, you can use WordPress’ built-in feature. You can use other tools, like LastPass, which can also help you store and remember difficult passwords.
These tools can help organize your login credentials and make them readily available. This way, you can minimize the likelihood of having to go through the process of resetting or restoring your WordPress password when you can’t remember it.
3. Change your password frequently (and keep it to yourself)
Another important aspect of exercising strong password security is making sure you periodically change it. We recommend updating it every couple of months.
While this may seem like a pain, it can go a long way in keeping your site safe. Plus, it becomes easier to do when you’re using a password manager.
It’s also important to make sure that you don’t share your passwords with other users or parties. Using repeat passwords across multiple accounts can make you more susceptible to attacks.
If a cybercriminal knows your email address and password to your website, they can use this information to log into other online accounts that you have, like your banking apps. Creating different passwords for each individual account can help contain or limit the damage.
Fortunately, WordPress makes it easy to not only change your password but to auto-generate a complex one as well. You can do so on your WordPress user profile screen. Just remember to change it every couple of months.
If you have a site maintenance process, it’s a smart idea to incorporate this task as a necessary step in the checklist. That way, you’re less likely to forget to do it.
4. Implement two-factor authentication (2FA)
Even if you have a solid and complex password, your site may still be susceptible to brute force attacks. To add an additional layer of security, we recommend implementing two-factor authentication (2FA).
When you enable this feature, WordPress will ask you to submit two forms of identity verification in order to access your site. In addition to knowing the password, the user must also be able to verify their identity using a second method, like a mobile device or external app. WordPress will send a time-sensitive code to your phone, which will help you complete the login process.
Thankfully, Jetpack offers two-factor authentication for WordPress at no cost.
5. Limit login attempts
Another way to prevent brute force attacks is to limit login attempts on your WordPress site. This will only allow the user a certain number of failed attempts before locking them out of the site for a set amount of time.
Limiting login attempts on your WordPress site can help you spot and block suspicious activity. To add this feature to your site, you can use a plugin like WP Limit Login Attempts.
Once you install it, you can customize the settings by navigating to Settings → WP Limit Login from your dashboard. Then you can choose a login attempt limit, the lockdown time in minutes, and whether to enable a reCAPTCHA.
6. Strengthen your security using Jetpack
At this point, we’ve mentioned a few strategies for securing your password and the tools that you can use to accomplish individual functionality. To further protect your site, we recommend using a complete WordPress security solution like Jetpack.
Rather than relying on a handful of plugins, it’s wise to use a service that can help you handle all aspects of your website’s security. Let’s say someone gained access to your site using an insecure password. In this case, you can use Jetpack’s security features to restore and recover your WordPress website.
Jetpack includes various features and tools that can help you keep your website safe, including:
- Brute force attack protection
- Web application firewall (WAF)
- Two-factor authentication
- Real-time backups
- Automated malware scanning
- Downtime monitoring
- Automatic plugin updates
Jetpack’s one of the most widely-used plugins for a reason: it’s a reliable, effective, all-in-one solution that has great support. Built by the team behind WordPress.com, it integrates seamlessly with most major plugins and themes.
Frequently asked questions about WordPress passwords
At this point, you hopefully have a solid understanding of WordPress password security and how to reset and change your passwords. Let’s wrap up with a few frequently asked questions.
Where can I find my WordPress username and password?
If you don’t know your username and password, you’ll need to know the email address that you used to set up your WordPress site. Then, you can click on the reset link on the login form page to have the information sent to you.
If you’re already logged into the back end of your site but simply want to save this information for future use, you can locate your username by navigating to Users → Profile. If you scroll down, you can see your username listed under the Name section. It also tells you the email address that’s on your account. While this screen won’t tell you your current password, you should be able to easily reset it when you have your username and email.
How do I reset my password without email access?
You can use a couple of methods to reset your WordPress password when you don’t know your admin email. You can use FTP, phpMyAdmin, or cPanel. If you don’t want to edit any site files, you can submit an Assisted Account Recovery form (for WordPress.com) or ask an admin user to reset it for you.
Can I change another user’s password?
If you’re an admin user, you can change the password of any other user on your site. When logged in, navigate to Users → All Users and find the one you want to edit. Then, scroll down to the Account Management section and click Set New Password. You can either stick with the one WordPress generates or set your own. Finally, click the Update User button.
Or, in that same section, you can send a password reset link to the user’s email so they can update their own password.
Passwords: a cornerstone of WordPress site management
There’s a lot of work involved in running a safe WordPress site. This includes creating secure passwords. However, it’s not uncommon to forget your login credentials or run into an issue that prevents you from changing your password through the admin dashboard.
As we discussed in this article, there are eight methods you can use to reset or restore your WordPress password. From using the Lost password link on the login screen to editing your site’s functions.php file, there’s a solution for every situation. Just remember to choose a strong, complex password and follow security best practices to help safeguard your site.