“WordPress password reset doesn’t work”
There’s various articles and tutorials on the web explaining how to reset your WordPress password using different methods (email, ftp, emergency scripts, mysql, phpmydamin).
Unfortunately a large portion of them, particularly the ones using mysql and phpmyadmin to reset the wordpress password will not work. Or rather – they will work but there is a catch and since these write-ups do not mention this – they will very likely NOT work. In particular the WordPress Codex page on resetting your password, which is what google places as top result when searching for phrases like “wordpress reset password” will NOT work, not out fo the box anyway.
What’s the catch?
Well, for starters, a great deal of these posts are old and assuming that WP stores the password’s MD5 hash. This has long been changed and now the passwords are encrypted using Portable PHP password hashing framework which means they use with hash+salt and are stored in base64. If you have access to mysql or phpmyadmin and can examine the contents of your WP DB you can easily verify this: look in table <prefix>_users (where prefix is usually ‘wp’ by default so often this table will be called ‘wp_users’). The passwords are stored in column ‘user_pass’. If the passwords start with $P$B and do not look like a HEX string this is your brand new ‘salted’ base64 password, thank you very much, and you won’t be able to use MD5 to permanently store your new password there. And the ‘catch’ here is ‘permanently’.
Even though pure MD5-hashed passwords are no longer used in wpress, it will recognize an MD5 password and will accept it. Once. This means that you can use it to log in once and then you will need to reset your password again using the wp-admin panel (‘Profile’ –> ‘New password’).
Unfortunately the above procedure does not always work. Why? We will explain below why, and also – how we can MAKE IT WORK š !
Firstly let’s examine the process and try and identify the source of the problem. The process is as follows:
- You use mysql’s ‘MD5’ function to encrypt your plain-text password and to store it in the user_pass field;
- You point your browser to www.yoursite.com/wp-admin and try to login
- It worked! (woo-hoo, you’re done!)Ā … OR … It did not work š
If you are one of the unhappy “It does not work” herd then read on:
As usual, attention to detail saves the day ;). If we examine step 2 closely we will notice that upon entering the wp-admin URL we are actually redirected to another location, that looks something like this:
http://www.yoursite.com/wp-login.php?redirect_to=http://www.yoursite.com/homedir-yoursite/wp-admin/&reauth=1
And that is what messes things up for us. Yes, WP will accept your MD5 password.. once.. and then change it to the salted base64 version (after it had let you in). The problem we’re facing is that using the URL we were redirected to will CHANGE the password to base64 FIRST and THEN try to LOG US IN! And that of course does not work š
The fix? Simply enter the URL yoursite.com/wp-login.php (not wp-admin!) in your browser and login there. Using that page will not change your password and you will happily log into your admin panel where you will have to change your password again to make sure the correctly salted and base64-encoded password ends up in your DB and athat you can seamlessly login in the future! Of course yoursite.com needs to be replaced by the name of your actual domain š
– – –
Also,Ā if you have access to your DB, you could simply look up the email used for that particular user, change it to one of your emails if necessary and request a new password in the email. But that’s wouldn’t be as much fun, right? š
2 Responses to “WordPress password reset doesn’t work”
Leave a Reply Cancel reply
-
Categories
- Android Development
- Bash
- C programming
- dpkg/apt-get
- drupal
- Emacs
- Git
- Java
- Linux administration
- Linux device drivers
- Linux Gaming
- Linux kernel
- Linux Networking
- Linux on Windows
- Linux printing
- Linux sound and ALSA
- Package Managers
- Programming
- RPM
- Shell and environment
- Tips and tricks
- Uncategorized
- VirtualBox
- Virtualization
- web development
- wine
- WMaker
- Wordpress Tips
- X Window System
- XFCE
-
Articles
- August 2020
- August 2019
- May 2019
- July 2017
- February 2017
- January 2017
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- April 2016
- March 2016
- December 2015
- November 2015
- September 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- October 2014
- February 2014
- January 2014
- November 2013
- October 2013
- June 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- October 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- September 2011
- August 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
-
Meta
Cloud
audio bash boot compile C programming cups drupal emacs etc Fedora git grep how to httpd init kernel libc linux linux partition localtime login make mount mp3 mysql networking oracle package managers password phpMyAdmin programming rpm shell sql vbox version control system virtual box vm web server wordpress www xargs xfce xwin yum
.. btw it seems that logging into WP from the wp-admin URL does not work anymore.. or perhaps it does not work after the password-reset… so just use wp-login instead from now on
It didn’t work. I’m still locked out. I need help. I can’t reset my password, and so my hoster reset it for me. But it won’t recognize the password change.
The people at wordpress.org are useless. They’re not even reading what I’m writing, and they’re sending standard stuff that isn’t what I’m dealing with. And they’re not even looking at the programming to see what’s wrong.
They’re wasting time I don’t have, as the launch date for my website is literally in less than a week, and I still have things to do.
Help!