WordPress password recovery for when things go horribly wrong
- December 11th, 2010
- Write comment
One of my relatives, whom I’m hosting a WordPress site for, recently forgot their administrator password and couldn’t get into their WordPress Dashboard. I of course being the server provider was able to see the actual user table where their account was stored inside of MySQL but wasn’t able to interpret the password since it’s stored as a hash. We tried several times to retrieve the password using the “Lost your password?” option on the user login screen but I guess his work was filtering the emails. So, I started doing some digging around. A number of folks said to use PHPMyAdmin to manipulate the database that’s connected to the WordPress blog and change it that way. To that I reply, “Over my dead body.” I refuse to install PHPMyAdmin on a production machine since it simply opens up yet another attack vector. So digging a little bit deeper past the PHPMyAdmin recommendations I found the emergency.php script for WordPress. Essentially this is a drop-in PHP page that you FTP to your website, use it once and quickly delete it! It allows you to reset your WordPress admin account password for those times when you’ve forgotten the password. Again, I can’t say it enough, remove the file afterwards else someone else stumbles upon your emergency.php page and resets your password w/o your authorization!
Couple of links that might be helpful:
http://lorelle.wordpress.com/2009/02/06/the-agony-of-the-lost-wordpress-password/
http://codex.wordpress.org/Resetting_Your_Password
http://codex.wordpress.org/User:MichaelH/Orphaned_Plugins_needing_Adoption/Emergency