There are various articles and tutorials on the web explaining how to reset your WordPress password using different methods (email, FTP, emergency scripts, MySQL, phpMyAdmin).
Unfortunately a large portion of them, particularly the ones using MySQL and phpMyAdmin to reset the WordPress password, will not work. Or rather, they will work, but there is a catch, and since these write-ups do not mention it, they will very likely NOT work. In particular the WordPress Codex page on resetting your password, which is what Google places as the top result when searching for phrases like “wordpress reset password”, will NOT work, not out of the box anyway.
What’s the catch?
Well, for starters, a great many of these posts are old and assume that WP stores the password’s MD5 hash. This was changed long ago: passwords are now hashed with the Portable PHP password hashing framework, which means they use a hash plus a salt and are stored base64-encoded. If you have access to MySQL or phpMyAdmin and can examine the contents of your WP DB, you can easily verify this: look in the table <prefix>_users (where the prefix is ‘wp’ by default, so this table will often be called ‘wp_users’). The passwords are stored in the column ‘user_pass’. If the passwords start with $P$B and do not look like a HEX string, this is your brand new ‘salted’ base64 password, thank you very much, and you won’t be able to use MD5 to permanently store your new password there. And the ‘catch’ here is ‘permanently’.
Even though pure MD5-hashed passwords are no longer used in WordPress, it will still recognize an MD5 password and accept it. Once. This means that you can use it to log in once, and then you will need to reset your password again using the wp-admin panel (‘Profile’ –> ‘New password’).
Unfortunately the above procedure does not always work. Why? We will explain below, and also how we can MAKE IT WORK 😉!
First, let’s examine the process and try to identify the source of the problem. The process is as follows:
- You use MySQL’s ‘MD5’ function to hash your plain-text password and store the result in the user_pass field;
- You point your browser to www.yoursite.com/wp-admin and try to log in;
- It worked! (woo-hoo, you’re done!) … OR … It did not work 🙁
If you are one of the unhappy “It does not work” herd, then read on:
As usual, attention to detail saves the day ;). If we examine step 2 closely, we will notice that upon entering the wp-admin URL we are actually redirected to another location that looks something like this:
http://www.yoursite.com/wp-login.php?redirect_to=http://www.yoursite.com/homedir-yoursite/wp-admin/&reauth=1
And that is what messes things up for us. Yes, WP will accept your MD5 password... once... and then change it to the salted base64 version (after it has let you in). The problem we’re facing is that using the URL we were redirected to CHANGES the password to base64 FIRST and THEN tries to LOG US IN! And that, of course, does not work 🙂
The fix? Simply enter the URL yoursite.com/wp-login.php (not wp-admin!) in your browser and log in there. Using that page will not change your password, and you will happily log into your admin panel, where you will have to change your password again to make sure the correctly salted and base64-encoded password ends up in your DB and that you can seamlessly log in in the future! Of course, yoursite.com needs to be replaced by the name of your actual domain 🙂
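As an added example, not from the original post or from WordPress itself: a small Python script that reproduces the Portable PHP password hashing scheme WordPress uses for ‘user_pass’, so you can write a proper ‘$P$B…’ value into the DB (one WordPress keeps permanently, instead of the one-shot MD5 value), tell the two formats apart, and verify a stored hash offline. The function names, the sample password and the round-count default are assumptions made here.

```python
import hashlib
import secrets

# phpass alphabet; the character right after "$P$" is the index of log2(rounds) in this string
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    # phpass's own base64-like encoding: each 3-byte chunk is read little-endian and
    # emitted as 6-bit groups from the low end; a trailing 1- or 2-byte chunk gives 2 or 3 chars
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)

def crypt_private(password: bytes, setting: str) -> str:
    # recompute the hash of `password` under the "$P$<rounds><8-char salt>" prefix of `setting`
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])  # ValueError if the character is not in the alphabet
    if not 7 <= count_log2 <= 30:
        raise ValueError("round count outside phpass's accepted range")
    salt = setting[4:12].encode()
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):  # "$P$B": 'B' is index 13, so 2**13 = 8192 rounds
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest)  # 3 + 1 + 8 + 22 = 34 characters

def hash_password(password: str, count_log2: int = 13) -> str:
    # default 13 reproduces the "$P$B" hashes WordPress itself writes to wp_users.user_pass
    salt = encode64(secrets.token_bytes(6))  # 6 random bytes -> 8 salt characters
    return crypt_private(password.encode(), "$P$" + ITOA64[count_log2] + salt)

def check_password(password: str, stored: str) -> bool:
    # True when `stored` (a user_pass value) is the portable hash of `password`
    try:
        return secrets.compare_digest(crypt_private(password.encode(), stored), stored)
    except ValueError:
        return False

def is_legacy_md5(stored: str) -> bool:
    # the 32-hex-char value MySQL's MD5() writes, which WordPress accepts only once before rehashing
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())

if __name__ == "__main__":
    print(hash_password("correct horse battery staple"))  # constructed sample password
```

Paste the printed value into the user_pass column for your user in phpMyAdmin and log in through wp-login.php as described above; because it already has the ‘$P$B’ form, WordPress treats it as an ordinary password hash rather than a one-time MD5 login.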
– – –
Also, if you have access to your DB, you could simply look up the email used for that particular user, change it to one of your emails if necessary, and request a new password by email. But that wouldn’t be as much fun, right? 😉
P.S. It seems that logging into WP from the wp-admin URL does not work anymore, or perhaps it does not work after the password reset, so just use wp-login instead from now on.
It didn’t work. I’m still locked out. I need help. I can’t reset my password, and so my hoster reset it for me. But it won’t recognize the password change.
The people at wordpress.org are useless. They’re not even reading what I’m writing, and they’re sending standard stuff that isn’t what I’m dealing with. And they’re not even looking at the programming to see what’s wrong.
They’re wasting time I don’t have, as the launch date for my website is literally in less than a week, and I still have things to do.
Help!