Resetting the WordPress admin password is one of those tasks where the right method depends entirely on what access you still have. If you can read the recovery email, the standard “Lost your password?” link is fine. If you cannot, you need WP-CLI, a database update, or a one-shot mu-plugin instead. This guide walks through all four methods in order of easiest to most invasive, plus the supporting steps that catch people out: changing the recovery email when it is wrong, dealing with multiple admin accounts, and what to do when the password reset email never arrives.
If you cannot reach the login page at all – it redirects somewhere else, returns a 401, or just does not load – you are not in a password-reset situation. See locked out of WordPress admin: how to get back in instead, which covers the broader set of lockout causes.
Method 1: The "Lost your password?" link (easiest)#
This is the path WordPress designed for the situation. Go to
wp-login.php
, click Lost your password?, enter the username or email associated with the admin account, and WordPress emails a reset link. Click the link, set a new password, you are in.
This works as long as three things are true:
- The email address on the admin account is one you can read right now.
- Your site can actually send mail (default PHP
mail()or a configured SMTP plugin). - The reset email is not landing in your spam folder.
If any of those three conditions fail, the rest of this guide applies.
Reset email not arriving
Check spam first – WordPress’s password reset email comes from a
wordpress@yourdomain.com
address by default, which often gets filtered. If it is not in spam, the site is probably not sending mail at all, which is its own problem (see why is port 25 often blocked for the underlying reason most cheap hosts cannot send PHP mail). The fastest workaround in this scenario is to skip Method 1 and use one of the methods below that does not depend on email.
Recovery email is wrong
If the email on the admin account is an old one you cannot read, the reset link goes to the wrong inbox. You need to change the email on the account before requesting the reset – which usually means using one of the other methods to update the email field, then coming back to Method 1. The fastest path here is the WP-CLI approach in Method 3, which lets you update the email and the password in two commands.
Method 2: From another admin account (no special access needed)#
If your site has a second administrator account that you can still log into, this is the cleanest fix. Log in with the working account, go to Users > All Users, find the admin account that needs a new password, click Edit, scroll down to “Set New Password”, and click Set New Password to generate a strong one or type your own.
You can also change the email field on the same screen if it is wrong. Save, then send the new credentials to the locked-out user (or yourself).
This is not always possible – many WordPress sites have only one admin account, or every admin account is locked out. But if you have the option, it is the lowest-risk method because everything happens through the standard WordPress UI with no database edits or shell commands.
Method 3: WP-CLI (best for SSH access)#
If you have SSH access to the server, WP-CLI is the cleanest non-UI option. It updates the password through WordPress’s normal user functions, which means correct hashing, correct user_meta updates, no manual SQL.
First, list the administrators on the site so you know which username to update:
wp user list --role=administrator --fields=ID,user_login,user_emailThen update the password for the right account:
wp user update admin_username --user_pass="your_new_password"Replace
admin_username
with the actual login from the list above (or use the numeric ID instead of the username). Use a strong password – WP-CLI does not enforce complexity rules, so it is on you.
If the recovery email is also wrong, fix it in the same command:
wp user update admin_username --user_pass="your_new_password" --user_email="you@example.com"WP-CLI is the right answer when you have shell access. It avoids the risks of direct database edits and handles everything WordPress would normally handle if you had used the UI.
If you do not have WP-CLI installed but you do have SSH access, install it with the standard one-liner from the WP-CLI docs, or use Method 4 instead.
Method 4: phpMyAdmin or the MySQL CLI (database edit)#
If you have database access but no SSH or WP-CLI – common on lower-tier shared hosting plans – you can update the password directly in the
wp_users
table.
Open phpMyAdmin (or connect with the MySQL CLI), select your WordPress database, and find the
wp_users
table. The table prefix may not be
wp_
if your install uses a custom prefix – check
$table_prefix
in
wp-config.php
if you are not sure.
In the SQL tab, run:
UPDATE wp_users
SET user_pass = MD5('your_new_password')
WHERE user_login = 'admin_username';Replace
admin_username
with the actual login. Replace
'your_new_password'
with the password you want.
About the MD5 hash
You will see
MD5()
here and reasonably wonder why we are using a deprecated hash for a password. The answer is that WordPress accepts MD5 hashes specifically as a fallback for password resets like this one. The next time you log in with that password, WordPress detects the MD5 hash, rehashes it with its own (much stronger) phpass algorithm, and writes the new hash back to the database. The MD5 only exists for one login, then it is gone.
So the workflow is: run the SQL, log in immediately, and the password is silently upgraded to phpass on that first login. Do not leave the MD5 sitting in the database for days – log in right away.
If you do not see your user
If
wp_users
does not show your username, two possibilities:
- The table prefix is different. Check
wp-config.phpfor$table_prefixand use the actual prefix. - The user does not exist. Either someone deleted it, or you have been looking at the wrong site/database all along.
You can also list all users with administrator role by joining
wp_users
and
wp_usermeta
:
SELECT u.ID, u.user_login, u.user_email
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
AND m.meta_value LIKE '%administrator%';Same prefix caveat applies. This is the SQL equivalent of
wp user list --role=administrator
. More on the standard ways to inspect MySQL user state in how to show and manage MySQL users – though note that “MySQL users” there means database accounts, not WordPress accounts. For WordPress accounts you always go through
wp_users
and
wp_usermeta
.
Method 5: One-shot mu-plugin (when you only have file access)#
This is the fallback for the case where you have FTP/SFTP access to the WordPress files but no database access and no SSH. You drop a file into
wp-content/mu-plugins/
, hit any page on the site once to execute it, then delete the file.
Create
wp-content/mu-plugins/reset-password.php
:
<?php
add_action('init', function() {
$user = get_user_by('login', 'admin_username');
if ($user) {
wp_set_password('your_new_password', $user->ID);
}
});Replace
admin_username
and
your_new_password
. Visit any page on the site (the homepage is fine). The plugin runs on
init
, calls
wp_set_password()
which updates the hash through WordPress’s normal mechanism, and you can now log in with the new password.
Delete the file immediately after. If you leave it in place, every subsequent page load resets the password again, which can lock you out of your own change. Worse, if an attacker discovers the file, they can edit it to set the password to whatever they want.
This method has the same correctness guarantees as WP-CLI – it uses
wp_set_password()
which handles phpass hashing properly – but it is fiddlier than WP-CLI and riskier if you forget the cleanup step.
Which method should you use?#
| Situation | Use |
|---|---|
| Recovery email works | Method 1: “Lost your password?” link |
| Have a second admin account | Method 2: From another admin account |
| Have SSH access | Method 3: WP-CLI |
| Have database access only (phpMyAdmin) | Method 4: SQL update |
| Have file access only (FTP/SFTP) | Method 5: Mu-plugin |
In practice, if you have SSH access, always use WP-CLI. It is the cleanest, fastest, and most forgiving. SQL and mu-plugin methods are fallbacks for environments that do not give you a shell.
After you reset the password#
Two follow-up steps are worth doing immediately, whichever method you used.
Confirm there is only one admin account that should exist. Run
wp user list --role=administrator
(or the SQL equivalent above). If there are extra administrator accounts you do not recognize, that is a security signal – someone may have added themselves. The normal fix is to demote or delete unfamiliar admins, but if you have any reason to suspect a compromise, follow the full incident response in my WordPress site was hacked: what to do right now. WordPress user roles and user management covers how to audit roles and capabilities cleanly.
Update the email on the recovered account if it was wrong. This is what made the password reset hard in the first place. Whether you set it from the dashboard, in WP-CLI with
--user_email
, or in SQL with an UPDATE on
wp_users.user_email
, do not leave the wrong email in place – you will need it for the next reset.
If the lockout that prompted this reset was caused by repeated failed login attempts triggering a brute force protection lockout, the new password will not help until the lockout window expires or you clear it on the security plugin / firewall side. Same applies if your IP got rate-limited at the server level.
How Hostney handles password recovery#
On Hostney, you do not need any of these methods to reset a WordPress admin password. The control panel has a one-click WordPress login from the WordPress management page – the platform creates a short-lived authenticated session for the install and drops you straight into wp-admin without a password prompt. You then change the password from Users > Your Profile like any other admin would.
For accounts that are not the one tied to your control panel – a contributor, editor, or second administrator who lost their password – you can also use the platform’s database access (a phpMyAdmin link from the MySQL Manager page) to run the Method 4 SQL directly, or open the file manager / SSH terminal to use Method 3 or Method 5. All five methods above work on Hostney; the difference is that the most common case (the primary admin) does not need any of them.
The platform also automatically takes a WordPress snapshot before each managed update, so if a snapshot restore is what you actually need (because you forgot a password change you made yesterday and the old one was working in the snapshot), one-click restore from the Snapshots tab covers that case too.
Summary#
The fastest path to reset a WordPress admin password depends on what access you have. If the recovery email works, use the “Lost your password?” link. If you have another admin account, use it. If you have SSH access, use WP-CLI’s
wp user update --user_pass
. If you have only database access, run a SQL UPDATE setting
user_pass = MD5(...)
on
wp_users
and log in immediately to trigger the phpass rehash. If you have only file access, drop a one-shot mu-plugin that calls
wp_set_password()
and delete it after the password is set.
After any reset, audit administrator accounts, fix the recovery email if it was wrong, and check whether the situation that caused the reset was something more than a forgotten password. For broader login problems that go beyond a wrong password, see how to fix the most common WordPress errors.