Technical guide on resetting a lost WordPress administrator password using direct MySQL/MariaDB queries. Learn the MD5 hashing requirement and SQL syntax for emergency access.
Resetting the WordPress Administrator Password Directly via MySQL Query
If you have lost access to your WordPress administrator account and the email recovery system is non-functional (e.g., due to a broken SMTP configuration), you can force a password reset via the database. This method requires access to your Hovixa VPS terminal and utilizes the mysql command-line client to modify the wp_users table directly.
1. Identifying the Correct Database
Before executing a query, you must identify the database name and the table prefix used by your installation. You can find these details in your wp-config.php file.
grep -E 'DB_NAME|table_prefix' wp-config.php
2. Understanding WordPress Password Hashing
WordPress historically uses MD5 hashing for passwords within the user_pass field of the database. When you manually update the password via SQL, you must wrap the new string in the MD5() function. Upon your first successful login, WordPress will automatically "re-hash" this into a more secure, modern portable hash.
3. Executing the Update Query
Log in to your MySQL/MariaDB prompt and execute the following commands. Replace your_new_password and admin_username with your actual values.
# 1. Access the MySQL shell
mysql -u root -p
# 2. Select your WordPress database
USE your_database_name;
# 3. Execute the update (assuming 'wp_' is your prefix)
UPDATE wp_users SET user_pass = MD5('your_new_password') WHERE user_login = 'admin_username';
Note: If you do not know the exact username, run SELECT user_login FROM wp_users; first to list all registered accounts.
4. Quick-Reference Query Table
| Objective | SQL Syntax Snippet |
|---|---|
| Update Password | SET user_pass = MD5('pass') |
| Change Admin Email | SET user_email = '[email protected]' |
| Find User ID | SELECT ID, user_login FROM wp_users; |
| Reset URL | UPDATE wp_options SET option_value = '...' WHERE option_name = 'siteurl'; |
5. Technical Implementation Details
- Caching Latency: If you use an object cache like Redis or Memcached on your Hovixa VPS, the old password hash might remain in memory. After running the SQL query, flush your cache using
redis-cli flushallorwp cache flushvia WP-CLI. - Salt Security: Direct MD5 injection is an emergency measure. Once logged in, it is best practice to change the password again via the WordPress Profile page to ensure it is salted and hashed using the phpass library.
- Table Prefixes: Many security plugins change the default
wp_prefix to something random (e.g.,hvxa_99_). Always verify the table name usingSHOW TABLES;before running anUPDATEquery to avoid "Table not found" errors.
Sysadmin Advice: If you have WP-CLI installed, use wp user update [ID] --user_pass="new_password" instead. It is safer, handles the hashing automatically, and clears relevant caches without needing to write raw SQL.
