It’s a nightmare not being able to login to your WordPress site. You’re sure you have the right password, you even tried resetting the password, but nothing works. You’re locked out of your site. Thankfully there are fast methods of regaining access by modifying a few database records or a few files via FTP. As long as you have some access to the underlying server resources, you’ll be back in WP admin in no time.

This guide will help you in the following situations:

  • reset password option does not work
  • reset password works but you’re not getting the email (for whatever reason)
  • you know the username & password but it just doesn’t work
  • you’ve messed up the account’s priviledges
  • users or usermeta database table is corrupted or acccidentlay modified/deleted
  • a plugin/theme has messed something up login related

For the methods in this guide to work you need just one of the following things:

  • FTP access to the server, or
  • cPanel access to the server, or
  • access to the MySQL database

Help! I can’t log in!

There is an unlimited number of reasons why you can’t log in. Wrong username or password is the simplest explanation, but I don’t recommend relying on that premise. Especially if you know you messed around with WordPress and the login does not work as a result of that. The first step to fixing the problem – disable the theme and all plugins. For that, we don’t need admin access, and the action won’t “destroy” anything. It’s completely reversible.

If you have FTP access rename /wp-content/plugins/ and /wp-content/themes/ folders. Any new name will do; just add an “x” in front of the name.

If you have MySQL access open the options table (the table will have a prefix, ie wp_options) and find rows that have the option_name column set to active_plugins and current_theme. Either delete the two rows or change their option_name values so you can easily revert things later. WP will fall back to the default theme (Twenty Seventeen for versions prior to v5) if it’s available in the default location.

Go back to wp-login.php, refresh the page and try to log in. Still not working? Read on.

Take a minute to figure out the simplest approach

If you didn’t mess at all with WordPress or your account and you’re quite confident the issue is just with the wrong username or password then take the MySQL route. Changing the password in the database is all it takes to regain access.

If you don’t have an account at all or you have reasons to believe you messed it up, then the FTP approach works better as we’ll need to create a new account. A positive result is achievable both with just FTP or just MySQL access so don’t be alarmed if you only have one available.

If you have access to WP-CLI for your site there’s no need to mess with files or databases. The wp user command will give you more than enough tools to fix an account or create a new one.

Loggin in without a username or password – The MySQL way

For a WP account to work, a few things have to be properly aligned. WP looks up the username and the hashed password in the users table and if it finds one row it’ll continue to search for additional rows in the usermeta table. It needs them to figure out your account privileges. If any of the things mentioned above fail you won’t be able to log in or you will but not with the right privileges. Due to WordPress’es filters and actions, any number of plugins and themes can alter this process and make debugging much harder. That’s why I already advised disabling them all.

I’ll also mention the possibility of running a customized WP DB class via a drop-in. A bug in that can also be the culprit. To make sure you’re not running any drop-ins rename the /wp-content/mu-plugins/ folder. If you can’t find that folder – great! It means you don’t have any drop-ins active.

phpMyAdmin is a decent tool for changing or adding a few rows in WP’s database. Most people access it through cPanel as it comes preinstalled and you don’t have to enter the credentials again. As a reminder, cPanel is available on https://yoursite.com:2083. If that’s not available to you, but you do have the database username, password and the ability to connect to it from a remote host then I suggest installing the free HeidiSQL app and connect using those details. The username and password saved in wp-config.php certainly work if your WP works, but can rarely be used to connect to MySQL from a remote host due to security restrictions. How things are set up depends on the server, and it’s impossible to give general advice.

Modifying a few database rows

Find your account in the users table. Again – the table always has a prefix. By default it’s wp_users, but it can be anything; ie: site765_users. Assuming just the password is wrong edit the user_pass column and enter a new hashed password (only use MD5). Hash for password “123456” is e10adc3949ba59abbe56e057f20f883e but I’d highly recommend using a more decent password and generating a hash for it. Save the row and try to login. No luck? Let’s check the priviledges.

Note down your account id – visible in the users table, under id column. Then find all rows in usermeta table that have that id value for the user_id column (key). You can expect to find 10+ rows but the ones that we need are those with wpc_capabilities and wpc_user_level values in meta_key columns. Set the first one to a:1:{s:13:"administrator";b:1;} and the second one to 10. Save, try loggin in. Still no luck? In that case I suggest creating a new admin account which is easier to do via FTP.

In case FTP is not available to you, mimic data from the account you already have to create a new one. Make sure it has a unique username and email address and that you create the two records in the usermeta table mentioned above. That’s all it takes to create an account directly in the database.

Loggin in without a username or password – The FTP way

First and crucial step in this method is finding the active theme’s functions.php file. If you renamed the /wp-content/themes/ folder rename it back and leave just the Twenty Seventeen theme in it. Any other theme will do too, but make sure it doesn’t have any custom login functionality that can cause bugs.

After locating the functions.php file test to make sure you have the right one. Trust me on this one – I’ve lost hours editing the wrong file. Add die('It works!'); as the first PHP line of the file; save and refresh the site. If nothing changes, you have the wrong file. Undo the change and find the right one. Once you have it add this code to the beginning of the file;

// modify these two lines
$user_email = 'myemail@domain.com';
$user_password = '123456';

if ( !username_exists( $user_email ) ) {
  $user_id = wp_create_user( $user_email, $user_password, $user_email );

  wp_update_user( array( 'ID' => $user_id, 'nickname' => $user_email ) );

  $user = new WP_User( $user_id );
  $user->set_role( 'administrator' );
  wp_die( 'Success!' );
} else {
  wp_die( 'Username already exists.' );
}

Modify the first two lines of the code, save the file and reload the site. “Success!” should appear on the screen and you can then proceed to log in with the new username and password; the ones you set in the first two lines of the code. Don’t forget to remove the code from functions.php once you’re done.

Other methods of regaining access to WordPress

If you have FTP, MySQL or cPanel access the methods above will get you logged in. If not, make sure you leave a comment below. I’d be curious to hear what’s preventing you from logging in.

A common “small thing” that causes problems for some people is not opening wp-login.php on the right URL. Either using “www” when it’s not set as the site address or vice-versa. Or not using the right protocol – HTTPS instead of HTTP and vice-versa. While the page might load that does not mean you’re on the right URL so double check it.

If you came here to learn how to hack into someones WordPress sorry, not that kind of article. By having FTP or MySQL access, I assume you’re a legitimate owner and won’t use the described methods for evil purposes.

Leave a Reply

Your email address will not be published. Required fields are marked *