Need to Change WordPress Password? These 7 Fixes Cover Every Scenario

by

7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

change wordpress password

If you need to change WordPress password access, chances are something has already gone a bit sideways.

Sometimes it is routine. You want a stronger password. You shared login access with someone and now want control back. Or you logged in on a public computer and would rather not leave that risk hanging around.

Other times, it is more stressful. The password stopped working. The reset email is nowhere to be found. Or the account details changed and now you are left wondering whether this is just a login issue or the start of a bigger security problem.

Either way, you are in the right place.

This guide shows you how to change WordPress password safely, based on what access you still have right now.

TL;DR: To change WordPress password, use wp-admin if you can log in. If you are locked out, use the lost password link or reset it with phpMyAdmin, WP-CLI, or MySQL if email recovery fails. If the change was unexpected, scan your site for malware and update all related passwords.

Before you choose a method, one important note. If you think someone else may have changed your password first, do not stop with WordPress. Change the passwords for your hosting account, cPanel, database, FTP, SSH, and email account too. 

If the site has been hacked, resetting only the WordPress login will not be enough.

Let’s start with the simplest way to change WordPress password access.

wp-admin

If you can still get into your dashboard, this is the best way to change WordPress password settings.

It is the safest method, the fastest method, and the one least likely to create a new problem while you are trying to solve the current one. This is also the right option if you are not locked out at all and simply want to update an old password, remove shared access, or tighten WordPress security.

Here’s how to go about it:

Users section on the dashboard

Log into your WordPress admin area and open the Users section from the left sidebar.

Ckick on Edit for the user

Go to All Users and open the profile for the account you want to update by clicking Edit.

Account management section

Scroll down to the Account Management section and click Set New Password so WordPress opens the password field.

Strong generated password

Use the strong password WordPress suggests, or enter your own strong password if you already use a password manager.

Send password reset link to user.png

Alternatively, Send Reset Link instead if you are updating another user’s account and want that person to choose their own password. Click Update User so WordPress saves the change properly.

If WordPress gives you a long random password, that is usually a good sign. It may not be easy to remember, but it is often far stronger than something you would come up with quickly. If you use a password manager, let it handle that burden for you. Also, if more than one person is using the same admin login, fix that after you change the password. Shared credentials nearly always come back to bite later.

If you cannot access the dashboard at all, the next method is the usual fallback.

The lost password link

This is the built-in recovery route. When it works, it is simple.

You do not need hosting access. You do not need database access. You do not need to touch site files. You just need access to the email account tied to your WordPress user.

That last part matters. This method depends on email working properly, and that is where things often go wrong.

Here’s how to go about it:

lost your password link

Open your WordPress login page by visiting your site’s wp-login.php URL in a browser. Click the Lost your password? link below the login form to open the reset page.

enter email address in password recovery page

Enter the username or email address attached to your WordPress account and submit the request. Check the inbox for that email account, and make sure to look in spam, junk, and promotions too.

Open the email, click the reset link, and create a new password on the page that follows. Return to the login screen and sign in with the new password. If the reset email does not show up, do not assume you are doing something wrong. WordPress email delivery breaks more often than people expect.

Common causes include:

  • the site is not sending email correctly
  • the email address on the account is outdated
  • a plugin is interfering with the reset process
  • the message is being filtered before it reaches your inbox

This is usually the point where readers start looking for a way to change WordPress password without email, which brings us to the database method.

phpMyAdmin

If you cannot use the email reset method, phpMyAdmin is usually the most practical way to change WordPress password access.

This method works well when:

  • you are locked out
  • the reset email is not arriving
  • the reset link is broken
  • you no longer control the old email address

phpMyAdmin lets you update the password directly in the WordPress database. That means you are going around the email flow completely.

A quick warning before you begin. Take a backup. The change itself is small, but the database is still one of the most important parts of your site.

Also, your users table may not be called wp_users. Many WordPress sites use a custom table prefix, so the actual table name may be something like abc_users.

Here’s how to go about it:

database-tables-on-phpmyadmin

Log into your hosting account and open phpMyAdmin or the database manager your host provides. On many hosts this is inside cPanel.

DB-Creds-WP-config

Choose the correct database for your WordPress site before opening any tables. If you are unsure which database belongs to the site, check the DB_NAME value in wp-config.php.

user_pass phpmyadmin

Find the users table and open it carefully. On many sites this is wp_users, but use the actual prefix your installation uses. Locate the correct user row and click Edit. Replace the value in the user_pass field with your new password, then choose MD5 from the Function dropdown. Save the row and test the new password on the WordPress login page.

That MD5 setting matters because it hashes the password when the value is saved. If you skip that part, the login will not behave the way you expect.

Three quick checks before you save; make sure you:

  • opened the right database
  • edited the right user
  • selected MD5

For many readers, this is the section that matters most because it solves the problem the built-in reset flow could not. If you prefer terminal access, though, the next method may be quicker.

WP-CLI

If you already use SSH and terminal access, WP-CLI is one of the fastest ways to change WordPress password access.

It is clean, direct, and avoids manual database editing. If command line tools are already part of how you manage your site, this method feels much lighter than clicking around inside phpMyAdmin.

Here’s how to go about it:

Connect to your server over SSH using your server username and public IP address: ssh [username]@[ipaddress]

Move into the directory where WordPress is installed so WP-CLI targets the right site: cd /[pathtowordpress]/

List the WordPress users on that site so you can confirm the right account and user ID: wp user list

Identify the correct user ID before running the password update command.

Update the password for that account using WP-CLI: wp user update [user_id] --user_pass=[new_password]

Test the new password by logging back into WordPress once the command completes.

If your password contains special characters, wrap it in quotes so your shell does not misread it.

wp user update 1 --user_pass='NewStrongPassword!2026'

Also, make sure you are in the correct WordPress directory before running the command. On servers with more than one WordPress site, this is an easy mistake to make. If you are not sure where WordPress is installed, check your wp-config.php file or review the WordPress file structure.

If WP-CLI is not installed, or if you want to work directly with SQL, the MySQL command line method gives you that control.

MySQL Command Line

This is the command-line version of phpMyAdmin. You connect to the database directly and update the password with SQL.

It is not the first method we would suggest to most site owners, but if you are comfortable with terminal work, it is a perfectly valid way to change WordPress password access without relying on email or the dashboard.

Here’s how to go about it:

Connect to your server over SSH and open a terminal session with access to MySQL: ssh [username]@[ipaddress]

Log into MySQL using the database username for your WordPress site: mysql -u [dbusername] -p

Select the correct WordPress database before running any queries: use [database_name];

Check which users table belongs to the site if you are unsure about the table prefix: show tables LIKE '%users';

List the user accounts so you can confirm the username or ID you want to update: SELECT ID, user_login, user_pass FROM wp_users;

Update the password for the correct account using either the username or user ID: 

UPDATE wp_users SET user_pass=MD5('new-unencrypted-password') WHERE user_login='[username]';

Or

UPDATE wp_users SET user_pass=MD5('new-unencrypted-password') WHERE ID='[userID]';

Confirm the row was updated before exiting MySQL: SELECT ID, user_login, user_pass FROM wp_users WHERE user_login='[username]';

Exit MySQL and test the new password on your WordPress login page: exit;

One detail matters a lot here. wp_users is the users table name, not the database name. If your site uses a custom prefix, replace wp_users with the correct table name in every query.

If all of this feels too close to the engine, that is fair. phpMyAdmin is easier for most readers. But if database access is not practical and you only have file access, there is still one last-resort option.

Emergency Password Reset Script

This method exists for rough cases. The ones where the usual recovery routes are unavailable, but you can still reach the site files. If you need to change WordPress password access and all you have is FTP, SFTP, or File Manager, the emergency reset script can help. If you are not sure how to reach your site files, start with how to access WordPress files.

📝 Note: You are placing a live reset script on your server. If you leave it there after the password is changed, someone else could find it and use it too. That is why we strongly suggest you backup your WordPress site before you begin, even if this feels like a quick fix.

Here’s how to go about it carefully:

Create a new text file on your computer and paste the password reset script into it exactly as shown below:

<?php

require './wp-blog-header.php';

function meh()

{

global $wpdb;

if (isset($_POST['update']))

{

$user_login = (empty($_POST['e-name']) ? '' : sanitize_user($_POST['e-name']));

$user_pass = (empty($_POST['e-pass']) ? '' : $_POST['e-pass']);

$answer = (empty($user_login) ? '<div id="message" class="updated fade"><p><strong>The user name field is empty.</strong></p></div>' : '');

$answer .= (empty($user_pass) ? '<div id="message" class="updated fade"><p><strong>The password field is empty.</strong></p></div>' : '');

if ($user_login != $wpdb->get_var("SELECT user_login FROM $wpdb->users WHERE ID = '1' LIMIT 1"))

{

$answer .= "<div id='message' class='updated fade'><p><strong>That is not the correct administrator username.</strong></p></div>";

}

if (empty($answer))

{

$wpdb->query("UPDATE $wpdb->users SET user_pass = MD5('$user_pass'), user_activation_key = '' WHERE user_login = '$user_login'");

$plaintext_pass = $user_pass;

$message = __('Someone, hopefully you, has reset the Administrator password for your WordPress blog. Details follow:') . "\r\n";

$message .= sprintf(__('Username: %s') , $user_login) . "\r\n";

$message .= sprintf(__('Password: %s') , $plaintext_pass) . "\r\n";

@wp_mail(get_option('admin_email') , sprintf(__('[%s] Your WordPress administrator password has been changed!') , get_option('blogname')) , $message);

$answer = "<div id='message' class='updated fade'><p><strong>Your password has been successfully changed</strong></p><p><strong>An e-mail with this information has been dispatched to the WordPress blog administrator</strong></p><p><strong>You should now delete this file off your server. DO NOT LEAVE IT UP FOR SOMEONE ELSE TO FIND!</strong></p></div>";

}

}

return empty($answer) ? false : $answer;

}

$answer = meh(); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>WordPress Emergency PassWord Reset</title> <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" /> <link rel="stylesheet" rel="noopener" target="_blank" href="<?php bloginfo('wpurl'); ?>/wp-admin/wp-admin.css?version=<?php bloginfo('version'); ?>" type="text/css" /> </head> <body> <div class="wrap"> <form method="post" action=""> <h2>WordPress Emergency PassWord Reset</h2> <p><strong>Your use of this script is at your sole risk. All code is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness. Further, I shall not be liable for any damages you may sustain by using this script, whether direct, indirect, special, incidental or consequential.</strong></p> <p>This script is intended to be used as <strong>a last resort</strong> by WordPress administrators that are unable to access the database. Usage of this script requires that you know the Administrator's user name for the WordPress install. (For most installs, that is going to be "admin" without the quotes.)</p> <?php echo $answer; ?> <p class="submit"><input type="submit" name="update" value="Update Options" /></p> <fieldset class="options"> <legend>WordPress Administrator</legend> <label><?php _e('Enter Username:') ?><br /> <input type="text" name="e-name" id="e-name" class="input" value="<?php echo attribute_escape(stripslashes($_POST['e-name'])); ?>" size="20" tabindex="10" /></label> </fieldset> <fieldset class="options"> <legend>Password</legend> <label><?php _e('Enter New Password:') ?><br /> <input type="text" name="e-pass" id="e-pass" class="input" value="<?php echo attribute_escape(stripslashes($_POST['e-pass'])); ?>" size="25" tabindex="20" /></label> </fieldset> <p class="submit"><input type="submit" name="update" value="Update Options" /></p> </form> </div> </body> </html> <?php exit; ?>

Save the file as emergency.php so it is easy to upload and easy to delete later.

FTP

Connect to your site through FTP, SFTP, or File Manager and open the root folder of the WordPress installation. This is often public_html, but the name can vary. Upload emergency.php into that root folder.

uploading the file to root folder

Open your browser and visit yourdomain.com/emergency.php so the reset form loads.

Enter the administrator username and your new password, then submit the form.

Log back into WordPress using the new password. Delete emergency.php from the server immediately after the reset works.

That last step is not optional. Delete the file right away.

Also, this method only works if you know the admin username. You do not need email access for the reset to work, but you do need the correct administrator login name.

There is one more file-based route people ask about. It works, but it is easier to mishandle.

FTP

This method uses the wp_set_password() function inside a PHP file on your site.

It can help you change WordPress password access if you have file access but cannot use the usual recovery options. 

📝 Note: This comes with a catch. If you forget to remove the code after you log in, WordPress will keep forcing the password change behavior on page load.

So yes, this method works. It just needs careful cleanup. Before you begin, ensure you have a backup of your site in place.

Here’s how to go about it:

Connect to your server using FTP, SFTP, or your host’s File Manager and open the WordPress installation folder.

Open wp-content and then open the folder for the active theme on your site. Open functions.php in a text editor and add the following line immediately after the opening PHP tag: wp_set_password( 'password', 3 ); Replace password with your new password and 3 with the correct user ID.

Save the file, upload it back to the theme folder, and overwrite the original version. Log into WordPress with the new password you just set.

Remove that line from functions.php immediately after login works and upload the cleaned file again.

A few warnings here are worth taking seriously:

  • make sure the user ID is correct
  • do not leave the code in place after the reset
  • be careful not to break the PHP syntax
  • if you are uneasy editing theme files, use phpMyAdmin instead

For most readers, FTP is not the first or best way to change WordPress password access. It is simply one more route when other routes are not available.

Troubleshooting 

Even when you use the right method, password resets do not always go cleanly.

Sometimes the email never arrives. Sometimes the new password saves but the login still fails. Sometimes the password changed without your approval, which is the point where this stops feeling like maintenance and starts feeling like a security issue.

Let’s go through the common problems.

  • Not receiving password reset emails: Check spam, junk, and promotions first. If the email still is not there, your site may not be sending email correctly. That is common on some hosts. If you need access now, use phpMyAdmin, WP-CLI, or MySQL Command Line instead. Once you regain access, it is worth setting up an SMTP plugin so WordPress email has a more reliable delivery path.
  • Changing the password isn’t working: If you manage to change WordPress password settings but still cannot log in, the password may not be the real problem. A plugin conflictor theme conflict can interfere with login flow. Custom login plugins, membership tools, and some caching setups are common troublemakers. If you can access the site another way, disable plugins and switch to a default theme temporarily. Then test the login again.
  • Password changed suddenly or without authorization: Treat this like a security incident. If the password or account email changed without your approval, scan the site for malware, clean it if needed, and change every related password you can think of. Not just WordPress. Hosting, FTP, SSH, database, cPanel, and email too. This is also where a firewall matters. A stronger password helps, but it does not stop bots from hammering your login page. 

📝 Note: MalCare helps with malware scanning, cleanup, firewall protection, and brute force blocking, which is exactly the kind of layer you want after a scare like this.

  • Reset password link is not working: Sometimes the link expires. Sometimes the email client breaks the URL. Sometimes a plugin or security rule blocks the reset flow. Try one fresh reset request. If the new link still fails, move on to phpMyAdmin. It is usually quicker than wrestling with a broken email path while you are locked out.
  • Can’t remember the username: Try your email address on the reset screen first. If that does not work, check the users table in the database. phpMyAdmin is often the fastest place to confirm the correct username.

Best practices after you change WordPress password

Once you manage to change WordPress password access, do not treat that as the last step.

A password update solves the immediate problem. It does not fix the habits that made the problem likely in the first place.

Here is what we recommend after you reset or change your WordPress password.

  • Use a unique password for WordPress and nowhere else. Reusing passwords turns one breach into several very quickly.
  • Use a password manager to store and generate strong passwords. This makes secure passwords much easier to live with.
  • Create separate user accounts for teammates, developers, or temporary collaborators instead of sharing a single admin login.
  • Do not save passwords in browsers on shared devices or public computers. If you logged in somewhere you do not trust, change the password when you get back to your own device.
  • Use long passwords with uppercase letters, lowercase letters, numbers, and symbols. Twelve characters is a good minimum. Longer is better.
  • Avoid using names, birthdays, site names, or anything easy to guess.
  • Add login protection and a firewall, not just a stronger password. Passwords matter, but login security is broader than the password alone.

Parting thoughts

If you came here trying to change WordPress password access after getting locked out, we hope you are back in now.

If you came here because you wanted to tighten security before anything went wrong, even better. That kind of small maintenance never feels urgent until the day it suddenly does.

When you need to change WordPress password access, start with the least invasive method that fits your situation.

And if the whole thing felt a little off from the start, trust that instinct. Sometimes a password problem is just a password problem. Sometimes it is the first clue that somebody else has been somewhere they should not have been.

FAQs

How do I change WordPress password on localhost?

Open phpMyAdmin at http://localhost/phpmyadmin/, select your WordPress database, open the wp_users table, edit the correct user row, replace the user_pass value, choose MD5 from the Function dropdown, and save.

What is my WordPress admin password?

It is the password you created during installation or updated later. If you cannot remember it, use the Lost your password? link or change WordPress password access through the database.

Can I change WordPress password from cPanel?

Yes. Open phpMyAdmin from cPanel, select the correct database, open the users table, and update the user_pass field for the right user.

How to reset password from phpMyAdmin?

Open phpMyAdmin, select your WordPress database, open the users table, edit the right user row, replace the user_pass value, choose MD5 in the Function column, and save.

How to reset my username and password?

Passwords can be changed from wp-admin, the lost password page, phpMyAdmin, WP-CLI, or MySQL. Usernames are separate. The safest route is often to create a new admin account with the correct username and remove the old one later.

Category:

You may also like


How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.