How to Recover Your WordPress Account


Recovering access to a WordPress account can be incredibly frustrating. Perhaps you’ve changed developers and the new one can’t access wp-admin. Or someone has been careless and lost their credentials, the password reset link isn’t working, and you can’t log in, no matter what you have tried. 

The good thing is, it’s possible. We’ve tried a bunch of ways to reset your wp-admin password and put together some methods that you will find helpful. We’ve got your back and you’ll be on your admin dashboard in a few minutes. 

TL;DR: If you’re struggling with the password reset link, reset the password via cPanel. If a security plugin is locking you out, deactivate it and then try to regain access. When all else fails, deploy the emergency password reset script to reclaim your login credentials swiftly.

Let’s start by figuring out what you have on hand. Do you know your login information, or can you get into the email that’s linked to your WordPress site? Maybe you have access to your web hosting panel. Knowing what you have will help us know where to begin. Depending on what you have on hand, choose one of the methods we discuss in this article.

Before starting the account recovery, try these quick checks:

  1. Welcome email: Revisit the initial email from your web host. It often includes vital info like database, phpMyAdmin, or FTP credentials.
  2. Web host account: Log in there to look for FTP details, cPanel access, or the database manager—these can be lifesavers.
  3. Spam inbox: Sometimes, your password recovery emails get mistakenly flagged. A quick peek into your email’s spam folder might be helpful.

If your email is working

If you have forgotten your WordPress account password, the Lost Password feature provides a simple way to reset it. Follow these steps to change your password and recover access to your account:

  1. Access the WordPress login page: Go to your WordPress website’s login screen, which is typically found by adding `/wp-admin` or `/wp-login.php` at the end of your site’s URL. For instance:

http://www.yourdomain.com/wp-admin

http://www.yourdomain.com/wp-login.php

  2. Use the lost password link: Beneath the login box, you will see a link that says “Lost your password?” Click on this link to initiate the password recovery process.
  3. Enter your email address: You will be redirected to a page where you can enter the username or email address associated with your WordPress account. After filling in the necessary field, click the Get New Password button.
  4. Check your email: WordPress will send an email to the address associated with your username. This email contains a link to reset your password. Check your inbox (and the spam/junk folder just in case) for this email. It may take a few minutes to arrive.
  5. Follow the password reset link: Once you receive the email, open it and click on the link provided. This link will take you to a special page on your WordPress site where you can set a new password. After you’ve chosen your new password, click on the “Reset Password” button to save it.
  6. Log in to your account: Try to log in to your account now to regain access to your admin panel.

If you can access your database

If you’ve forgotten your username (or your email isn’t receiving the password reset link), the best option is to identify the username and change the username in the database. In our case, we use phpMyAdmin, and here’s a straightforward, step-by-step guide to help you through it:

  1. Access phpMyAdmin: Log into your web hosting control panel, commonly known as cPanel. Look for a section named Databases and find an icon labeled phpMyAdmin. Click on phpMyAdmin to open it. This is the database management tool where you can find all your WordPress database information.
  2. Select your WordPress database: Once inside phpMyAdmin, select the database from the sidebar.
  3. Find the users table: Inside your WordPress database, look for the table ending with _users, usually called wp_users. Click on the wp_users table to see the list of users for your WordPress site.
  4. Find the username: Browse the user list and find your exact admin username.
  5. Reset the password: If you want to edit the password, click the Edit button next to your username.

Look for the user_pass field. This is where your password is stored. In the Value column, delete the existing series of characters. Type in your new desired password.

Very important: From the drop-down menu, select MD5 so that your password is stored as a hash rather than in plain text. MD5 is only a stopgap here: WordPress replaces it with its own stronger hash the next time you log in with the new password.

  6. Save changes: Scroll down and click the Go button to save your new password. Now you can go back to your WordPress login page and try logging in with your new password.

If you’re being locked out by a security plugin

Encountering a lockout from your WordPress site can be frustrating, particularly if it’s caused by a well-intentioned security plugin, like a 2FA plugin that’s mistaking you for a threat. Fortunately, you can deactivate the troublesome plugin using one of three methods: SSH, cPanel, or FTP. 

A. Deactivate the plugin via cPanel

  1. Log into your cPanel dashboard and navigate to the File Manager.
  2. Find your WordPress installation directory and go to wp-content/plugins.
  3. Locate the folder for the security plugin that’s locking you out and rename it.

B. Deactivate the plugin via FTP

  1. Connect to your server using an FTP client, like FileZilla.
  2. Navigate to the wp-content/plugins directory.
  3. Find the folder of the plugin causing the issues and rename it, just like in the cPanel method.

C. Deactivate the plugin via WP-CLI

  1. Install WP-CLI: If you have a Windows or Linux computer, you can easily install WP-CLI. However, on newer versions of MacBooks, you may run into issues like we did. We needed to install Xcode, Homebrew and PHP to make WP-CLI work at all. It was time-consuming to do so and we do not recommend this method unless you already have WP-CLI installed.
  2. Connect to your server: Open the terminal and connect to your server over SSH, using your actual SSH username and your website's domain.
  3. Enter your password when prompted.
  4. Once logged in, navigate to the directory where WordPress is installed. This is commonly within the public_html or www directory. Use this command:

```
cd path/to/wordpress/directory
```

The exact path will depend on your hosting setup.

  5. Before you can disable the plugin, you need to know its folder name. You can list all the installed plugins and their statuses with:

```
wp plugin list
```

  6. Deactivate the plugin by renaming its folder, which sits in wp-content/plugins, with the command:

```
mv wp-content/plugins/securityplugin wp-content/plugins/securityplugin_deactivated
```

Replace securityplugin with the name of the plugin’s folder.

After deactivating the plugin, you should regain access to your WordPress admin area. You should be able to log in, as normal. 

Pro tip: If you’re now in the market for a new security solution that’s robust yet user-friendly, consider installing MalCare. It’s designed to maximize security without locking out administrators, allowing for hassle-free management of your website’s defenses.

If nothing else works

If the other two methods for regaining access to your WordPress admin account have failed, there’s an alternative measure known as the emergency password reset script. This should be used only as a last resort, as it involves placing a script file that can reset your admin password directly on the server.

  1. Create the script: Open a plain text editor (like Notepad or TextEdit) and create a new file named emergency.php first. Copy and paste the following code into the file:
```php
<?php
// Load WordPress so $wpdb, wp_mail() and the escaping helpers are available.
require './wp-blog-header.php';

function meh()
{
    global $wpdb;

    if (isset($_POST['update']))
    {
        // WordPress adds slashes to $_POST, so strip them before using the values.
        $user_login = (empty($_POST['e-name']) ? '' : sanitize_user(wp_unslash($_POST['e-name'])));
        $user_pass = (empty($_POST['e-pass']) ? '' : wp_unslash($_POST['e-pass']));

        $answer = (empty($user_login) ? '<div id="message" class="updated fade"><p><strong>The user name field is empty.</strong></p></div>' : '');
        $answer .= (empty($user_pass) ? '<div id="message" class="updated fade"><p><strong>The password field is empty.</strong></p></div>' : '');

        // Only the account with ID 1 can be reset with this script.
        if ($user_login != $wpdb->get_var("SELECT user_login FROM $wpdb->users WHERE ID = '1' LIMIT 1"))
        {
            $answer .= "<div id='message' class='updated fade'><p><strong>That is not the correct administrator username.</strong></p></div>";
        }

        if (empty($answer))
        {
            // prepare() binds both values as parameters instead of pasting them into the SQL.
            $wpdb->query($wpdb->prepare("UPDATE $wpdb->users SET user_pass = MD5(%s), user_activation_key = '' WHERE user_login = %s", $user_pass, $user_login));

            // Tell the site's admin address about the change (the mail includes the new password).
            $plaintext_pass = $user_pass;
            $message = __('Someone, hopefully you, has reset the Administrator password for your WordPress blog. Details follow:') . "\r\n";
            $message .= sprintf(__('Username: %s') , $user_login) . "\r\n";
            $message .= sprintf(__('Password: %s') , $plaintext_pass) . "\r\n";
            @wp_mail(get_option('admin_email') , sprintf(__('[%s] Your WordPress administrator password has been changed!') , get_option('blogname')) , $message);

            $answer = "<div id='message' class='updated fade'><p><strong>Your password has been successfully changed</strong></p><p><strong>An email with this information has been dispatched to the WordPress blog administrator</strong></p><p><strong>You should now delete this file off your server. DO NOT LEAVE IT UP FOR SOMEONE ELSE TO FIND!</strong></p></div>";
        }
    }

    return empty($answer) ? false : $answer;
}

$answer = meh();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>WordPress Emergency PassWord Reset</title>
    <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
    <link rel="stylesheet" href="<?php bloginfo('wpurl'); ?>/wp-admin/wp-admin.css?version=<?php bloginfo('version'); ?>" type="text/css" />
</head>
<body>
<div class="wrap">
    <form method="post" action="">
        <h2>WordPress Emergency PassWord Reset</h2>
        <p><strong>Your use of this script is at your sole risk. All code is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness. Further, I shall not be liable for any damages you may sustain by using this script, whether direct, indirect, special, incidental or consequential.</strong></p>
        <p>This script is intended to be used as <strong>a last resort</strong> by WordPress administrators that are unable to access the database. Usage of this script requires that you know the Administrator's user name for the WordPress install. (For most installs, that is going to be "admin" without the quotes.)</p>
        <?php echo $answer; ?>
        <p class="submit"><input type="submit" name="update" value="Update Options" /></p>
        <fieldset class="options">
            <legend>WordPress Administrator</legend>
            <!-- esc_attr() replaces the deprecated attribute_escape(); isset() avoids a notice on first load -->
            <label><?php _e('Enter Username:') ?><br />
            <input type="text" name="e-name" id="e-name" class="input" value="<?php echo esc_attr(isset($_POST['e-name']) ? wp_unslash($_POST['e-name']) : ''); ?>" size="20" tabindex="10" /></label>
        </fieldset>
        <fieldset class="options">
            <legend>Password</legend>
            <label><?php _e('Enter New Password:') ?><br />
            <input type="text" name="e-pass" id="e-pass" class="input" value="<?php echo esc_attr(isset($_POST['e-pass']) ? wp_unslash($_POST['e-pass']) : ''); ?>" size="25" tabindex="20" /></label>
        </fieldset>
        <p class="submit"><input type="submit" name="update" value="Update Options" /></p>
    </form>
</div>
</body>
</html>
<?php exit; ?>
```
  2. Upload to your server: Using an FTP client or file manager in cPanel, upload the emergency.php file to the root directory of your WordPress installation.
  3. Run the script: In your web browser, navigate to ‘http://yourdomain.com/emergency.php’, replacing ‘yourdomain.com’ with your actual domain name. If everything is correct, you should see a ‘Success! Password Changed.’ message.
  4. Remove the script: Immediately delete the ‘emergency.php’ file from your server. Leaving this script on your server represents a significant security threat.

After resetting your password, you should immediately log in with your new password. Going forward, it’s crucial that you manage your passwords securely, possibly using password management tools to avoid similar situations in the future.

Please remember, using the emergency password reset script can be risky, as it allows password resetting without email confirmation. It should be used sparingly and with caution. Always remove the script after you have successfully reset your password to prevent unauthorized use.
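A post-recovery check for the leftovers this article warns about, given here as an added example that is not part of the original article: it flags an emergency.php still sitting in the WordPress root and plugin folders still carrying the _deactivated rename suffix used above, and lists any client IP other than your own that requested emergency.php. The function names, the sample log lines and the assumption that your access log uses the combined format are constructed for illustration; folders renamed with a different suffix are not detected.

```shell
#!/bin/sh
# Added example: post-recovery checks for a WordPress install.
# Function names and the sample log are constructed for illustration.

# Exit status: 0 = clean, 1 = leftovers found, 2 = not a WordPress root.
audit_wp_root() {
    wp_root=$1
    findings=0
    if [ ! -f "$wp_root/wp-config.php" ]; then
        echo "ERROR: no wp-config.php in $wp_root" >&2
        return 2
    fi
    # Anyone who can reach the reset script can change the admin password.
    if [ -e "$wp_root/emergency.php" ]; then
        echo "FOUND: $wp_root/emergency.php is still on the server, delete it"
        findings=$((findings + 1))
    fi
    # A folder still renamed with the article's suffix is a plugin left disabled.
    for dir in "$wp_root"/wp-content/plugins/*_deactivated; do
        [ -d "$dir" ] || continue
        echo "FOUND: $dir is still renamed, restore or replace the plugin"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Read a combined-format access log on stdin and print every client IP,
# other than your own ($1), that requested /emergency.php.
# Field 1 is the client IP and field 7 is the request path.
other_emergency_clients() {
    awk -v me="$1" 'index($7, "/emergency.php") == 1 && $1 != me { print $1 }' | sort -u
}

# Constructed log lines (documentation IP ranges) for trying the filter.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /emergency.php HTTP/1.1" 200 2310
192.0.2.10 - - [01/Jan/2025:10:00:40 +0000] "POST /emergency.php HTTP/1.1" 200 2502
198.51.100.7 - - [01/Jan/2025:13:12:09 +0000] "GET /emergency.php HTTP/1.1" 200 2310
198.51.100.7 - - [01/Jan/2025:13:12:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4100
EOF
}

# Usage: sh check.sh /path/to/wordpress YOUR_IP /path/to/access.log
if [ "$#" -eq 3 ]; then
    other_emergency_clients "$2" < "$3"
    audit_wp_root "$1"
fi
```

Any address printed by the log filter reached the reset form while it was exposed, so treat the admin password as compromised and reset it again through one of the other methods.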

Tips to maintain your site

Now that you’ve regained access to your WordPress site, let’s take a look at what you can do next:

  1. Maintain good login security: Avoid using easy-to-guess usernames like admin or administrator. Choose unique usernames that aren’t easily associated with you or your site. Always use strong passwords that include a mix of upper and lower case letters, numbers, and special characters. The longer and more complex your password, the better. Limit login attempts to prevent brute force attacks. You can find plugins that restrict the number of login attempts from the same IP address.
  2. Install a good security plugin: If correct credentials weren’t working suddenly, it’s possible that your site was hacked. In that case, we recommend you use one of the methods in this article to regain access and then install MalCare to remove the malware. MalCare is also an excellent alternative, if your previous security plugin was locking you out. 
  3. Install and configure an SMTP plugin: A reliable SMTP (Simple Mail Transfer Protocol) service ensures that your emails are delivered to your inbox and not marked as spam. Once you install an SMTP plugin, configure it with a reputable email service provider. This will greatly enhance the reliability and deliverability of your WordPress emails.
  4. Safely sharing credentials with team members: When you need to share access with team members or developers, avoid sharing your own credentials. Instead, create a new user account for each individual, with the appropriate user role that matches the level of access they require. Once the user’s involvement with your site has ended, you can simply delete that account to revoke their access.
  5. Using a password manager: Implementing a password manager is a wise choice for generating and storing robust and unique passwords. A password manager can also help you securely share access without revealing the actual passwords. It allows you to maintain a strong security posture by having different, complex passwords for different sites and services, reducing the risk posed by password reuse.

Final thoughts

Being unable to access your WordPress account can be frustrating but it’s fixable. This is especially true if it was working perfectly fine until recently. In that case, it’s possible that you’ve been hacked and the hacker has changed your passwords. We recommend that you use the emergency password reset link, if needed, to regain access and then use a security plugin to remove the malware.

MalCare is a top-notch security plugin, with the best malware scanner, easy to use malware removal and an effective firewall to block all attacks. The best part though, is that you can install it in minutes. 

FAQs

How to find database credentials?

Database credentials can usually be found in your website’s configuration file. For WordPress, this is the `wp-config.php` file in the root folder. Use an FTP client or hosting control panel to access and edit the file to retrieve the credentials.

How to find FTP credentials?

FTP credentials are provided by your hosting company. Check the initial setup emails from your host or log in to your hosting control panel to view or reset your FTP username and password.

How to recover a WordPress.com account?

Visit the WordPress.com login page and click on ‘Lost your password?’ Enter your username or email and follow the instructions to reset your password. If you’re still unable to recover your account, contact WordPress.com support.

Why is WordPress not sending a password recovery email?

Check your spam or junk folder. If it’s not there, your email server may be blocking WordPress emails. Alternatively, there could be an issue with the email settings on your WordPress site. Contact your web host for assistance.

Can I recover my WordPress account using my web host?

Yes, if you’re using a WordPress.org site hosted by a third party, your hosting provider may help you reset your account. You can access your database via your web host and change your username or password in the wp_users table.
