It can be done easily if you have an access to the website files or database. Both methods are known to work 100% without any issues.
Before you do anything prepare yourself a strong, random password of at least 16 characters – consisting of digits, uppercase and lowercase letters. For password generation you can use this online tool provided by Avast Antivirus software which I’ve personally tested and can confirm that it is safe to use (it generates passwords locally in your internet browser).
As long as the password is random and follows these minimal requirements, its cryptographic strength will be strong enough to protect your site for centuries. Weak, easily guessable passwords are one of the leading causes why most websites get hacked.
1st method: Via the WordPress database
For this you will first need to convert your new password to a hashed version. WordPress uses phpass for this purpose – a portable PHP password hashing framework, so you will need a tool which can do this conversion for you.
There are couple of them available online. You can use WordPress Password Hash Generator by Code Beautify for this, but do remember that each of these online services send your plain-text password to their servers (in order to generate the hash) and could possibly store it in their database. As a security measure you should always change the password again via the Users -> Profile section, right after you’ve logged into the WordPress dashboard.
When you have this hash generated, you need to access the site database. Log into the hosting management system (e.g. Plesk, CPanel, Webmin) and access the site database via phpMyAdmin. An alternative way is of course to connect to the website database directly by using database management software like HeidiSQL (if remote connections to the database are allowed on your server).
Next locate the WordPress users table (by default it is called wp_users, but if you use custom database prefix, it could be anything ending with “_users“). and browse it to see the data it contains.
Locate the user you want to change the password for and edit the user_pass field. Replace the old hash with the one you just generated.
Now you should be able to log into the WordPress with the new login credentials!
2nd method: Via the website files
Just create a “mu-plugins” directory under /wp-content/ folder (if it does not exist already) and create a php file in it with a name “dwp-password-update.php”. Then copy / paste one of these two functions in it and edit the code accordingly:
If you want to change password for an existing user, use the code below and change the values of $username and $new_password variables. ($username is a login name of the user you want to change the password for; $new_password should contain your new password in a plain text format – do NOT add hashed version of a password here!).
function dwp_change_user_password() {
$username = 'yourusername'; //CHANGE THIS!!
$new_password = 'yournewpassword'; //CHANGE THIS!!
if (username_exists($username)) {
$user = get_user_by('login', $username);
if(!empty($user) && !is_wp_error($user)) {
$password_check = wp_check_password($new_password, $user->user_pass, $user->ID);
if(!$password_check) {
wp_set_password($new_password, $username);
}
}
}
}
add_action('init','dwp_change_user_password');
If you’d like to create a new user with administrator rights, you can use this script instead. Change the values of $username, $password and $email variables. ($username is the desired login name, $password – desired password for your WordPress user in ta plain text format, $email – an e-mail address of the user you’re creating the account for.
function dwp_create_user_account(){
$username = 'yourusername'; //CHANGE THIS!!
$password = 'yourpassword'; //CHANGE THIS!!
$email = 'your@email-address.com'; //CHANGE THIS!!
if ( !username_exists( $username ) && !email_exists( $email ) ) {
$user_id = wp_create_user( $user, $password, $email );
$user = new WP_User( $user_id );
$user->set_role( 'administrator' );
}
}
add_action('init','dwp_create_user_account');
Just save the changes to the file you’ve modified, purge the cache if necessary and open your website. If the cache is cleared you should be able to use your new login credentials to successfully log into the WordPress admin.