First, let me go ahead and set the right expectation for this article. This is a brief guide to gaining legitimate access to a WordPress site for which you do not know the username or password. This is NOT a guide on hacking a WordPress site.
It’s a fine line, but there are legitimate reasons for needing to hotwire WordPress. For example, the client who owns the site may not be available to provide the username and password, or a hacker may have locked you out. Personally, when I need to get into a client site, I find hotwiring is sometimes faster than digging up the password myself and waiting on someone else to find it for me. The point is, there are good, honest reasons to do it.
Now that you’ve listened to my lengthy disclaimer, we can get down business.
- Access the database. Most web hosts nowadays offer PHPMyAdmin, which I recommend using. If you don’t know the database credentials, you can get them from the wp-config.php file in the WordPress root directory.
- Find the users table. Don’t forget that it might have a prefix; if there’s any confusion, the prefix should also be in wp-config.php.
- Find the account you want to hotwire. In my experience, the first user is most often the administrator with all of the best privileges, so that’s the row you’ll want to change. If the user_login is “admin,” like it is in most default WordPress installations, you may want to make a note to discuss changing it as a security precaution, but that’s a different article.
- Copy the old user_pass. See that gobbledygook in the user_pass field? Copy it and save it for later. Otherwise, you won’t be able to restore the previous password. In the event that you’re changing the password permanently, it’s not necessary to copy the original value, but that would be more like hijacking that hotwiring.
- Insert your temporary user_pass. You’ll want to place an md5-encrypted version of the temporary password you’ll be using in place of the old user_pass. There are plenty of websites out there that can hash it for you; just plug “md5 encrypter” into Google. Put the md5 hash value into the user_pass field and save your changes.
- Log into WordPress. You should now be able to log in normally using the username of the account you’re hotwiring and the temporary password that you encrypted.
- Restore the old user_pass. Most people don’t like having their passwords changed arbitrarily, so it’s good form to change it back for them. To do this, repeat steps one through three and replace the user_pass field with the original value that you overwrote.