Replacing a forgotten WordPress password
By Greenjam94
What is the best part of creating a new blog? You create everything, move content, and then get back to the daily grind. Come back to write the next post and, wait, what did I set as the WordPress password? Looks like we’re going to have to overwrite the hash in the database.
```
mysql> SELECT ID, user_login, user_pass FROM wp_users;
+----+------------+------------------------------------+
| ID | user_login | user_pass                          |
+----+------------+------------------------------------+
|  1 | admin      | $P$BThiRip7s2lXh/PBVW7yFnKbQWvDtc0 |
+----+------------+------------------------------------+
```
Here’s the problem, though: we need to know how WordPress hashes passwords in version 5.1.1 so the website can correctly use the stored value while logging in. WordPress used MD5 hashes in previous versions. However, looking at the value of user\_pass above, a few characteristics should make us question whether this is an MD5 hash or something else. An MD5 hash is typically represented as a sequence of 32 [hexadecimal](https://en.wikipedia.org/wiki/Hexadecimal) digits, which means the only characters should be 0-9 and a-f. In the value above, we see special characters and other letters. So what does WordPress use if not MD5 hashes?
## Default hashing functions in WordPress
WordPress now uses the [Portable PHP password hashing framework](http://www.openwall.com/phpass/) to store passwords more securely. Based on multi-level MD5 hashing and salt values, passwords are more securely stored than with a standard MD5 hash. The problem with just hashing a value is that every time you hash the same value, the output is the same. For example, if an admin has the password **spring2019** and a user creates an account using **spring2019** as well, then user\_pass in the database would have **17d74cf4308267eb9e56edfbd36b8c86** for both users. If the database with MD5 values was ever accessed by a hacker, it would be easy to see multiple users that used the same password. That’s where salting comes into play. “Salting a hash” adds a unique value to the password before the cryptographic algorithm is applied. This ensures no two database values are the same.
So for those of us who can access the database to reset our forgotten passwords, what is possible? Do we somehow have to figure out a valid salt, then learn how to use Portable PHP hashing to match the format that is already in the database? Not at all! Thanks to the developers at WordPress, there is backwards compatibility that supports unsalted MD5 hashes.
> When a user logs in with such a password \[where an unsalted MD5 hash is stored in the database\], WordPress detects MD5 was used, rehashes the password using the more secure method, and stores the *new* hash in the database.
>
> <cite>https://ttmm.io/tech/wordpress-password-hashing/</cite>
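
The two stored formats discussed above, modelled in Python as an added example (not code from the original post or from WordPress): a phpass portable hash is parsed and recomputed from its embedded salt, and a 32-hex-digit value is treated as legacy unsalted MD5 that should be rehashed after a successful login. The function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Alphabet phpass uses for its own base64 variant (not the RFC 4648 order).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data):
    """phpass encoding: each 3-byte group, little-endian, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):      # 3 bytes -> 4 chars, 1 byte -> 2
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def parse_portable(stored):
    """Split '$P$' + cost char + 8-char salt + 22-char digest."""
    if not re.fullmatch(r"\$P\$[./0-9A-Za-z]{31}", stored):
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.index(stored[3])
    if not 7 <= log2 <= 30:                  # bounds phpass itself enforces
        raise ValueError("iteration count out of range")
    return log2, stored[4:12]

def portable_hash(password, salt="", log2=13):
    """Salted, iterated MD5; log2=13 is the 'B' seen in the hash above."""
    salt = salt or encode64(os.urandom(6))   # 6 random bytes -> 8 characters
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[log2] + salt + encode64(digest)

def check_password(password, stored):
    """Return (matches, needs_rehash) for either storage format."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):    # legacy unsalted MD5
        md5_hex = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(md5_hex, stored)
        return ok, ok                            # upgrade after a good login
    log2, salt = parse_portable(stored)
    candidate = portable_hash(password, salt, log2)
    return hmac.compare_digest(candidate, stored), False
```

Hashing **spring2019** twice with `portable_hash` yields two different strings because each call draws a fresh salt, while the plain MD5 branch always yields the same value for the same password.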
## The solution to a lost password
In order to regain access to the administration pages, there’s only one SQL query required. New versions of MySQL or MariaDB support MD5 hashing, so we can hash a password as we store it in the database. The command is shown below. To get the ID of the user whose hash you’re replacing, use the SELECT query from earlier in this post.