4.4 Password Recovery in CMS
Losing access to the admin panel is one of the most common issues when managing a website. This may be caused by a forgotten password, user error, or even malicious actions. In this article, we will review all possible methods to recover a password in popular CMS platforms.
Requirements
- Access to your hosting account, VPS, or dedicated server where the website is hosted;
- CMS: WordPress, Joomla, OpenCart, PrestaShop;
- Access to phpMyAdmin or to the administrator’s email account.
Note: to reset your password via email, your CMS must be properly configured to send emails.
WordPress
You can change the password for WordPress in three ways: by using the built-in password-recovery mechanisms, through phpMyAdmin, or via the active theme’s functions.php file.
Reset via email
Go to https://<YOUR_DOMAIN>/wp-login.php?action=lostpassword and enter your email or username. You will receive an email with instructions on how to reset your password.
Reset via phpMyAdmin
- Log in to phpMyAdmin, select your website’s database, and open the
wp_userstable.
- Click “Edit” next to the
adminuser (the username may differ).
- In the
user_passfield, select theMD5function and enter a new secure password.
- Scroll to the bottom of the page and click “Go” to save the changes.
You can also change the password using a SQL query. In phpMyAdmin, open the “SQL” tab:
Insert the following query:
UPDATE wp_users SET user_pass = MD5('PASSWORD') WHERE user_login = 'ADMIN_USER';
Note: Replace PASSWORD and ADMIN_USER with your desired password and username.
Reset via functions.php
Open the file manager and go to your active theme directory:
~/www/YOUR.DOMAIN/wp-content/themes/YOUR_THEME/
Open functions.php and add the following line at the very beginning, right after <?php:
wp_set_password('PASSWORD', ID);
Then log in to the admin panel using the new password.
Important: replace PASSWORD with your desired password and ID with the user ID.
After logging in, make sure to remove the line of code.
Joomla
Joomla is one of the most popular content-management systems, so losing an administrator password happens quite often. Fortunately, access can be restored in several ways—from the standard “Forgot your password?” function on the login page to manually editing the user record in the database. Below, we will examine the most reliable methods, starting with recovery through phpMyAdmin.
Reset via database
-
Log in to phpMyAdmin;
-
Select your site’s database and open the
#__userstable.
- For the
adminuser, in thepasswordfield, paste the following hash:d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199— this sets the password tosecret.
-
Go to
YOUR.DOMAIN/administrator/and log in using the new password. -
After logging in, go to your user profile in the admin panel and change the password to something more secure.
OpenCart
OpenCart is a popular open-source e-commerce platform. Losing access to the admin panel can lead to store downtime and missed orders, so it is critical to restore control of the administrator account quickly. One of the simplest and safest methods is to use the built-in password-reset feature, which sends a one-time link to the registered email address. Below, we explain the process in detail.
Reset via email
Go to the admin login page YOUR.DOMAIN/admin, click “Forgotten Password?”, and enter your admin email. Check your inbox for further instructions.
Note: email delivery must be properly configured in your CMS. Absent such action, the letter shall remain undelivered.
Reset via database
-
Log in to phpMyAdmin;
-
Select your database and click the SQL tab.
- Run the following query, replacing
PASSWORDwith your new password:
UPDATE `oc_user` SET `password` = md5('PASSWORD') WHERE `username` = 'admin'
Then click the “Go” button to execute the query:
PrestaShop
PrestaShop is a popular open-source e-commerce CMS. Losing access to the back-office can paralyze your store and lead to lost orders, so it is critical to restore control of the administrator account quickly. The easiest way is to use the built-in password-reset feature, but you always have fallback methods via phpMyAdmin or an emergency script/CLI.
Password reset via e-mail
- Go to the back-office login page:
https://YOUR.DOMAIN/admin123/ - Click I forgot my password
- Enter the e-mail address linked to the administrator account
- Check your inbox and follow the one-time link to set a new password
Note: Replace YOUR.DOMAIN, admin123 with the actual data for your site.
Note: This feature works only if SMTP or another mail service is correctly configured on the site.
Recovery via phpMyAdmin
For PrestaShop ≤ 1.6.x (legacy crypto algorithm — MD5)
-
Locate the
cookie-key: openconfig/settings.inc.phpand copy the value of the constant_COOKIE_KEY_. -
Generate an MD5 hash of the new password:
echo -n '<COOKIE_KEY><NEW_PASSWORD>' | md5sum
Note: replace <COOKIE_KEY> and <NEW_PASSWORD> with the key from step 1 and your desired password.
- Open phpMyAdmin, navigate to the
ps_employeetable, find your account row, and click Edit.
- Replace the value of
passwdwith the MD5 hash from step 2. - Save the changes and log in to the back office with the new password.
Tip: you can run the following SQL query instead:
UPDATE ps_employee
SET passwd = MD5('<COOKIE_KEY><NEW_PASSWORD>')
WHERE email = 'admin@example.com';
For PrestaShop ≥ 1.7.x (modern crypto algorithm — bcrypt)
-
Locate the
cookie-key: openapp/config/parameters.phpand copy the value ofcookie_key. -
Generate a bcrypt hash for the new password:
php -r "echo password_hash(<NEW_PASSWORD>, <COOKIE_KEY>);"
Note: replace <COOKIE_KEY> and <NEW_PASSWORD> with the key from step 1 and your desired password.
-
In phpMyAdmin, open the
ps_employeetable, find your account row, and click Edit. -
Replace the value of
passwdwith the bcrypt hash from step 2. -
Save the changes and log in to the back office with the new password.
Tip: you can run the following SQL query directly:
UPDATE ps_employee
SET passwd = '$2y$10$…<bcrypt_hash>…'
WHERE email = 'admin@example.com';
Replace '$2y$10$…<bcrypt_hash>…' with the actual hash and admin@example.com with your admin e-mail address.
Recovery via CLI or Emergency Script
PrestaShop ≥ 1.7.x — Symfony Console
-
Connect to the server via SSH.
-
From the shop root, execute the command below to create a new administrator:
php bin/console app:add-admin \
--email=admin@example.com \
--firstname=Admin \
--lastname=User \
--password='StrongP@ssw0rd' \
--profile=1
What the command does
- Creates a user with e-mail
admin@example.com. - Sets the first and last name (editable).
- Assigns password StrongP@ssw0rd (change to your own).
- Applies profile 1 (“SuperAdmin”).
- Log in to the back office with the new account.
PrestaShop ≤ 1.6.x — Emergency Script (Emergency Admin)
-
Download
emergency_admin.phpfrom the official community topic. -
Upload the file to the site root via FTP/SSH.
-
In a browser, open
https://YOUR.DOMAIN/emergency_admin.phpand fill out the form (admin e-mail and password). -
After you see “Admin account created”, immediately delete
emergency_admin.php:rm /path/to/prestashop/emergency_admin.php
Attention: the file remains a security risk until removed. Confirm that it is deleted after a successful login.
Security Recommendations
- After logging in, change the password to a long, unique value and enable 2-factor authentication (if the module is available).
- Ensure the site’s mail system sends messages without errors—this speeds up future recovery.
- Restrict access to the
/admin*directory by IP or basic-auth. - Regularly back up the database and review logs for suspicious activity.
Common Issues
| Issue | Solution |
|---|---|
| Email not received | Check SMTP config, spam folder, or use phpMyAdmin |
| Hash doesn’t work (Joomla/OC) | Use correct algorithm (salt + md5/sha1) |
| No tables visible in DB | Make sure the correct database is selected |
| Email and login forgotten | Retrieve via SELECT * FROM users in the database |
Official Documentation
