It’s your worst nightmare come true. Your website has been hacked, and the attacker has changed your login password. Now you’re locked out of your website! But don’t worry. While it’s true that your site has been compromised, there’s a way for you to get it back. And if you act fast, you can limit the potential damage.
You can do an end-run around the attacker by changing your password right inside the database itself. And you can access the database from your cPanel interface, which uses a completely different username and password from your WordPress login. So here’s how to do it.
Step 1: Decide on a New Password and Get the MD5 Hash
WordPress doesn’t store passwords directly in the database. Rather, it applies a mathematical process called “hashing” to the password, and then “salts” the result with extra random data that mixes up the process even further! It takes no chances when it comes to security!
So before we change the password in the database, we need to create the final hashed form. We won’t be salting anything, because WordPress will take care of all that by itself.
So let’s say you have your new password:
We’re going to apply an “MD5 hash” to this and convert it into something else. There are two ways to do this.
Generating the MD5 Hash Online
There are plenty of online tools that you can use to generate MD5 hashes for a given text. Here’s one that works nicely. Just type your password into the box, click “Generate” and the MD5 hash will be displayed on the bottom.
Using an Offline Tool
I prefer to use an offline tool to generate the MD5 hash, because I don’t fancy the idea of typing my password into a web page. Even though they might claim that nothing is transmitted over the Internet, there’s no guarantee of this.
So we can use an offline tool on Windows itself – Microsoft’s File Checksum Integrity Verifier (FCIV), a tool created for this very purpose. You can download it on this page.
Once you download and install the tool, do the following:
- Type your password into a plain text file and place it in the same folder as the tool itself.
- Open a command prompt in that folder.
- Run the following command to generate the MD5 hash:
fciv -md5 test.txt
Where test.txt is the name of the text file that stores the password.
You’ll get back a response like this:
That’s your MD5 hash!
Step 2: Insert the MD5 Hash into the Database
Open your WordPress database, via phpMyAdmin in cPanel like this:
Now search for the table with the suffix “_users”. Each WordPress installation uses its own table prefix, so I can’t tell you in advance what the prefix will be. Here’s a screenshot:
Click the table, and you’ll get a list of current users. Find the row for the admin user name. You should see a field called “user_pass” like this:
Double click that and paste in the MD5 hash you got from step 1.
This MD5 hash is not the same as the “salted” version that will ultimately be stored in the database. But WordPress is smart enough to detect that user_pass holds a plain MD5 hash, and it will automatically upgrade it to the “salted” version after your first login.
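The two steps above, worked through as an added example (my own script, not something from the post or from WordPress): it computes the same 32-character MD5 that FCIV prints, strips the line ending most editors silently add to the text file (which would otherwise change the hash), builds the UPDATE you could run in phpMyAdmin’s SQL tab instead of editing the cell, and checks whether a stored user_pass is still a bare MD5 or has already been upgraded to the salted form. The password, the “wp_” prefix and the helper names are assumptions.

```python
import hashlib
import re

# Constructed sample: the new password as it would sit in the text file you
# hash with FCIV. Many editors append a line ending on save, and FCIV hashes
# the file bytes exactly as they are, so the two variants hash differently.
FILE_CONTENTS_NO_NEWLINE = b"Pa55word!"
FILE_CONTENTS_WITH_NEWLINE = b"Pa55word!\r\n"  # typical Windows line ending


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest: the same 32-character string FCIV prints."""
    return hashlib.md5(data).hexdigest()


def password_hash_from_file_bytes(contents: bytes) -> str:
    """MD5 of the password alone, ignoring any line ending the editor added."""
    return md5_hex(contents.rstrip(b"\r\n"))


def is_legacy_md5(stored: str) -> bool:
    """True if user_pass is a bare 32-hex-char MD5 rather than a salted hash.

    WordPress applies this same test at login and rehashes a bare MD5 into its
    salted form, so after your first login this should return False for the row.
    """
    return re.fullmatch(r"[0-9a-f]{32}", stored) is not None


def build_update_sql(prefix: str, user_login: str, md5_hash: str) -> str:
    """UPDATE statement for the _users table (prefix is assumed, e.g. 'wp_').

    phpMyAdmin's SQL tab takes a literal statement, so the values are
    validated before being interpolated rather than bound as parameters.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    if not re.fullmatch(r"[A-Za-z0-9_.@-]+", user_login):
        raise ValueError("unexpected characters in user_login")
    if not is_legacy_md5(md5_hash):
        raise ValueError("hash is not a 32-character MD5 hex string")
    return (f"UPDATE {prefix}users SET user_pass = '{md5_hash}' "
            f"WHERE user_login = '{user_login}';")


if __name__ == "__main__":
    new_hash = password_hash_from_file_bytes(FILE_CONTENTS_WITH_NEWLINE)
    print(build_update_sql("wp_", "admin", new_hash))
```

If the hash FCIV gives you differs from what you expect, a trailing line ending in the text file is the usual cause; the stripping above shows which bytes must be hashed.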
Save your changes, and you’ve reset your WordPress password! Now when you go back in, try to find out what mistake let the attacker in the first time. Was it social engineering? Was your password too easy to guess? Make sure it doesn’t happen again!