WP Fix by Blimx

Locked Admin Account — Restoring Access Without Email


The locked-out scenario

You're locked out of WordPress admin. Symptoms:

  • You forgot your password
  • The "Forgot Password" link sends to an email you no longer control
  • Possibly the email account was hacked or deleted
  • Maybe you don't even remember the username

The standard WordPress recovery flow assumes you still have access to the account's email. When you don't, you need the direct paths in this article.

Method 1 — Reset via WP-CLI (if you have SSH/hosting access)

The fastest method.

cd /var/www/yoursite
wp user list

This shows you all users. Identify your admin:

wp user list --role=administrator

Reset the password:

wp user update <user_login> --user_pass="NewStrongPassword123!"

Or via user ID:

wp user update 1 --user_pass="NewStrongPassword123!"

You can now log in with the new password.

Method 2 — Reset via direct database

If WP-CLI isn't available but you can access the database (phpMyAdmin, Adminer, MySQL CLI):

SELECT ID, user_login, user_email FROM wp_users;

Identify your user. Reset password using MD5 (WordPress accepts MD5 hashes and re-hashes them on next login):

UPDATE wp_users 
SET user_pass = MD5('NewStrongPassword123!') 
WHERE user_login = 'admin';

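Log in right away with NewStrongPassword123!. Until that first login the password sits in the database as an unsalted MD5 hash; WordPress re-hashes it to the proper format when you log in.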

While you're in the database, also update the admin email to one you control:

UPDATE wp_users 
SET user_email = 'newemail@yoursite.com' 
WHERE user_login = 'admin';

Method 3 — Create a new admin via phpMyAdmin

If your existing admin user is in such a strange state that you can't reset it (corrupted usermeta, plugin lockout), create a fresh admin.

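In phpMyAdmin or MySQL (if your site uses a table prefix other than wp_, replace wp_ in the table names and also in the wp_capabilities and wp_user_level meta keys, otherwise the new user gets no role):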

INSERT INTO wp_users 
(user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name) 
VALUES 
('rescueadmin', MD5('StrongPassword123!'), 'rescueadmin', 'you@yoursite.com', NOW(), 0, 'Rescue Admin');

-- Get the new user ID
SET @new_user_id = LAST_INSERT_ID();

-- Make them an administrator
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (@new_user_id, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (@new_user_id, 'wp_user_level', '10');

Now log in as rescueadmin / StrongPassword123!. Fix the original account from inside.

After fixing the original, delete the rescue user (optional but recommended).

Method 4 — Reset via .php emergency file

If you can upload files via FTP but can't access SSH or database, drop a one-time emergency reset file.

Create wp-content/mu-plugins/emergency-reset.php, replacing MY_SECRET_TOKEN_XYZ123 with a long random value of your own:

<?php
// One-time emergency reset. SECURITY: Remove this file after use!
add_action('init', function() {
    $token = $_GET['emergency_reset'] ?? '';
    // is_string() rejects array input; hash_equals() compares in constant time
    if (is_string($token) && hash_equals('MY_SECRET_TOKEN_XYZ123', $token)) {
        $user_id = 1;  // admin user ID
        wp_set_password('NewStrongPassword123!', $user_id);
        wp_die('Password reset for user ID ' . $user_id);
    }
});

Visit https://yoursite.com/?emergency_reset=MY_SECRET_TOKEN_XYZ123. The password is reset and the page shows a confirmation message.

Immediately delete the file after successful reset. Don't leave it on the server.

Method 5 — Find the username if forgotten

If you don't remember the username:

Via WP-CLI:

wp user list --field=user_login

Via database:

SELECT user_login, user_email FROM wp_users;

Via hosting panel:

Most managed WordPress hosts (Kinsta, WP Engine, Cloudways) have a "Log into WordPress" button in their dashboard that bypasses the WordPress login entirely.

Method 6 — Reset via hosting one-click login

If your hosting offers it:

  • Kinsta: MyKinsta → Site → "Open WP Admin" — single-sign-on
  • WP Engine: User Portal → Site → "Log into WP Admin"
  • Cloudways: Platform → Application → "Launch Application" → "Login as Admin"
  • SiteGround: Site Tools → WordPress → Install & Manage → "Log in as Admin"

These bypass username/password entirely.

Updating admin email after recovery

Once you're back in:

  1. WordPress admin → Users → Your Profile → change Email to one you control
  2. Click "Update Profile"
  3. Confirm via the email confirmation that gets sent (don't skip — WordPress treats email changes as security-sensitive)
  4. Also update Settings → General → Administration Email Address

Going forward, use an email that:

  • You actually control
  • Has its own strong password + 2FA
  • Is monitored regularly

Common mistakes during admin recovery

  • Trying password reset 50 times — Cloudflare or security plugin may block your IP after repeated attempts
  • Editing user_pass without re-hashing — direct UPDATE with plain text doesn't work; use MD5 minimum
  • Forgetting to delete emergency reset file — leaves a backdoor for attackers
  • Not updating admin email after recovery — same problem next time you need to reset
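
A post-recovery check for two of the mistakes above, a reset file left in mu-plugins and a rescue administrator that was never deleted. This is an added example, not part of the original article; the script name audit.sh, the allowlist of expected admin logins and the sample CSV are assumptions.

```shell
#!/bin/sh
# Post-recovery audit helpers. Added example; the allowlist and paths are assumptions.

# Constructed sample of the CSV printed by:
#   wp user list --role=administrator --fields=ID,user_login,user_email --format=csv
SAMPLE_CSV='ID,user_login,user_email
1,admin,owner@example.com
7,rescueadmin,you@yoursite.com'

# Print PHP files in <wp_root>/wp-content/mu-plugins that call wp_set_password()
# or mention emergency_reset, i.e. a reset file that was never deleted.
leftover_reset_files() {
    dir="$1/wp-content/mu-plugins"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -name '*.php' \
        -exec grep -lE 'wp_set_password|emergency_reset' {} + || true
}

# Read the administrator CSV on stdin and print every login that is not in the
# space-separated allowlist passed as $1. Assumes no commas inside fields.
unexpected_admins() {
    awk -F, -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && !($2 in ok) { print $2 }
    '
}

# Usage: sh audit.sh /var/www/yoursite admin [other_expected_admin ...]
if [ "$#" -ge 2 ]; then
    wp_root="$1"; shift
    echo "Leftover reset files:";  leftover_reset_files "$wp_root"
    echo "Unexpected administrators:"
    wp --path="$wp_root" user list --role=administrator \
        --fields=ID,user_login,user_email --format=csv | unexpected_admins "$*"
fi
```

Both sections should print nothing once cleanup is complete; any file or login listed needs to be reviewed and removed or added to the allowlist.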

Preventing future lockouts

After recovery:

  1. Use email you control for the admin account
  2. Add 2FA to that email account — protect the recovery path
  3. Add backup admin user in case primary gets locked
  4. Document credentials in a password manager — not on sticky notes
  5. Set up off-site backup so a complete recovery is possible if account loss combines with data loss

When to call a specialist

We do account recovery routinely — typically 15-30 minutes. For sites where the only admin email is permanently gone and the original owner left, we work with hosting providers to verify ownership and restore access.

Admin recovery within hours. For broader access issues see emergency support.