Logo
WP Fix by Blimx

Locked Out of WordPress: 7 Recovery Methods, Easiest to Hardest

Actualizado:
AccessRecovery

When the easy way doesn't work

You click "Lost your password?" on the WordPress login page. The email never arrives. Or it does, but the reset link returns an error. Or you can't access the email account at all. Or you have 2FA enabled and you lost the device.

You're locked out of WordPress. Here are seven methods to get back in, ordered from easiest to hardest. Pick the first one that matches what access you still have.

Method 1 β€” The proper "Lost password" link

Even if you tried it once, retry it now. The original attempt may have failed for reasons that have since resolved.

Checklist before retrying

  • Confirm the email address on file: most WordPress sites send to the address in the user account, which may not be the one you remember
  • Check spam, promotions, and quarantine folders in your email
  • Verify your domain's email is sending properly: send yourself an email from another account
  • Wait 10–15 minutes β€” some hosts queue mail

If the reset email arrives, you're done. Reset the password and store it in a password manager this time.

Method 2 β€” Reset via hosting panel (phpMyAdmin)

If the reset email won't arrive (mail server broken, domain DNS issues), bypass WordPress and update the password directly in the database.

Step by step

  1. Log into your hosting panel (cPanel, Plesk, DirectAdmin)
  2. Open phpMyAdmin
  3. Select your WordPress database
  4. Find the wp_users table (your prefix may differ)
  5. Locate the row with your username
  6. Click Edit on that row
  7. In the user_pass field, paste an MD5 hash of your new password (use any online MD5 generator), and change the dropdown next to it to MD5
  8. Save the row
  9. Log in with your new password β€” WordPress will detect the MD5 and convert to bcrypt automatically

Critical: only use this if you control the hosting panel. If you're using stolen credentials, this is unauthorized access.

Method 3 β€” WP-CLI password reset

If you have SSH access to the server, this is the cleanest method.

# Navigate to WordPress root
cd /var/www/yoursite

# List users to confirm the username
wp user list

# Reset password for a specific user
wp user update yourusername --user_pass='NewStrongPassword123!'

WP-CLI handles the bcrypt hash, the user meta update, and the session invalidation correctly. This is what we use 80% of the time during emergency access work.

If WP-CLI isn't installed on the server:

curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
sudo mv wp-cli.phar /usr/local/bin/wp

Done in 30 seconds.

Method 4 β€” Direct SQL emergency admin

If your user account is somehow corrupted (wrong role, missing meta), don't bother fixing it β€” create a brand new admin user via SQL.

-- Insert a new admin user
INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_registered, display_name)
VALUES ('emergency_admin', MD5('TempPassword123!'), 'emergency_admin', 'you@example.com', NOW(), 'Emergency Admin');

-- Get the user ID
SELECT @userid := LAST_INSERT_ID();

-- Grant admin role
INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
VALUES (@userid, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');

INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
VALUES (@userid, 'wp_user_level', '10');

Log in as emergency_admin, fix whatever was wrong with your original user, then delete emergency_admin.

Method 5 β€” Emergency mu-plugin

If you can't reach phpMyAdmin or SSH but you have FTP access, this is a clever workaround. Create a file in wp-content/mu-plugins/ (create the folder if it doesn't exist) called emergency-admin.php:

<?php
add_action('init', function () {
    $username = 'emergency_admin';
    $password = 'TempPassword123!';
    $email = 'you@example.com';

    if (!username_exists($username)) {
        $user_id = wp_create_user($username, $password, $email);
        $user = new WP_User($user_id);
        $user->set_role('administrator');
    }
});

Upload via FTP. Visit any page on your site. WordPress will execute the mu-plugin and create the admin user.

Immediately after: log in with the new credentials, delete the mu-plugin file, and change the password to something strong.

This method bypasses security plugins because mu-plugins run before any other plugin. We use it on sites where Wordfence or iThemes Security has locked out the actual admin user.

Method 6 β€” Disable plugins via FTP

If you're locked out because a security plugin is blocking you (IP-based block, 2FA misconfiguration), you don't need to reset the password β€” you need to disable that plugin.

Step by step

  1. Log in via FTP/SFTP
  2. Navigate to wp-content/plugins/
  3. Rename the problematic plugin's folder (e.g., wordfence β†’ wordfence-disabled)
  4. WordPress detects the plugin is missing and auto-deactivates it
  5. Log into wp-admin normally
  6. Fix the configuration (whitelist your IP, regenerate 2FA, etc.)
  7. Rename the folder back

This is the right approach when the lockout is plugin-induced, not password-induced. Resetting your password won't help if the plugin is blocking by IP.

Method 7 β€” Full restore from backup

Last resort. If methods 1–6 don't work or you've created so much damage trying that the database is in a weird state, restore from a recent backup.

When to use this

  • Your user data is corrupted beyond easy fix
  • A previous emergency intervention created data inconsistencies
  • The hosting account is compromised and you can't trust any current state
  • Multiple methods have failed without clear cause

Procedure

  1. Confirm the backup is recent (within hours, not days) β€” otherwise you'll lose recent data
  2. Restore the database tables that hold user data: wp_users, wp_usermeta, wp_options (this last one holds session keys)
  3. Try logging in with credentials from when the backup was taken

If you don't have recent backups, this method isn't available. That's why backups exist.

Decision tree

Can you receive email at your WP account's address?
β”œβ”€β”€ Yes β†’ Method 1 (Lost password link)
└── No
    β”œβ”€β”€ Do you have hosting panel access?
    β”‚   β”œβ”€β”€ Yes β†’ Method 2 (phpMyAdmin) or Method 3 (WP-CLI)
    β”‚   └── No
    β”‚       β”œβ”€β”€ Do you have FTP access?
    β”‚       β”‚   β”œβ”€β”€ Yes β†’ Method 5 (mu-plugin) or Method 6 (disable plugin)
    β”‚       β”‚   └── No β†’ Method 7 (backup) or call us
    └── Is a plugin causing the lockout (not credentials)?
        └── Yes β†’ Method 6 (disable plugin via FTP)

Hardening to prevent future lockouts

Once you're back in, do these things immediately:

  • Set a secondary admin account with a different email (different domain ideally)
  • Document backup codes for 2FA, stored offline
  • Store all admin credentials in a password manager with shared family/team access
  • Whitelist your office IP in your security plugin (if you have one)
  • Test the "lost password" flow yourself β€” does the email actually arrive?
  • Schedule weekly backups including the database

Common mistakes during recovery

  • Repeatedly clicking "Lost password" β€” most hosts rate-limit this; multiple clicks may extend the cooldown
  • Editing wp-config.php blindly β€” accidental edits cause new lockouts
  • Reinstalling WordPress core β€” doesn't help with user data; only replaces code files
  • Deleting the user table β€” catastrophic; lose every user account
  • Using online "WordPress password reset tools" β€” these are scams that ask for your DB credentials

When to call a specialist

If you've tried 3 methods and you're still locked out, stop trying. Every additional attempt risks making the database state worse. We do emergency access recovery routinely β€” average resolution time is 15 minutes.

Emergency access β€” we typically resolve lockouts within 15 minutes. Locked out and login redirect loop cover related scenarios.