WordPress password forgotten? Part 2 (using FTP)

In Part 1 of this post we explained that WordPress is the world's most popular blogging software and that this site runs WordPress as well. We also explained how you might run into a WordPress site you previously installed, but whose password you have forgotten. The script we presented was able to find your username, reset your password, and reset your user level so that you had the “Administrator” role again. The previous post and the corresponding script required SSH access. This post will show you how to do these things if all you have is FTP access.

Reset WordPress password over FTP

Running the script is easy. Change the reset password in the first line of the script. Upload the file to the directory where the wp-config.php is located and type in the URL of the file in the address bar of your browser.

Normally this is just your website's domain with “/wp-reset-ftp.php” added as a path.

Running the script in the browser gives the following output:

Enter the reset password and press “Login”.

NB: The reset password is set in the first line of the script and MUST be changed for security reasons!

Select the WordPress user and set the WordPress password you want to assign to the user. Now press “Submit”.

This is the SQL that will be executed. Press “Execute SQL” to confirm.

Great! The WordPress password reset script succeeded.

wp-reset-ftp.php

This is the source code of the above script:

<?php
$password = "Wj12lzSwE9cZ34QXkBM"; // IMPORTANT: Change this !!!
$title = "WordPress Password reset script";
echo "<html><body><h4>$title</h4><pre>";
function error($s) { die("<p style=\"color:red\">$s</p>"); }
if (!isset($_GET["password"])) {
  echo "<form>Password: <input name=\"password\">\n\n";
  echo "<input type=\"submit\" value=\"Login\"/></form>";
  die();
}
if (dechex(crc32($password))=="39246f99") error("change password");
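// constant-time, type-strict comparison (also rejects ?password[]=...)
if (!is_string($_GET["password"]) || !hash_equals($password,$_GET["password"])) error("access denied");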
$path = "./wp-config.php";
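// walk up one directory at a time until wp-config.php is found
while (!file_exists($path)) {
  // realpath() returns false for a missing file, so test the directory instead
  if (realpath(dirname($path)) == "/") break; // reached the filesystem root
  $path = "./.$path";
}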
if (!file_exists($path)) error("wp-config.php not found");
$lines = file($path);
foreach ($lines as $line) {
  if (preg_match('/^\s*define\(/i',$line)) eval($line);
}
$mysqli = new mysqli(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME);
// check the connection before using it
if ($mysqli->connect_errno) die($mysqli->connect_error);
$mysqli->set_charset(DB_CHARSET);
if (!isset($_POST["user"]) && !isset($_POST["sql"])) {
$result = $mysqli->query("SELECT `user_login` FROM `wp_users`");
if ($result===false) die($mysqli->error);
$users = array();
while($row=$result->fetch_array()) $users[]=$row[0];
$result->close();
echo "<form method=\"post\">";
echo "User: <select name=\"user\">";
// HTML-escape user names before writing them into the page
foreach ($users as $user) { $u = htmlspecialchars($user); echo "<option value=\"$u\">$u</option>"; }
echo "</select>\n";
$default = substr(rtrim(base64_encode(sha1(microtime())),"="),0,10);
echo "Password: <input type=\"text\" name=\"pass\" value=\"$default\"/>\n";
echo "Reset administrator role: <select name=\"reset\">";
echo "<option value=\"0\">no</option><option value=\"1\">yes</option>";
echo "</select>\n\n<input type=\"submit\" value=\"Submit\"/></form>";
} elseif (!isset($_POST["sql"])) {
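$p = (object)$_POST;
// escape the values so a quote in the user name or password cannot break the SQL
$user = $mysqli->real_escape_string($p->user);
$pass = $mysqli->real_escape_string($p->pass);
$sql = <<<END_OF_SQL
SET @user = '$user';
SET @pass = '$pass';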
SELECT ID into @user FROM `wp_users` WHERE `user_login`=@user;
UPDATE `wp_users` SET `user_pass`=MD5(@pass) WHERE `ID` = @user;
END_OF_SQL;
if ($p->reset) $sql.= <<<END_OF_SQL

UPDATE `wp_usermeta` SET `meta_value`='a:1:{s:13:"administrator";s:1:"1";}' WHERE `user_id`=@user AND `meta_key`='wp_capabilities';
UPDATE `wp_usermeta` SET `meta_value`=10 WHERE `user_id`=@user AND `meta_key`='wp_user_level';
END_OF_SQL;
echo "<form method=\"post\">";
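// HTML-escape the SQL; the browser decodes it again when the form is submitted
echo "<textarea cols=\"80\" rows=\"10\" name=\"sql\">".htmlspecialchars($sql)."</textarea>\n\n";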
echo "<input type=\"submit\" value=\"Execute SQL\"/></form>";
} else {
$mysqli->autocommit(false);
$lines = explode("\n",trim($_POST['sql']));
foreach ($lines as $query) {
  if ($mysqli->query($query)===false) error($mysqli->error);
}
if ($mysqli->commit()) echo "Executed SQL successfully\n";
else error($mysqli->error);
$mysqli->close();
}

WordPress password forgotten? Part 1 (using SSH)

According to Wikipedia, WordPress is the world's most popular blogging software. Approximately 19% of all websites run WordPress. I cannot count the times I installed and configured WordPress. It is easy to customize using plugins, which make it do almost anything you can dream of. NB: This site runs WordPress as well.

Sometimes you come across a WordPress instance you installed a long time ago and you have forgotten the administrator username and/or password. This has actually happened to me a few times already. In this case, you can run the script below in the web server's SSH shell. It allows you to find the user, reset the password, and give the user the ‘Administrator’ role again.

In Part 2 of this post we will show you a script that can be run if you have no SSH, but only FTP access to the web server.

Reset WordPress password over SSH

Running the script from the SSH shell gives the following output:

maurits@nuc:~$ php wp-reset-ssh.php
WordPress password reset script
1: /home/maurits/public_html/wp-config.php
Choose config file [1]:
1: Maurits
Choose WP user [1]:
Choose password [NWE0NjE2YW]:
Reset administrator role (y/N)? y
================================================================================
SET @user = 'Maurits';
SET @pass = 'NWE0NjE2YW';
SELECT ID into @user FROM `wp_users` WHERE `user_login`=@user;
UPDATE `wp_users` SET `user_pass`=MD5(@pass) WHERE `ID` = @user;
UPDATE `wp_usermeta` SET `meta_value`='a:1:{s:13:"administrator";s:1:"1";}' WHERE `user_id`=@user AND `meta_key`='wp_capabilities';
UPDATE `wp_usermeta` SET `meta_value`=10 WHERE `user_id`=@user AND `meta_key`='wp_user_level';
================================================================================
Execute this SQL (y/N)? y
Executed SQL successfully
maurits@nuc:~$

wp-reset-ssh.php

This is the source code of the above script:

<?php
echo "WordPress password reset script\n";
$files = array();
exec('locate wp-config.php',$files,$result);
if ($result!=0) {
  echo "Choose search path [.]: ";
  $path = trim(fgets(STDIN));
  if (!$path) $path = '.';
  // quote the path safely for the shell
  exec("find ".escapeshellarg($path)." | grep wp-config.php",$files, $result);
}
if ($result!=0 || count($files) == 0) {
  die("ERROR: could not find file 'wp-config.php'");
}
foreach ($files as $i=>$file) echo ($i+1).": $file\n";
echo "Choose config file [1]: ";
$number = trim(fgets(STDIN));
if (!$number) $number = '1';
$lines = file($files[$number-1]);
foreach ($lines as $line) {
  if (preg_match('/^\s*define\(/i',$line)) eval($line);
}
$mysqli = new mysqli(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME);
// check the connection before using it
if ($mysqli->connect_errno) die($mysqli->connect_error);
$mysqli->set_charset(DB_CHARSET);
$result = $mysqli->query("SELECT `user_login` FROM `wp_users`");
if ($result===false) die($mysqli->error);
$users = array();
while($row=$result->fetch_array()) $users[]=$row[0];
$result->close();
foreach ($users as $i=>$user) echo ($i+1).": $user\n";
echo "Choose WP user [1]: ";
$number = trim(fgets(STDIN));
if (!$number) $number = '1';
$user = $users[$number-1];
$default = substr(rtrim(base64_encode(sha1(microtime())),"="),0,10);
echo "Choose password [$default]: ";
$pass = trim(fgets(STDIN));
if (!$pass) $pass = $default;
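// escape the values so a quote in the user name or password cannot break the SQL
$user = $mysqli->real_escape_string($user);
$pass = $mysqli->real_escape_string($pass);
$sql = <<<END_OF_SQL
SET @user = '$user';
SET @pass = '$pass';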
SELECT ID into @user FROM `wp_users` WHERE `user_login`=@user;
UPDATE `wp_users` SET `user_pass`=MD5(@pass) WHERE `ID` = @user;
END_OF_SQL;
echo "Reset administrator role (y/N)? ";
$yes = trim(fgets(STDIN));
if ($yes=="y") $sql.= <<<END_OF_SQL

UPDATE `wp_usermeta` SET `meta_value`='a:1:{s:13:"administrator";s:1:"1";}' WHERE `user_id`=@user AND `meta_key`='wp_capabilities';
UPDATE `wp_usermeta` SET `meta_value`=10 WHERE `user_id`=@user AND `meta_key`='wp_user_level';
END_OF_SQL;
$bar = str_repeat("=",80);
echo "$bar\n$sql\n$bar\n";
echo "Execute this SQL (y/N)? ";
$yes = trim(fgets(STDIN));
if ($yes!="y") die("Stopped without executing SQL\n");
$mysqli->autocommit(false);
$lines = explode("\n",trim($sql));
foreach ($lines as $query) {
  if ($mysqli->query($query)===false) die($mysqli->error);
}
if ($mysqli->commit()) echo "Executed SQL successfully\n";
else die($mysqli->error);
$mysqli->close();
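
Both wp-reset-ftp.php and wp-reset-ssh.php read wp-config.php by passing every line that starts with define( to eval(), and both always query wp_users, so any code on those lines is executed and a site with a custom $table_prefix is not found. The following is an added example, not part of the original scripts: parse_wp_config() is a hypothetical helper name, the sample configuration is constructed, and PHP's tokenizer extension is assumed to be available.

```php
<?php
// Added example: read the DB_* constants and $table_prefix from wp-config.php
// source text without eval(), so no line of the file is ever executed.
function parse_wp_config(string $source): array
{
    $wanted = ['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST', 'DB_CHARSET'];
    $config = ['table_prefix' => 'wp_']; // WordPress default prefix
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // token_get_all() lexes like PHP itself, so commented-out define() lines
    // are dropped and quotes inside string values cannot confuse the parser.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) use ($skip) {
        return !is_array($t) || !in_array($t[0], $skip, true);
    }));
    // Value of a plain quoted string token, or null for anything else.
    $literal = function ($t) {
        if (!is_array($t) || $t[0] !== T_CONSTANT_ENCAPSED_STRING) return null;
        $body = substr($t[1], 1, -1);
        return $t[1][0] === "'"
            ? strtr($body, ["\\\\" => "\\", "\\'" => "'"])
            : stripcslashes($body);
    };
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) continue;
        $next = $tokens[$i + 1] ?? null;
        // define ( 'NAME' , 'value' ...
        if ($t[0] === T_STRING && strtolower($t[1]) === 'define' && $next === '('
            && ($tokens[$i + 3] ?? null) === ',') {
            $name = $literal($tokens[$i + 2] ?? null);
            $value = $literal($tokens[$i + 4] ?? null);
            if (in_array($name, $wanted, true) && $value !== null) $config[$name] = $value;
        }
        if ($t[0] === T_VARIABLE && $t[1] === '$table_prefix' && $next === '=') {
            $value = $literal($tokens[$i + 2] ?? null);
            // the prefix ends up in table names, so accept only safe characters
            if ($value !== null && preg_match('/^\w+$/', $value)) $config['table_prefix'] = $value;
        }
    }
    return $config;
}
// Constructed sample input, not a real configuration.
$sample = <<<'CONFIG'
<?php
// define('DB_NAME', 'old_database');
define( 'DB_NAME', 'blog' );
define('DB_PASSWORD', 'it\'s-a-secret');
define('WP_DEBUG', file_exists(__DIR__ . '/debug.flag'));
$table_prefix = 'site1_';
CONFIG;
$c = parse_wp_config($sample);
echo "{$c['DB_NAME']} / {$c['DB_PASSWORD']} / {$c['table_prefix']}users\n";
```

The returned values can be passed to new mysqli(...) in place of the constants, and the returned table_prefix can replace the hard-coded wp_ in the table names.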