Fixes

Locked out of WordPress admin: 6 ways back in, ranked by safety

By Ali Yasin Jatoi 6 min readUpdated July 10, 2026
Reviewed by Ali Yasin Jatoi, Founder & Lead Engineer· Updated July 10, 2026

Quick answer

The safest route back into a locked WordPress admin is the password reset email. If that fails, use the emergency password reset script over FTP, then edit the users table directly in phpMyAdmin, then disable plugins and switch themes via the file manager. Every step past the password reset assumes something is broken, so make a backup first. If a security plugin locked the IP, it is faster to whitelist the IP than to bypass the plugin.

Start with the lowest risk method that fits

Method 1: click 'Lost your password' on wp-login.php. If the email arrives you are done in 30 seconds. This is the only method that does not need file or database access.

Method 2: if the reset email never arrives, the site cannot send email at all. That is a separate bug (see our SMTP guide) but you can still get in with method 3.

Method 3: upload the emergency password reset script from WordPress.org to the site root via FTP, load it once in the browser to reset the admin password, then delete the file. It is safe because it lives on the server for less than a minute.

When you need to touch the database

Method 4: open phpMyAdmin from your hosting panel, find the wp_users table, edit the admin row, and set user_pass to a new value using the MD5 function. Save. You can log in with the new password immediately.

Backup the users table before editing. A single mistyped column will lock you out further.

If the site uses a table prefix other than wp_, use whatever prefix your wp-config.php specifies. Guessing the prefix and editing the wrong row does nothing.

When the login page itself is broken

Method 5: rename the plugins folder to plugins-off via FTP or the host file manager. WordPress deactivates every plugin. Log in, rename back, activate plugins one by one to find the culprit.

Method 6: rename the current theme folder inside wp-content/themes. WordPress falls back to a default theme. Useful when a broken functions.php white screened the admin.

Both are reversible and touch only the filesystem, not the database.

The most common cause is the least dramatic

Nine times out of ten the lockout is Wordfence or Limit Login Attempts blocking your own IP after a few wrong passwords. Ask your host or another admin to whitelist the IP, then log in normally.

If you use two factor authentication and lost the device, disable the 2FA plugin via method 5, log in, and set 2FA up again with a fresh device before you leave the admin.

Common questions

Can I recover a WordPress admin account without email access?+

Yes. The emergency password reset script or a direct edit of the wp_users table in phpMyAdmin both reset the admin password without sending an email. You just need FTP or database access.

Is editing wp_users in phpMyAdmin safe?+

It is safe if you back up the table first and only change the user_pass column of the correct admin row. Any other change can break login for every user on the site.

Why does my password reset email never arrive?+

Because the site cannot send email at all. WordPress by default uses PHP mail, which most hosts either disable or filter as spam. Fix it with an SMTP provider and the reset flow starts working.

Want help with this?

The pages below go deeper, by service and by city.

Want this handled for you?

Book a call and we will review your site before recommending anything.

Call Book a call