Can’t log in to WordPress despite changing password to something known directly in MySQL or using “Password Reset by Email” feature

I’m unable to log in to my WordPress site v3.1.3 even though I know the password.

To be extra sure, I directly changed the password for the user account (ID=1) with

UPDATE wp_users SET user_pass="(MD5-hash-of-pwd)" WHERE ID = 1;

I’ve verified that:

  1. ID=1 is my user account
  2. Triple checked that the MD5 hash is correct for the password I am setting it for
  3. Quadruple checked that my user_login name is the one I’m using

I then go to my WordPress login and am told that my username and password is incorrect.

I also tried using the “forgot password” flow that allows me to reset by email. I successfully changed the password using that flow but still can’t log in. Oddly enough, I noticed that when I look directly in MySQL, the hash value for is different when I generate it with an online MD5 tool vs. the password reset flow.

I’ve verified on the WordPress site that they state they use MD5 for pwd hashes:
http://codex.wordpress.org/Resetting_Your_Password

What’s going on?!

1 Answer

WordPress does NOT use the MD5 hash for passwords anymore. It uses the PHPass library to generate secure password hashes.

However, WordPress will support MD5 hashed passwords. On the first login of a user with such a password, it will detect that case and change the password entry to be the newer, more secure, PHPass version of the password.

Therefore, the codex is not wrong. Putting an MD5 password into the DB will work and let you log in, due to this backwards compatibility.

That said, the password reset by email, if you get the password, can’t be mistaken. Perhaps something is wrong with your database itself or you’re having caching issues. Try repairing the database tables using phpMyAdmin or similar.
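The behaviour described in this answer, as an added Python model that is not part of the original answer and not WordPress's own code: a 32-character hex value in `user_pass` is checked as plain MD5 and replaced on success, while a `$P$` value is checked with the phpass portable scheme. The function names, the cost setting of 13 and the sample password are assumptions made for the example.

```python
import hashlib, hmac, os, re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass's base64 variant: little-endian 6-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):      # 3 bytes -> 4 chars, 1 byte -> 2
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Portable phpass: salted MD5 iterated 2**cost times.
    `setting` is the first 12 chars: '$P$', one cost char, 8 salt chars."""
    log2 = ITOA64.find(setting[3:4])
    if setting[:3] not in ("$P$", "$H$") or not 7 <= log2 <= 30 or len(setting) < 12:
        return "*0"                          # never equals a stored hash
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def new_phpass(password: str, log2: int = 13) -> str:
    # Assumption: cost 13 (character 'B'), with a fresh random 8-char salt.
    return phpass_hash(password, "$P$" + ITOA64[log2] + encode64(os.urandom(6)))

def check_login(password: str, stored: str):
    """Return (login ok, value user_pass should hold after this attempt)."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):        # legacy row: bare MD5 hex
        guess = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(guess, stored)
        return ok, (new_phpass(password) if ok else stored)  # upgrade on success
    if len(stored) == 34:                            # phpass portable hash
        calc = phpass_hash(password, stored)
        return hmac.compare_digest(calc.encode(), stored.encode()), stored
    return False, stored     # quotes, whitespace or truncation land here

if __name__ == "__main__":
    row = hashlib.md5(b"constructed-pw").hexdigest() # constructed sample value
    ok, row = check_login("constructed-pw", row)
    print(ok, row[:4], len(row))                     # row is now a $P$ hash
    print(check_login("constructed-pw", row)[0])
```

A `user_pass` value that is neither 32 lowercase hex characters nor a 34-character `$P$` string fails in this model, so inspecting the exact stored value (length, case, stray characters) is a quick first check.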
