Can I reset my WordPress password without access to my email?

Yes. Use phpMyAdmin to edit the user_pass field in the wp_users table directly (set the function to MD5 and type your new password), or use WP-CLI if you have SSH access. Neither method requires email delivery.

Why does the WordPress login page just reload after I enter my password?

A looping login page is usually caused by a plugin interfering with the authentication process or a cookie/domain mismatch. Rename your plugins folder via FTP to disable them all, then try again. If that fixes it, reactivate plugins one by one to find the culprit.

My account still exists but I keep getting redirected away from the dashboard. What happened?

Your user role was likely corrupted or removed. In phpMyAdmin, find your row in wp_usermeta where meta_key is wp_capabilities and make sure the value is exactly: a:1:{s:13:"administrator";b:1;} — edit and save if it differs.

Is it safe to add a temporary admin user via functions.php?

Yes, as a short-term recovery measure, but you must remove the code from functions.php immediately after logging in and then delete or demote the temporary account. Leaving that code in place permanently is a serious security risk.

Locked Out of WordPress Admin: Every Way Back In

If you can't get into your WordPress admin, there is always a way back in — you just need to pick the right method for your specific situation. Whether you've forgotten your password, your email is broken, a plugin is blocking you, or something scrambled your user account, this guide walks through every recovery path in order from quickest to most technical.

Before you start: take a backup if you can. Some steps below touch the database directly. If your host gives you one-click snapshots (most do), trigger one now. It takes two minutes and means a mistake can't make things worse.

Step 1: Rule Out the Obvious

Start here — it sounds basic but these quick checks save engineers hours every week:

Caps Lock. WordPress passwords are case-sensitive.
Wrong URL. Some installs live at /wp/, /blog/, or a subdirectory. Try yoursite.com/wp-login.php directly instead of navigating to it.
Browser cache or autofill. Try an incognito window with no saved passwords. If that logs you in, clear your browser cache and update the saved credentials.
Wrong site. If you manage several sites, double-check the domain in the address bar.

Step 2: Use the Built-In Password Reset

Go to yoursite.com/wp-login.php and click Lost your password? Enter your username or the email address on the account. WordPress sends a reset link.

If no email arrives, check your spam folder first. Then check whether your site can send email at all — a broken mail configuration is one of the most common reasons the reset link never shows up. If you've confirmed mail is broken, skip to Step 3 so you can reset without relying on email.

Step 3: Reset the Password via phpMyAdmin

Every shared host includes phpMyAdmin (or a similar database GUI) inside cPanel or Plesk. This is the safest database-level fix and doesn't require touching any files.

Log into your hosting control panel and open phpMyAdmin.
Select your WordPress database from the left-hand list.
Open the wp_users table. (Your table prefix may differ — look for a table ending in _users.)
Click Edit on the row for your admin account.
Find the user_pass field. In the Function dropdown, select MD5. Type your new password in the Value field.
Click Go to save.

Why MD5? WordPress actually uses a stronger hash (phpass) internally, but when you save an MD5 hash via phpMyAdmin, WordPress detects it on the next login, accepts it, and immediately re-hashes it with its own scheme. Your password works normally after that.

Try logging in now. If it works, you're done.

Step 4: Reset the Password via WP-CLI

If you have SSH access, this is the cleanest method and carries zero risk of a database mistake:

wp user update 1 --user_pass="YourNewPassword" --allow-root

Replace 1 with your actual user ID (visible in the wp_users table as ID), and choose a strong password. WP-CLI handles the correct hashing automatically.

Step 5: Add a New Admin User via functions.php

If you can't reset the existing account, you can inject a fresh admin user by adding a small code snippet to your active theme's functions.php. This is a temporary measure — remove the code immediately after logging in.

Connect to your site via FTP or your host's File Manager.
Navigate to wp-content/themes/your-active-theme/ and open functions.php.
Add the following at the very end of the file:

add_action('init', function() {
    if (!username_exists('temprecovery')) {
        $user_id = wp_create_user('temprecovery', 'Ch@ngeMe123!', '[email protected]');
        $user = new WP_User($user_id);
        $user->set_role('administrator');
    }
});

Save the file and load any page of your site. WordPress will run the snippet and create the user.
Log in at /wp-login.php with username temprecovery and the password above.
Immediately remove those lines from functions.php and save. Then go to Users and delete or demote the temporary account once you've fixed your real one.

Step 6: Deactivate All Plugins via FTP

A security plugin, two-factor authentication plugin, or broken authentication plugin can prevent login even when your credentials are correct. Symptoms: you enter the right password, the page just reloads or throws an error, and a password reset doesn't help.

To rule plugins out entirely:

Connect via FTP or File Manager.
Navigate to wp-content/plugins/.
Rename the entire plugins folder to something like plugins_disabled.
Try logging into /wp-login.php.
Once you're in, rename the folder back to plugins. WordPress will see all plugins as deactivated. Reactivate them one by one from the Plugins screen to identify the culprit.

For more on isolating a misbehaving plugin, see How to Find Which Plugin Is Breaking Your WordPress Site.

Step 7: Check and Repair User Roles in the Database

Occasionally a plugin or a failed migration strips an account of its administrator role without deleting it. You can log in, but you're immediately redirected away from the dashboard, or you see "You do not have permission to access this page."

Fix it in phpMyAdmin:

Open the wp_usermeta table.
Search for rows where user_id matches your account's ID and meta_key is wp_capabilities (adjust for your prefix).
The meta_value should read: a:1:{s:13:"administrator";b:1;}
If it's anything else — an empty value, a wrong role, or missing entirely — edit it to match exactly the string above and save.

Step 8: Resolve a Locked Account from Too Many Failed Logins

Some security plugins (Wordfence, Limit Login Attempts Reloaded, and others) lock accounts after repeated failed login attempts. If you see a message like "You have been locked out" or "Too many failed login attempts," the fix is to deactivate that plugin via FTP using the folder-rename method in Step 6, log in, then whitelist your IP before re-enabling the plugin.

Alternatively, some plugins store lockout data in the wp_options table. Search for rows with option names containing the plugin's slug (e.g., limit_login_) and delete the lockout record — but renaming the plugins folder is faster and less risky.

Step 9: Confirm Your Admin URL Hasn't Been Changed

Security plugins like WPS Hide Login let you move the login page to a custom URL. If you or a previous developer enabled this, /wp-login.php returns a 404 and you may not know the new path. Check your wp-config.php for any constant defining a custom login URL, or search wp_options in phpMyAdmin for the plugin's stored setting. Disabling the plugin via FTP will restore the default login URL.

Step 10: Restore from a Backup

If none of the above steps are working — or you suspect the account was tampered with during a hack — a clean restore from a known-good backup is the safest path forward. After restoring, immediately change all admin passwords and review for signs of compromise. See WordPress Site Hacked? Here's How to Clean It Up — Safely for a full post-hack checklist.

How to Prevent Getting Locked Out Again

Store admin credentials in a password manager, not a browser or sticky note.
Keep a secondary administrator account with a different email address. If your primary account breaks, the backup account gets you in instantly.
Use a transactional mail service (Brevo, Postmark, Mailgun) so password reset emails actually deliver.
Document any custom login URL before a security plugin changes it.
Test logins after every major update before closing your session — especially after authentication-related plugin updates.

The Pre-Update Checklist That Keeps WordPress Safe covers the wider update habits that prevent emergencies like this.

When to Call a Professional

You should call for help when:

You've worked through every step above and still can't get in.
Your wp_users table is empty or shows signs of tampering.
You suspect a hack and need the site cleaned and secured, not just unlocked.
You don't have FTP access or database credentials and can't get them from your host quickly.
The site is an active business and every minute of downtime costs real money.

In situations like these, Mend's Emergency Rescue gets a senior engineer on your site fast — most lockout cases are resolved the same day. You get a plain-English report of exactly what was wrong and what changed, and the fix is guaranteed or your money back. There are no passwords to share; access is granted securely through the Mend Connect plugin and revoked the moment the job is done.

If you're not sure what's broken, start with a free Diagnosis — no card required, and you'll get a flat price before any work begins.