Locked Out of WordPress? Fix It With One SQL Query

You forgot your WordPress admin password and the reset email is dead. There's still a way back in: rewrite the hash directly in the database. But WordPress doesn't use bcrypt by default — it uses a 2008-era algorithm called phpass, and getting this wrong locks you out further. In this video: — Why WordPress ships with phpass, not bcrypt — How wp_users stores the user_pass column — How WordPress detects the hash format on every login — Generating a phpass hash with the WordPress PasswordHash class — Generating a bcrypt hash with PHP's password_hash and PASSWORD_BCRYPT — The exact SQL UPDATE query for both phpass and bcrypt paths — Why WordPress 6.8 added native bcrypt support and what wp-password-bcrypt does on older sites — How old phpass hashes coexist with new bcrypt hashes after migration — Why WP-CLI is almost always the safer choice over raw SQL — Cost factor recommendations for modern servers — Why you must never store plaintext or bare MD5 in user_pass This is the practical recovery playbook every WordPress developer should have in their back pocket before the next 1 AM lockout. ⏱ Chapters 0:00 Intro 0:33 When it's legitimate 1:09 The wp_users table 1:38 Why not bcrypt by default 2:20 How login detects format 2:53 Generate a phpass hash 3:20 The phpass UPDATE query 3:45 Enabling bcrypt 4:22 Generate a bcrypt hash 4:49 The bcrypt UPDATE query 5:16 Lazy migration to bcrypt 6:00 WP-CLI: the safer way 6:37 Picking a cost factor 7:16 Never plaintext, never MD5 8:00 Wrap-up ▶ Read the full blog post: https://rohantgeorge.ca/wordpress-bcrypt-password/ 🎬 Watch the Short: https://youtu.be/WVD0sqtNJAM #wordpress #php #webdev #mysql #bcrypt #phpass #password #security #devops #wpcli #database #sysadmin #wordpressdev #hashing