Wordpress login details

Discussion in 'Business & Enterprise Computing' started by SpaceFrog, Jan 4, 2019.

  1. SpaceFrog

    SpaceFrog Member

    Joined:
    May 29, 2002
    Messages:
    2,047
    Location:
    Brunswick, Melb.
    Hi Guys,

    my new boss doesn't have the login details for wordpress websites that his previous employee(s) setup for his clients.

    He told me he would try and track down the details for me, but it's been a copule of months and he hasn't found them, and his clients need the site(s) updated.

    I had a quick look at resetting the login. I believe we need FTP access or the email account that it was set up with.

    If we can't recover the details, what are the options? find out where it's hosted and gain ftp access?
     
  2. Rubberband

    Rubberband Member

    Joined:
    Jun 27, 2001
    Messages:
    6,750
    Location:
    Doreen, 3754
    You need the email address or FTP.

    You can also change via the MSSQL DB.
     
  3. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,229
    Don't do this...

    but...

    If its an old version, there may be exploits available that give you admin access :).
     
    elvis and bcann like this.
  4. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    5,581
    Location:
    NSW

    Fuck it ... YOLO, and besides with shodan its likely already owned by someone else anyway.
     
  5. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    7,221
    Location:
    Briz Vegas
    post on Russian forum with bitcoin reward to first person to own site, then get details of them. ;)
     
  6. PunX0r

    PunX0r Member

    Joined:
    Nov 26, 2003
    Messages:
    194
    Easiest way would be to get the CPanel details of the host, this will then allow you to log in to the hosting panel, access mySQL and perform a password reset directly via the database.

    If you get stuck, shoot me a PM and see if I can help further.
     
  7. ni9ht_5ta1k3r

    ni9ht_5ta1k3r Member

    Joined:
    Feb 11, 2006
    Messages:
    33,706
    Location:
    地球・オーストラリア・シドニー
    that's how i'd do it but i can't remember what encryption is used to hash the password. would leaving it blank force a reset?
     
  8. mr camouflage

    mr camouflage Member

    Joined:
    May 25, 2012
    Messages:
    776
    if you can get to the database, you can change the email address and do a password reset via wordpress.
     
  9. PunX0r

    PunX0r Member

    Joined:
    Nov 26, 2003
    Messages:
    194
    Its stored in MD5. This is the command you run, replacing 'new_password' and "admin_username" with he correct values.

    UPDATE `wp_users` SET `user_pass` = MD5( 'new_password' ) WHERE `wp_users`.`user_login` = "admin_username";
     
  10. ni9ht_5ta1k3r

    ni9ht_5ta1k3r Member

    Joined:
    Feb 11, 2006
    Messages:
    33,706
    Location:
    地球・オーストラリア・シドニー
    hmm....i thought it was using SHA for encryption. oh well.
     
  11. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,427
    Location:
    qld.au
    There haven't been many exploits for the core versions, 99% of the issues are with the plugins. If it had a plugin which was exploitable, the chances are it's already been done by someone else and it'd be suspended.

    It's MD5 and while that sounds scary, it's salted and with 8 passes with the ability to change the hashing for those without MFA / extreme paranoia.

    Easiest Way
    WordPress has a password reset system... when you go to login you click on the "Lost Password" link, if you have a login associated with an email address for your boss / work then it's all complete.

    Otherwise see this: https://codex.wordpress.org/Resetting_Your_Password
     
  12. mr camouflage

    mr camouflage Member

    Joined:
    May 25, 2012
    Messages:
    776
    I have read that Wordpress has a security <del>flaw</del> feature where by if you change the password in the database to md5(anypassword*), and then log in, it will allow you to login with the md5'd password and then re-encrypt the password to its stronger version (depending on what you have set up the encryption to be) and save it to the database.

    But the easiest way, as I mentioned before, is to change the email address to one you have access to and use the password reset/forgot password feature built in to wordpress. Then you don't need to know/care what encryption it is using.

    * where "anypassword" is a password of your choosing.
     

Share This Page

Advertisement: