Recovering the administrator password with a PHP file (Drupal7)

Last updated February 23, 2013. Created by Ayesh on May 1, 2012.
Edited by LeeHunter, jwilson3. Log in to edit this page.

Some hosting environments do not allow SSH access to the web server where a Drupal site is installed which makes it impossible to recover the Drupal 7 administrator account password via the command-line. The following method should be employed as a "last resort" when the command-line based password recovery techniques do not work.

The password reset method described below uses a PHP script that must be uploaded to the web server to reset the administrator password. The ability to upload a PHP file to the server where the site is hosted is required for successful execution of this method.

Under the hood, the PHP script executes a full Drupal bootstrap in order to obtain access to the necessary functions that generate the administrative password and then update the database with the new password that you specify via the URL when you execute the script through the web browser.

Note: leaving this password reset script on your server after resetting the password constitutes a highly critical security hole that enables anyone to reset your administrator password. Use this script carefully, and always delete the script after you're finished using it.

1. First, create a file with a random name (gh34tu9.php for example).
2. Copy and paste the following contents into the file, and save the file.
   
   <?php
define('DRUPAL_ROOT', getcwd());
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
require_once DRUPAL_ROOT . '/includes/password.inc';
if (isset($_GET['pass']) && !empty($_GET['pass'])) {
  $newhash =  user_hash_password($_GET['pass']);
}
else {
  die('Retry with ?pass=PASSWORD set in the URL');
}

$updatepass = db_update('users')
  ->fields(array(
    'pass' => $newhash,
// Uncomment the following lines to reset the administrative username and/or email address, if necessary.
//    'name' => 'admin',
//    'mail' => 'yourmail@example.com'
  ))
  ->condition('uid', '1', '=')
  ->execute();
print "Done. Please delete this file immediately!";
drupal_exit();
?>
3. Upload the file to the root of the Drupal installation directory (i.e., where index.php, update.php, robots.txt and other files and directories exist).
4. Execute the script, by requesting the file in a web browser using the following URL pattern:
   http://example.com/gh34tu9.php?pass=mypassword
   In the above URL,
   - replace example.com with your actual domain name,
   - replace gh34tu9.php with the actual file name that you specified in step one above,
   - replace mypassword with the desired new password.
   Note: It is highly recommended you choose a password that contains upper and lowercase letters and numbers, and is at least 12 digits in length.
5. If the script executes successfully, you will see the text "Done" in your web browser. The password of the administrative account created when installing Drupal (i.e., user/1) will be changed to "mypassword" (or whatever value you specify).
6. Finally, delete the file from the Drupal installation root directory.

Reset administrator account username

If you can't remember (or simply do not know) the username of the administrator account, in the script above, change //    'name' => 'admin', to     'name' => 'admin', and the username will also be changed to "admin". You may also reset the administrator's email address in the same way, by "uncommenting" (remove the //) the line for the email address in the script above.

For your convenience, the source file of the script above is attached below inside a ZIP file. You may download the zip file, unzip it, and upload the file to the server. Make sure you change the file name to something other than the original name. Finally, don't forget to delete the file as soon as you have changed the password.

This document contains insecure code

Your edits to this page are welcome. But please do not change its status to anything other than "Insecure code".