Gosh, after being away for a month, I forgot to update one of my clients’ websites that is running WordPress to the latest version. The site was running WordPress 2.8.3 and is vulnerable to the admin reset exploit. Anyone can reset the administrator password by entering a special URL (http://www.domain.com/wp-login.php?action=rp&key=) in a web browser, which causes the administrator password to change, and it cannot be recovered from the Lost Password page. True enough, some script kiddie found out and used the exploit to reset the admin password. He can’t get into the WordPress admin site but just caused some inconvenience to the owner of the site.
Fortunately, resetting the WordPress administrator password is very easy through phpMyAdmin. phpMyAdmin is a free software tool written in PHP for administering MySQL from your web browser. If you don’t have it, I’d suggest asking your server administrator to install it.
Once you’re logged in to phpMyAdmin, make sure you’re editing the right WordPress database. The list of databases should appear in the left pane. Click the database name to select it.
Once you’ve done that, click on wp_users in the left pane, which should list all users for the WordPress site. Look for admin in the user_login column and click the Edit button, which has a pencil icon.
In the user_pass row, change the value to 5f4dcc3b5aa765d61d8327deb882cf99 and click the Go button.
Now go to your wp-admin page and log in with the following details:
Once you’re logged in, go to Users > Your Profile, scroll down to the bottom of the page and set a new password. Finally, don’t forget to update your WordPress to the latest version so your site will no longer be vulnerable to the WordPress admin reset exploit.
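The database edit above, scripted as an added example (not code from the original post): the value pasted into user_pass is the unsalted MD5 of the word "password", so this sketch generates a random temporary password instead and prints the matching UPDATE statement for phpMyAdmin's SQL tab. The function names are hypothetical, and it assumes the wp_users table name and admin login shown above, and that WordPress accepts an MD5 hex digest in user_pass as the post's procedure does.

```python
import hashlib
import re
import secrets

# Value the post pastes into user_pass; it is the MD5 of the word "password".
PAGE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, the format the post stores in user_pass."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def reset_statement(login: str = "admin", table: str = "wp_users"):
    """Return (temp_password, sql) for a one-off reset of a single account.

    The temporary password is random, so the account is never protected by a
    guessable value between the database edit and the first login.
    """
    # Table name and login are validated, not escaped: anything unusual is
    # rejected rather than pasted into the SQL text. (Assumed character sets.)
    if not re.fullmatch(r"[A-Za-z0-9_]+", table):
        raise ValueError("unexpected table name: %r" % table)
    if not re.fullmatch(r"[A-Za-z0-9_.@-]+", login):
        raise ValueError("unexpected login: %r" % login)
    temp_password = secrets.token_urlsafe(18)  # 18 random bytes -> 24 chars
    sql = (
        "UPDATE `%s` SET user_pass = '%s' WHERE user_login = '%s' LIMIT 1;"
        % (table, md5_hex(temp_password), login)
    )
    return temp_password, sql


if __name__ == "__main__":
    password, statement = reset_statement()
    print("Temporary password:", password)
    print("Run in phpMyAdmin's SQL tab:")
    print(statement)
```

Change the table argument if the site uses a different table prefix, and still set a new password from Your Profile after logging in.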