WordPress Password Generator

Generate a WordPress-compatible password hash instantly. Enter a password, click Generate, and copy the hash for manual resets in the WP database (wp_users.user_pass). Fast, free, and perfect for admins and developers.

WordPress Password Hash Generator

The WordPress Password Hash Generator converts a plain-text password into a WordPress-compatible hash you can paste directly into the WordPress database. Enter your password, click Generate, and copy the hash. Paste it into the user_pass field of the wp_users table in your WordPress database to set a new password for that user — bypassing the normal WordPress login and password reset process entirely.

This tool is for developers and site administrators who need to reset a WordPress password without access to the WordPress admin panel or the site's email. If you have access to the WordPress dashboard or can receive the account's reset email, use those methods instead — they are simpler and require no database access.

How to use the WordPress Password Hash Generator

  1. Enter the new password in the input field. Use a strong password — 12 or more characters with a mix of letters, numbers, and symbols.
  2. Click Generate. A WordPress-compatible password hash is produced immediately.
  3. Copy the full hash. It will be either a bcrypt hash (starting with $2y$, approximately 60 characters) or a phpass hash (starting with $P$, 34 characters). Copy the entire string.
  4. Open your WordPress database in phpMyAdmin, Adminer, or your hosting control panel's database tool.
  5. Navigate to the wp_users table (or your custom-prefixed equivalent — see the table prefix section below). Find the row for the user you want to update. Click Edit. Replace the value in the user_pass column with the copied hash. Click Save/Go. Log in with the new password.

Always verify you are editing the correct user row before saving. The wp_users table contains every WordPress user including admins, editors, and subscribers. Find the row by matching the user_login column (the username) to the account you want to reset. Updating the wrong row locks out a different user. If you are on a shared or managed host, take a database backup before making any manual changes.

Direct SQL update — the fastest method

If you have access to phpMyAdmin's SQL tab or a MySQL command line, the following query updates the password directly without navigating the table interface. Replace the hash and user ID values:

SQL: UPDATE wp_users SET user_pass = '$2y$10$REPLACE_WITH_YOUR_HASH' WHERE ID = 1;

Replace $2y$10$REPLACE_WITH_YOUR_HASH with the full hash from the generator. Replace 1 with the correct user ID (you can find the ID in the ID column of wp_users — the administrator account is usually ID 1 on a fresh WordPress install, but may differ on migrated or older sites). Replace wp_users with your custom table prefix if applicable (see below).

If your WordPress installation uses a custom database table prefix (not the default wp_), the users table will be named differently. Find your prefix in wp-config.php — look for the line: $table_prefix = 'wp_'; — and replace wp_users in the query with yourprefix_users. For example, if $table_prefix = 'wp5f3_'; then the table is wp5f3_users.

When to use this tool — and when not to

 

| Situation | Best method | Why |
| --- | --- | --- |
| You have access to the WordPress admin panel | Standard WP password reset | The simplest and safest option. Users → find the user → Edit → new password → Update User. WordPress handles hashing automatically. No database access required. |
| Admin email works and you can receive email | Lost password email link | Go to /wp-login.php, click Lost your password, enter the admin email. WordPress emails a reset link. No database or hash knowledge needed. |
| You have SSH or command-line server access | WP-CLI | Run: wp user update 1 --user_pass='your-new-password' (replace 1 with the user ID). WP-CLI hashes the password correctly and updates the database. The cleanest developer option. |
| You have database access (phpMyAdmin, MySQL) but no WP admin or email access | This tool + database update | Generate the hash here, then update wp_users.user_pass directly via phpMyAdmin, Adminer, or a MySQL query. Use only when the above options are unavailable. |
| You are building a migration script or seeding a staging database | This tool or wp_hash_password() in PHP | During site migrations, imports, or staging database seeding, you may need to set known passwords for test users. Generate hashes here for manual entry, or use WordPress's wp_hash_password() function in PHP scripts. |

 

How WordPress stores and verifies passwords

WordPress never stores plain-text passwords. When a user sets or changes a password, WordPress passes it through a hash function and stores only the hash. When the user logs in, WordPress hashes the submitted password and compares the result to the stored hash. If they match, access is granted. The original password is never stored and cannot be recovered from the hash.

| WordPress version | Hashing method | Details |
| --- | --- | --- |
| Before WordPress 2.5 | MD5 (plain) | Passwords stored as unsalted MD5 hashes — trivially reversible with rainbow tables. No longer used in any current WordPress installation. |
| WordPress 2.5 to 5.x | phpass (Portable PHP Password Hashing Framework) | WordPress adopted phpass, which uses a salted, iterated MD5-based scheme. Hashes start with $P$ (portable) or $H$ (H = WordPress-specific phpass variant). This was the standard for over a decade and remains valid — WordPress still accepts $P$ hashes for backward compatibility. |
| WordPress 6.x and later (PHP 7.2+) | bcrypt (via PHP password_hash()) | |

 

When you paste a hash generated by this tool into wp_users.user_pass and the user logs in successfully, WordPress may automatically re-hash the password using the current algorithm and update the stored hash. This is expected behaviour — it is WordPress upgrading the stored hash from phpass ($P$) to bcrypt ($2y$) on first login. The user's password does not change; only the hash format in the database is updated to the stronger algorithm.

Full phpMyAdmin step-by-step workflow

  1. Log in to phpMyAdmin (typically at yourdomain.com/phpmyadmin or via your hosting control panel under Databases).
  2. In the left panel, select your WordPress database (usually named wp, wordpress, or something your host assigned during installation).
  3. Click on wp_users in the left panel (use your custom prefix if applicable).
  4. Find the row for the user you want to reset. Look at the user_login column to identify the correct account. Note the ID value for that row.
  5. Click Edit on that row. In the user_pass field, delete the existing hash and paste the new hash from the ToolsPiNG generator. Click Go to save.
  6. Test the new password at yourdomain.com/wp-login.php. If login fails, see the troubleshooting section below.

 

Troubleshooting — login still fails after updating the database

| Problem after updating user_pass | Cause and fix |
| --- | --- |
| Login fails even with the new password | The most common cause is updating the wrong user row. In wp_users, confirm the user ID matches the account you want to reset. Check the user_login column to verify the username. Also confirm there is no WordPress object cache or login security plugin caching the old credentials — clear all caches after updating the database. |
| The hash was accepted but is now showing as plain text in the database | The generated hash was not copied correctly — it may have been truncated. A valid WordPress hash is at least 34 characters ($P$B...) or 60 characters ($2y$...). If the value in user_pass does not start with $P$ or $2y$, it was not stored as a hash. Re-copy the full hash from the generator and paste it again. |
| Password reset email still sends old password | WordPress password reset emails send a reset link, not the stored password — this is correct behaviour. The email does not reveal the password. After updating user_pass in the database, test login directly at /wp-login.php rather than requesting a reset email. |
| The site has a custom table prefix — wp_users does not exist | If the WordPress installation was set up with a custom database table prefix (e.g. wp34a_ instead of wp_), the users table will be named wp34a_users rather than wp_users. Find the correct prefix in wp-config.php: look for $table_prefix = 'wp_'; — replace wp_ in the table name with whatever prefix is defined there. |
| Login fails on WordPress Multisite | In WordPress Multisite, users are stored in the main site's wp_users table (shared across the network). The subsite's user table (wp_2_users, wp_3_users, etc.) stores supplementary user metadata, not passwords. Always update the main wp_users table when changing passwords in a Multisite installation. |
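
The following Python is an added example, not code from this page, from WordPress or from the generator. It recomputes a phpass ($P$) hash from the salt and cost character stored inside the hash itself, which is how a stored value is checked at login, and it rejects the truncated or plain-text user_pass values described in the table above. The function names, the salt saltsalt and the sample password are assumptions made for the example; bcrypt ($2y$) values are only recognised, not verified.

```python
import hashlib
import hmac

# Alphabet of phpass's base64 variant; a character's index also encodes the cost.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """Encode bytes as little-endian 6-bit groups, without padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Recompute a portable phpass hash using the first 12 chars of `setting`."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.find(setting[3])  # e.g. 'B' -> 13 -> 8192 rounds
    if not 7 <= count_log2 <= 30:
        raise ValueError("invalid cost character")
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()  # salt + password
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def check_user_pass(password: str, stored: str):
    """Return (ok, reason) for a value read from wp_users.user_pass."""
    if stored.startswith("$2y$"):
        return False, "bcrypt hash: not handled by this phpass-only check"
    if not stored.startswith(("$P$", "$H$")):
        return False, "not a hash: missing $P$ prefix"
    if len(stored) != 34:
        return False, f"truncated or padded: {len(stored)} characters, expected 34"
    try:
        recomputed = phpass_hash(password, stored)
        ok = hmac.compare_digest(recomputed.encode(), stored.encode())
    except ValueError as exc:
        return False, str(exc)
    return ok, "match" if ok else "password does not match"

# Constructed sample: the salt "saltsalt" and the password are made up here.
SAMPLE = phpass_hash("correct horse battery staple", "$P$Bsaltsalt")
if __name__ == "__main__":
    for value in (SAMPLE, SAMPLE[:30], "hunter2"):
        print(value, check_user_pass("correct horse battery staple", value))
```

The second and third values in the loop show the two failure modes from the table: a hash cut short during copy and paste, and a raw password typed into user_pass.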

 

Usage limits

| Account type | Daily hash generations |
| --- | --- |
| Guest | 25 per day |
| Registered | 100 per day |

 

Related tools

  • Password Generator — generate a strong random password before hashing it. A long, random password is much harder to brute-force than a short, memorable one.
  • Password Strength Checker — evaluate the strength of a password before setting it on a WordPress account.
  • MD5 Generator — generate MD5 hashes for non-security uses such as file checksums. Note: MD5 must never be used for password storage.

 

Frequently asked questions

What does this WordPress Password Hash Generator do?

It converts a plain-text password into a WordPress-compatible password hash that you can paste directly into the user_pass field of the wp_users table in your WordPress database. WordPress stores hashed passwords, not plain text. If you update user_pass with a raw password string, WordPress will not be able to verify it at login — it must be a valid WordPress hash. This tool produces that hash.

Where do I put the generated hash in WordPress?

In your WordPress database, in the wp_users table (or your custom-prefixed equivalent), in the user_pass column for the correct user row. Access this via phpMyAdmin, Adminer, or a direct MySQL query. The SQL command is: UPDATE wp_users SET user_pass = 'paste-hash-here' WHERE ID = user-id; — replace the hash and user ID with the correct values. Do not attempt to type a raw password into the user_pass field — it will not work. The field requires a valid hash string.

What hashing method does WordPress use?

WordPress 6.x running on PHP 7.2 or later uses bcrypt via PHP's password_hash() function. Bcrypt hashes start with $2y$ and are approximately 60 characters long. Older WordPress installations (or those running on older PHP) use phpass, which produces hashes starting with $P$ that are 34 characters long. Both formats remain valid in current WordPress — the database accepts both and WordPress can verify either. The hash this tool produces is compatible with current WordPress.

Can I use WP-CLI instead of this tool?

Yes — if you have command-line SSH access to your server, WP-CLI is the cleanest way to reset a WordPress password. The command is: wp user update USER_ID --user_pass='new-password' (replace USER_ID with the numeric user ID and set your password). WP-CLI hashes the password correctly using WordPress's own functions and updates the database in one step. This tool is for situations where SSH access is unavailable and you need to work through phpMyAdmin or a database interface.

Why does login still fail after I updated user_pass?

The most common causes are: (1) wrong user row — verify the user_login column matches the account you want to reset; (2) the hash was truncated when copying — a valid bcrypt hash is approximately 60 characters starting with $2y$, and a valid phpass hash is 34 characters starting with $P$; if the value in user_pass is shorter or does not start with those prefixes, re-copy the full hash; (3) object cache — some WordPress caching plugins or server-level caches may have the old session cached; clear all caches after the database update; (4) custom table prefix — if the wp_users table does not appear in your database, check wp-config.php for $table_prefix and use that prefix in the table name.

Is a WordPress password hash reversible?

Not by mathematical reversal — bcrypt and phpass are one-way functions. However, weak passwords can be brute-forced: an attacker with the hash database can try millions of common passwords per second until one matches. A strong, long, random password (16+ characters, mixed case, numbers, symbols) makes brute-force attacks impractical even if the hash is obtained. The generator tool on this page only produces the hash — the security of the resulting account depends entirely on the strength of the password you hash.

Does this tool work for WordPress Multisite?

Yes — in WordPress Multisite, all user passwords are stored in the main network's wp_users table (shared across all sites). When updating a password, always edit the main wp_users table, not a subsite's wp_2_users or wp_3_users table (those contain user meta, not passwords). The SQL query approach using the main wp_users table works correctly for Multisite.

Is the WordPress Password Hash Generator free?

Yes. The generator is free within the daily usage limits shown above. Guest users can generate 25 hashes per day without creating an account. Registering a free ToolsPiNG account increases the daily limit to 100 hash generations per day.