How to get into your CMS when you've locked the keys in your car.

Sometimes, you have shell access to a server, or a database dump, but you don't know how to log in as an admin. Maybe you've been given a copy of the latest database from production and are trying to replicate some bug locally. Maybe you're just forgetful.

How to get around this isn't going to be the same between frameworks, so here're a few of the popular ones I've had to use. Sometimes it's a way to reset a user's password without having access to their email, sometimes it's a way to log in as a user without needing to know the password at all.

This isn't a way to hack into servers. It's a way to get better access to something you already have access to.

This is currently very much a "PHP" cheatsheet. I might add more later. Throw me a comment if you have one to add?

Craft

Tip: the default login form for a Craft site uses the path /admin.

Using the craft command-line client

Log in as an existing user (in this case, “admin”):

craft users/impersonate admin

Using the database

Generate a new password hash using the tool at craftcmspwgen.

UPDATE users SET password="<password_hash>" WHERE username="admin";

---

Drupal (up to version 7), Backdrop, etc.

Tip: the default login form for a Drupal site uses the path /user.

drush user-password admin --password="<password>";

Drupal (version 8+)

Tip: the default login form for a Drupal site uses the path /user.

drush user:password admin "<password>";

---

WordPress

Tip: the default login form for a WordPress site uses the path /wp-login.php. There are numerous redirects, but out the box that one should work.

It's incredibly common for WordPress site administrators to change the login path to something obscure, so this might not work. This is a solution to the wrong problem, but let's not get into that here.

Using the wp-cli command-line client

Use wp user list to find the user name you want to log in as (in this example, it’s “admin”) and then run:

wp user update admin --user-pass=<password>

See wp user update – WP-CLI Command for more information.

Alternatively if this doesn’t work (sometimes it just… doesn’t), use
wp user list to find the user ID you want to log in as (in this example, it’s 1) and then run:

wp user reset-password 1 --show-password --skip-email

Using the database

Generate a new password hash using the tool at craftcmspwgen (yes, it says Craft, but it works on WordPress as well).

UPDATE wp_users SET user_pass="<password_hash>" WHERE user_login="admin";

---

Cover photo by Claudio Schwarz on Unsplash