Resetting Your Joomla Password via Database, FTP, and Email

Resetting Your Joomla Password via Database, FTP, and EmailLosing access to your Joomla administrator account is stressful, but there are multiple reliable ways to reset a Joomla password depending on your access: using Joomla’s built-in email reset, editing the database directly, or replacing files via FTP. This article explains each method step‑by‑step, when to use it, and safety precautions so you can regain access quickly and securely.

---

When to use each method

• Email reset — use first if you still receive emails for the admin user and Joomla’s mail is functioning. Least intrusive.
• Database reset — use when email reset fails or email isn’t available. Direct and immediate if you have database access (phpMyAdmin, Adminer, or command line).
• FTP method — use when you have filesystem access but can’t access the database directly or need to add a temporary PHP script to trigger a reset. Useful for shared hosts with limited tools.

---

Preparations and safety precautions

• Backup your site files and database before making changes.
• Work on a maintenance window if the site is live.
• If possible, make changes on a staging copy first.
• After regaining access, update and harden passwords and review user accounts.
• Use secure protocols (SFTP, SSH) and delete any temporary files you create.

---

Method 1 — Reset via Joomla’s built-in email recovery

1. Go to your Joomla administrator login page (typically /administrator).
2. Click “Forgot your password?” or “Reset” (wording depends on Joomla version).
3. Enter the administrator username or registered email address.
4. Check the admin email inbox for a reset link and follow it to set a new password.

If you don’t receive an email:

• Confirm the user’s email is correct in the database (see Method 2).
• Ensure your server can send mail (check mail logs or contact hosting).
• Temporarily set SMTP in Global Configuration → Server, or use an SMTP extension to send mail reliably.

---

Method 2 — Reset password via the database (phpMyAdmin / Adminer / MySQL)

This is the most reliable method when email fail or you have direct DB access.

Important: Joomla stores passwords hashed. For Joomla 3.x and earlier, passwords use bcrypt or MD5+salt depending on configuration and extensions. For Joomla 4, bcrypt is default. Rather than trying to recreate hashes manually, use one of these safe approaches:

Option A — Set a known password hash for the administrator account

1. Access phpMyAdmin (or Adminer/SSH MySQL).
2. Select your Joomla database.
3. Open the table prefix_users table — table name usually looks like jos_users or abc_users (prefix varies).
4. Locate the administrator user row (usually username = admin or check the usertype/admin fields).
5. Replace the password field with a known hash. For Joomla ⁄₄ you can use a bcrypt hash for a known password (example below uses the hash for password NewStrongP@ssw0rd):
   • Example bcrypt hash (do NOT use this on production—generate your own):
     \(2y\)10$e0NRK1u1Y8Kx6x7ZQf0eEeG7q9h3u1s4Y5Z6a7B8C9D0E1F2G3H4i
   • In phpMyAdmin paste the new hash into the password column and save.

Option B — Temporarily set the password to a MD5 hash plus known salt (older Joomla)

1. If your Joomla version accepts MD5+salt, set the password field to an MD5 hash plus salt format: md5hash:salt. For example, password secret123 with salt abcd → 482c811da5d5b4bc6d497ffa98491e38:abcd.
2. Save changes and log in using that password.

Option C — Create a new Super User account via SQL

1. Run this SQL (adjust table prefix jos_ to your prefix and set your desired username/email/password hash — bcrypt recommended):

INSERT INTO `jos_users` (`name`,`username`,`email`,`password`,`block`,`sendEmail`,`registerDate`) VALUES ('Temp Admin','tempadmin','[email protected]','$2y$10$...yourbcrypt...','0','1',NOW()); INSERT INTO `jos_user_usergroup_map` (`user_id`,`group_id`) VALUES (LAST_INSERT_ID(),8); 

1. Log in as tempadmin, then reset the original admin password from Joomla backend and remove the temp account.

Notes:

• Always replace jos_ with your actual table prefix.
• For bcrypt you can generate a hash locally via PHP:

  
  <?php echo password_hash('NewStrongP@ssw0rd', PASSWORD_BCRYPT); ?> 

• After logging in, re-enable two-factor authentication if used and review user settings.

---

Method 3 — Reset via FTP (temporary PHP script)

Use this when you have file access but not DB tools, or prefer a scripted reset.

1. Create a PHP file called reset_admin.php locally with the following content (adjust prefix and desired password):

<?php // Change these values define('JPATH_ROOT', __DIR__); // adjust if file in a subfolder require_once JPATH_ROOT . '/configuration.php'; $db_host = $GLOBALS['mosConfig_host'] ?? null; // Bootstrap Joomla framework to use its APIs (example for Joomla 3/4 may differ) if (file_exists(__DIR__ . '/libraries/src/Factory.php')) {     // Joomla 3/4 bootstrap     define('_JEXEC', 1);     require_once __DIR__ . '/includes/defines.php';     require_once __DIR__ . '/includes/framework.php';     $app = JFactory::getApplication('administrator');     $db = JFactory::getDbo();     $username = 'admin';     $newPassword = 'NewStrongP@ssw0rd';     $query = $db->getQuery(true)         ->select($db->quoteName('id'))         ->from($db->quoteName('#__users'))         ->where($db->quoteName('username') . ' = ' . $db->quote($username));     $db->setQuery($query);     $id = $db->loadResult();     if ($id) {         $user = JFactory::getUser($id);         $user->set('password', $newPassword);         if ($user->save()) {             echo 'Password reset successful.';         } else {             echo 'Failed to save user.';         }     } else {         echo 'User not found.';     } } else {     echo 'Unsupported Joomla version or bootstrap path incorrect.'; } ?> 

1. Upload reset_admin.php to your Joomla root via SFTP/FTP.
2. Run it by visiting https://your-site.example/reset_admin.php in browser.
3. After success, delete the file immediately.

Caveats:

• Joomla internal API usage differs by version; the above is a template—adjust includes for your Joomla release.
• If you can’t bootstrap Joomla, you can write a direct DB update in PHP using mysqli to change the password hash (but be careful with DB credentials from configuration.php).

---

After-reset tasks (cleanup and hardening)

• Delete any temporary files (FTP script) and remove any temporary DB accounts.
• Change the email and admin passwords to unique, strong values and enable 2FA for the Super User account.
• Check for unauthorized users, suspicious extensions, and recent changes in the administrator logs.
• Update Joomla core and extensions to latest stable versions.
• Use an SMTP provider for reliable outgoing mail and test password reset via email.
• Consider limiting admin area access by IP or using a web application firewall.

---

Troubleshooting common issues

• No email received: check spam, server mail logs, and SMTP configuration.
• Cannot find users table: verify table prefix in configuration.php (variable $dbprefix).
• Password changes not taking effect: clear server cache, ensure you edited the correct database, and confirm hashing method matches Joomla version.
• Two-factor authentication blocking login: disable 2FA for the user via DB (set twofactor/otep fields to blank) or create a temp Super User to regain access.

---

Final notes

For most users, the email reset is the safest first step. The database and FTP methods are powerful and immediate but require caution—always back up before proceeding. After you regain access, focus on hardening the site to prevent repeated lockouts or compromise.