Weird WordPress bug: admin user reset

Posted by Pierre Igot in: Blogging
February 24th, 2008 • 11:34 am

Yesterday, I experienced a pretty strange bug in WordPress. I tried to go to my WordPress blog admin pages for Betalogue, and instead of taking me there WordPress redirected me to the login page, saying something about my session having expired. (It never expires.)

I entered my admin password again and again, and kept getting told that the password was incorrect.

I then tried to click on the “Forgot Password?” link to get WordPress to e-mail me my password, just in case I had recorded it incorrectly (although I highly doubted that was the case, as I had been able to use this password after system reinstalls etc. over the years without any problems). Instead of sending me my password by e-mail, WordPress complained that my admin user was not in the database of users!

Now things were getting pretty serious. I checked to see if it was a problem with my host’s MySQL servers, but the public side of the blog was working just fine. I was also able to log in just fine as a regular user. (I have a couple of regular user profiles for testing purposes.) The only problem was with logging in as the admin user—which obviously was a pretty big problem in itself.

I wanted to suspect a temporary problem with my host, so I let it sit for a few hours. But after a few hours the problem were still exactly the same. I was preparing to send a message to my host’s tech support service when I thought of checking my WordPress MySQL database with phpMyAdmin.

I was able to log in just fine with my MySQL login information (different from the admin user login information) and that’s when I saw the first signs that something was seriously wrong. The user with the “admin” user name was indeed listed in the table of users as expected, but apart from the user name and password, all its other fields were totally empty. There was no e-mail address in the e-mail field, no first name, no last name—yet all those things were supposed to be there. I certainly had not removed them myself.

In the WordPress table for users, the passwords themselves are listed in an encoded form that makes them impossible for ordinary humans to decipher. (I think it has to do with some kind of encoding scheme called MD5, which creates something called a “hash”…) So I couldn’t just read my admin password and see if it was different from the one I had.

What I was able to see, however, was, by comparing the current values for the “admin” record in the table of users to a recent backup (dump) of my WordPress tables that I had locally, that not only were the other fields empty when they should have contained my personal information, but the “hash” for the password was indeed different from the one in my backup.

So obviously something happened since that last backup (on Friday) that somehow caused WordPress to reset my admin user profile entirely back to its default values, with a simple “admin” user name and a new password, and no e-mail address or URL or first name or last name.

At this point, I figured that one of the reasons why WordPress refused not just to let me log in as admin, but also to send me my admin password by e-mail was that the field for the e-mail address for the “admin” user was empty. When you try to get WordPress to send you an e-mail with your password, you have to provide both your user name and the e-mail address for that user name. Since my “admin” user name had no e-mail address, and I was providing an e-mail address when filling out the form to get WordPress to send me an e-mail with the password, the user name/e-mail address combination indeed did not match the one in the table, which was a user name “admin” with no e-mail address.

I didn’t think of trying to get WordPress to send me an e-mail with my password by just putting “admin” in the user name field and nothing in the e-mail address field, so I don’t know if that would have worked. It might have.

Instead, I opted to use phpMyAdmin to actually add my e-mail address back in the e-mail address field in the record for this blank “admin” user. It took me a few minutes to figure out how to edit records with phpMyAdmin, which is something that I had never done before, but eventually I was able to (by using the search tool to narrow down the table to a single record, and then there were buttons for editing the values for that record).

After adding my e-mail address to the e-mail address field in the record for user “admin,” I went back to the WordPress web page for getting WordPress to send me my password by e-mail. This time it worked—or rather WordPress sent me an e-mail telling me that someone had requested a password reset for the user “admin.” I approved, and a couple of minutes later I had another e-mail with a new password for the user “admin.” And this time the password worked and I was able to log in again.

I checked my admin profile and indeed everything else was blank. I had to re-enter all the values for all the fields (first name, last name, nickname, URL, etc.). But after that everything was fine again, and WordPress did indeed recognize me again as the admin user “Pierre Igot” who was the sole author of these thousands of blog posts and the manager of the WordPress blog.

I really do not know how this whole thing started. One day, my WordPress blog was working just fine. The next day, without my having done anything, the admin user was reset to its default values, with a new password that I did not know and had no way of retrieving.

Through further web searches on the WordPress site this morning, I was able to determine that I didn’t seem to be the only one to have experienced such a situation, although I didn’t find any indication of what the cause of this problem might be.

I also found a link to a page that provides an alternate way to repair the damage, which is to reset the password itself through phpMyAdmin. It involves a step with that MD5 thing, which uses the new password provided to create the “hash” that ends up being stored in the actual password field.

I guess both approaches (mine and this alternate one) are equally valid. But I still would very much like to know what caused WordPress to reset the admin user in the first place. It certainly is not a very pleasant experience to all of a sudden find yourself locked out of your own blog!

2 Responses to “Weird WordPress bug: admin user reset”

  1. Arden says:

    I also found a link to a page that provides an alternate way to repair the damage, which is to reset the password itself through phpMyAdmin. It involves a step with that MD5 thing, which uses the new password provided to create the “hash” that ends up being stored in the actual password field.

    Instead of resetting your password through phpMyAdmin, simply change the hashed string to match the one in your backups. That will “reset” your password back to what it was before this happened, and you can simply log in and fix your profile.

  2. Pierre Igot says:

    Yes, I thought of that too. But I figured the safest way was to start from scratch and let WordPress handle the password encoding.

Leave a Reply

Comments are closed.