Generate a strong password or enter your own – and get the WordPress-compatible hash ($P$) you can paste into phpMyAdmin when you're locked out. Everything runs in your browser, nothing is transmitted.
Paste directly into the wp_users.user_pass column (e.g. via phpMyAdmin). Valid on all WordPress versions; WP 6.8+ upgrades it to bcrypt on the next login.
Runs entirely in your browser
This tool sends nothing to a server. Password and hash are generated locally with your browser's Web Crypto API and are never stored or transmitted.
WordPress never stores passwords in plain text – it stores a hash in the wp_users.user_pass database column. If you've lost dashboard access (forgotten password, broken email delivery, hacked site), you can recover by setting the hash directly in the database.
Copy the $P$ value generated below and set it as the user_pass value of your user in phpMyAdmin (or via SQL). Then log in with the plain-text password.
UPDATE wp_users SET user_pass = '$P$…' WHERE user_login = 'admin';
Compromised credentials are one of the most common ways WordPress sites get hacked. Bots hammer /wp-login.php around the clock with default and dictionary passwords.
A random password of at least 16 characters mixing upper/lowercase letters, numbers and symbols makes brute-force practically hopeless. Use a unique password per account and a password manager – and enable two-factor authentication.
Yes. Password and hash are created exclusively in your browser (Web Crypto API). There is no server endpoint; nothing is transmitted or stored.
It's the phpass "portable hash" WordPress itself uses (MD5-based, 8192 rounds). The value fits exactly into the wp_users.user_pass column and is what WordPress expects when checking a password.
Copy the $P$ hash, open phpMyAdmin (or your DB), and set the user_pass field of your user in the wp_users table to this value. Then log in with the plain-text password.
Yes. The $P$ hash is accepted by all WordPress versions. From WordPress 6.8 it is automatically upgraded to bcrypt on the next successful login.
No. The tool is fully client-side – whatever you generate or enter stays on your device.