Frequently Asked Question
How to reset the administrator password (Super User) on a Joomla 3.x+ Site
Last Updated 5 years ago
There are times, especially when restoring or recovering compromised sites that you need to reset the Super User password.
To do this you will need access to the database that drives the joomla installation. You can find this database by checking the configuration.php file in the website root directory.
Information Required from configuration.php
Steps to Reset Password using the shell
Steps to Reset the Password using a GUI tool
There are many tools that allow GUI access to the database and these vary by database. An example would be MySQL Workbench, PHPMySQLAdmin, Navicat, EMS and more but this article assumes you have a basic understanding of how to use these tools.
In both cases, the new password for the first username will be reset to admin and you MUST change this as soon as you login successfully to the back end.
Compromised Sites and Recovery
When a site is compromised there are often nefarious changes to the users table as well as user_usergroup_map and usergroups and its beyond the scope of this article to cover all recovery steps but we'll aim to give a basic overview of how ACL works in Joomla so you can resolve it yourself. In all the information below the word prefix should be replaced by the $dbprefix value above.
Table prefix_usergroups lists the uaergroups on the Joomla installation. By default there are 9 groups, with id=1 being Public, and id=8 being Super Users. Here's what it should look like:
+----+-----------+-----+-----+---------------+
| id | parent_id | lft | rgt | title |
+----+-----------+-----+-----+---------------+
| 1 | 0 | 1 | 18 | Public |
| 2 | 1 | 8 | 15 | Registered |
| 3 | 2 | 9 | 14 | Author |
| 4 | 3 | 10 | 13 | Editor |
| 5 | 4 | 11 | 12 | Publisher |
| 6 | 1 | 4 | 7 | Manager |
| 7 | 6 | 5 | 6 | Administrator |
| 8 | 1 | 16 | 17 | Super Users |
| 9 | 1 | 2 | 3 | Guest |
+----+-----------+-----+-----+---------------+
The key thing here is the id of Super Users which should be 8.
The table prefix_user_usergroup_map contains mapping between groups users. The first user in your prefix_users table should be mapped in this table to group 8. An example of what you'll see in here is...
+---------+----------+
| user_id | group_id |
+---------+----------+
| 220 | 8 |
| 221 | 8 |
+---------+----------+
What's important here is that the id of the Super User in prefix_users must be mapped to group_id=8. If not then you're not going to have Super User access.
There are many possible ways a Joomla site can be hacked around after compromise, and the best advice here is to seek professional help to ensure there's nothing left behind that would permit a remote user to re-compromise the site, but if your looking for a DIY solution then you should start by checking for components (Modules/Components/Plugins) that you don't recognise being enabled.
select extension_id, name, type, access from zl67r_extensions where enabled=1;
and study this output carefully. Use google and check any you don't recognise.
Other Vectors
Joomla, for whatever reason doesn't have any form of file integrity verification so its easy for a hacker to insert code into any component or even the core over-riding behaviour to their benefit, but you can greatly mitigate this by installing a full Joomla setup over the top of your existing site, but there are things to watch out for. Firstly, you need to ensure you have a full backup of your site (both database and all files in the website. Then unpack a virgin joomla (same version as installed) into the root of the website. Restore your configuration.php from your backup and then try and login to the backend of your site. This should work and at this point all the core and joomla components are back to factory values. You then need to restore customisations such as css, and html until its all looking as it should.
Again, if your site is for your business, then I strongly recommend you seek professional help with this. We of course offer this so raise a ticket at the HelpDesk and we'll take a look for you.
To do this you will need access to the database that drives the joomla installation. You can find this database by checking the configuration.php file in the website root directory.
Information Required from configuration.php
- $dbtype - Usually 'mysqli' indicates the type of database. mysqli indicates a MySQL or MariaDB database.
- $host - Usually '127.0.0.1' is the address of the database server.
- $user - The username used to authenticate with the database.
- $password - The password used to authenticate with the database.
- $db - This is the database name.
- $dbprefix - This is the table name prefix. In Joomla every table is prefixed by this and you'll need it.
Steps to Reset Password using the shell
- Assuming you have shell access to the host then you'll need to invoke the mysql cli by using mysql -u username -p (the username is the $user above).
- You'll be prompted for the password which is $password above.
- Once connected, you'll see the prompt (MariaDB [(none)]> for MariaDB, MySQL> for mysql. Now we need to use the correct database with the use command.... use database (where database is the value from $db above.
- The server will respond with "Database changed". Now we need to find the admin users from the users table by using the command... select * from prefix_users; (where prefix is $dbprefix above and don't forget the ; at the end).
- You'll now have a list of users, the first one listed is generally the Super User. Now we need to reset its password so note the id as we'll need that next.
- Now send the command... update prefix_users set password='$2y$10$JszAMznv7U2Q4VETQdw7n.CX/HPekafC8sxa9.n0V2gp/t/.xvHYi' where id=100; (note replace prefix with the value from $dbprefix and id with the first user id.)
- and that's it, now visit your site's administrator url and try the username from the first id, and the password admin
Steps to Reset the Password using a GUI tool
There are many tools that allow GUI access to the database and these vary by database. An example would be MySQL Workbench, PHPMySQLAdmin, Navicat, EMS and more but this article assumes you have a basic understanding of how to use these tools.
- Firstly connect to the database server indicated by the $host value above.
- Once connected, authenticate with the $user and $password above.
- Once authenticated switch to the database named in $db above.
- In this database you'll find a bunch of tables, find and select the one called prefix_users (where prefix is the $dbprefix value above).
- Edit this table, locate the first user which is usually the Super User and change the password column to be $2y$10$JszAMznv7U2Q4VETQdw7n.CX/HPekafC8sxa9.n0V2gp/t/.xvHYi
- Commit/save the change and you're done.
In both cases, the new password for the first username will be reset to admin and you MUST change this as soon as you login successfully to the back end.
Compromised Sites and Recovery
When a site is compromised there are often nefarious changes to the users table as well as user_usergroup_map and usergroups and its beyond the scope of this article to cover all recovery steps but we'll aim to give a basic overview of how ACL works in Joomla so you can resolve it yourself. In all the information below the word prefix should be replaced by the $dbprefix value above.
Table prefix_usergroups lists the uaergroups on the Joomla installation. By default there are 9 groups, with id=1 being Public, and id=8 being Super Users. Here's what it should look like:
+----+-----------+-----+-----+---------------+
| id | parent_id | lft | rgt | title |
+----+-----------+-----+-----+---------------+
| 1 | 0 | 1 | 18 | Public |
| 2 | 1 | 8 | 15 | Registered |
| 3 | 2 | 9 | 14 | Author |
| 4 | 3 | 10 | 13 | Editor |
| 5 | 4 | 11 | 12 | Publisher |
| 6 | 1 | 4 | 7 | Manager |
| 7 | 6 | 5 | 6 | Administrator |
| 8 | 1 | 16 | 17 | Super Users |
| 9 | 1 | 2 | 3 | Guest |
+----+-----------+-----+-----+---------------+
The key thing here is the id of Super Users which should be 8.
The table prefix_user_usergroup_map contains mapping between groups users. The first user in your prefix_users table should be mapped in this table to group 8. An example of what you'll see in here is...
+---------+----------+
| user_id | group_id |
+---------+----------+
| 220 | 8 |
| 221 | 8 |
+---------+----------+
What's important here is that the id of the Super User in prefix_users must be mapped to group_id=8. If not then you're not going to have Super User access.
There are many possible ways a Joomla site can be hacked around after compromise, and the best advice here is to seek professional help to ensure there's nothing left behind that would permit a remote user to re-compromise the site, but if your looking for a DIY solution then you should start by checking for components (Modules/Components/Plugins) that you don't recognise being enabled.
select extension_id, name, type, access from zl67r_extensions where enabled=1;
and study this output carefully. Use google and check any you don't recognise.
Other Vectors
Joomla, for whatever reason doesn't have any form of file integrity verification so its easy for a hacker to insert code into any component or even the core over-riding behaviour to their benefit, but you can greatly mitigate this by installing a full Joomla setup over the top of your existing site, but there are things to watch out for. Firstly, you need to ensure you have a full backup of your site (both database and all files in the website. Then unpack a virgin joomla (same version as installed) into the root of the website. Restore your configuration.php from your backup and then try and login to the backend of your site. This should work and at this point all the core and joomla components are back to factory values. You then need to restore customisations such as css, and html until its all looking as it should.
Again, if your site is for your business, then I strongly recommend you seek professional help with this. We of course offer this so raise a ticket at the HelpDesk and we'll take a look for you.
