After an attack, or when we simply forget the password for our hosted website, we often need to recover the Super Administrator password in Joomla!
As some may know, in the early versions of Joomla! 1.5 we could recover passwords easily, while in the latest versions of Joomla! 1.5 and 2.5, with the improvement of security, it became more difficult to carry out this task. There are several methods to recover and/or generate a new password for the Joomla administrator. Here we will see some of them.
Method 1:
If we have access to the user's registration email, the quickest option is to use the password reset function that comes by default with Joomla!. For this we only have to access the following address on our website:
http://tusitio.com/index.php?option=com_users&view=reset
We will have to replace tusitio.com with the address of our site. This option is also compatible with version 1.5.
Method 2:
In Joomla 1.6 and later
If you have access to the configuration.php file of the Joomla installation on your web hosting, you can recover the password using the following method:
1. Connect via FTP using an FTP client (coreftp, filezilla, etc.) and look at the permissions on the file (CHMOD). If the permissions are 444 or some other value, change the permissions of configuration.php to 644. This will help prevent problems when you upload or modify that file.
2. Download the configuration.php file to your machine.
3. Open the configuration.php file that you downloaded with an editor such as Notepad++ and add this line:
public $root_user='myname';
at the bottom of the file, where myname is the user with administrator access whose password you know. A user with Author level or higher can also be used instead of an administrator user.
4. Save the configuration.php file and upload it again to the web host. You can leave the permissions at 644.
This user will temporarily be a Super Administrator user.
5. Enter the administration part of Joomla and change the password of the administrator user that you forgot or create a new super admin user. If you create a new user it is a good idea to block or delete the old user, since no one will use it and it is a possible security hole.
6. When you finish, be sure to use the “Click here to try to do it automatically” link that appears in the alert drawer to remove the line you added to the end of the configuration.php file. If that link does not work, you must delete the line yourself using the text editor. In that case, don't forget to upload the modified file again.
7. Using your FTP program, verify that the permissions of the configuration.php file are appropriate: 444. If you manually removed the line, don't forget to change the permissions to 444.
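Steps 6 and 7 are easy to forget, and a leftover $root_user line keeps an ordinary account at Super Administrator level. The following check is an added example, not part of the original article or of Joomla itself; the function name audit_config is hypothetical, and the script is meant to be run against a local copy of configuration.php:

```python
import os
import re
import stat
import sys

# Matches an active (uncommented) declaration such as:
#   public $root_user='myname';
ROOT_USER_RE = re.compile(
    r"""^\s*(?:public|var)\s+\$root_user\s*=\s*['"]([^'"]*)['"]\s*;""",
    re.MULTILINE,
)


def audit_config(path, expected_mode=0o444):
    """Return a list of findings for a Joomla configuration.php file.

    An empty list means the temporary override is gone and the file
    has the permissions the article recommends (444).
    """
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()

    # Step 6: the temporary Super Administrator override must be removed.
    for match in ROOT_USER_RE.finditer(text):
        findings.append(
            f"root_user override still present for user '{match.group(1)}'"
        )

    # Step 7: the file should be read-only again.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != expected_mode:
        findings.append(f"permissions are {mode:o}, expected {expected_mode:o}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_config.py /path/to/configuration.php
    for config_path in sys.argv[1:]:
        for finding in audit_config(config_path) or ["ok"]:
            print(f"{config_path}: {finding}")
```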
If you do not have a user whose password you remember, then it will not be possible to use this method and it will be necessary to change it directly in the database, as explained in the next part of this article.
Method 3:
If the administrator user is still in the database, the simplest option is to change the password in the database to a known value. This method requires access to the database via phpMyAdmin or any other online SQL client.
1. Navigate to your phpMyAdmin and select the database for the Joomla site. It will show you the database tables on the left side of the screen.
2. Click on the table “jos_users” in the list of tables (Note: you can have a prefix other than jos)
3. Click the Browse button on the toolbar. This will display the users that exist for that site.
4. Find the user you want to change the password for and click the Edit icon on that line.
5. A form will be displayed that will allow you to change the password field. Copy the following value:
d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199
into the password field and click on the Go or Continue button. phpMyAdmin will display the message “Affected rows: 1.” At this point, the password should already be changed to “secret”.
6. Enter the administration of your Joomla site using the username and password you entered. Change the password to a more secure value. Check the users in the User Manager to make sure they are legitimate users. If your site has been hacked, it is best to change all the passwords on your site.
Method 4:
Add a New Super Administrator User
If changing the password does not work, or you are not sure which user is a member of the Super Administrator group, you can use the following method to create a new user.
1. Navigate to phpMyAdmin and select your Joomla site database. The tables will be displayed on the left side of the screen.
2. Click the SQL button in the tools displayed to execute a SQL query on the selected database. The “Run SQL query/queries on database” field will be displayed.
3. Delete any text that is inside the field and copy and paste one of the following queries and click the Go button to execute the query and add a new administrator user to the table.
4. Use query version 1.6 for a site using Joomla 1.6.xx and use query version 1.5 for Joomla 1.5.xx sites
Note: The following code uses jos_ as the prefix in the table name, as it is the default Joomla prefix. If you changed the prefix when installing your Joomla site, don't forget to modify the prefix here as well.
SQL code for Joomla 1.6.xx, 2.5.xx and 3.0.x
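-- Create the new user with the known password hash ("secret")
INSERT INTO `jos_users`
(`name`, `username`, `password`, `params`)
VALUES ('Administrator2', 'admin2',
'd2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199', '');
-- Map the new user to group 8 (Super Users in a default installation)
INSERT INTO `jos_user_usergroup_map` (`user_id`,`group_id`)
VALUES (LAST_INSERT_ID(),'8');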
SQL code for Joomla 1.5.xx
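-- Create the new user with the known password hash ("secret")
INSERT INTO `jos_users`
(`name`, `username`, `password`, `usertype`, `gid`, `params`)
VALUES ('Administrator2', 'admin2',
'd2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199',
'Super Administrator', 25, '');
-- Register the user in the ACL tables (LAST_INSERT_ID() is the new user id)
INSERT INTO `jos_core_acl_aro`
VALUES (NULL, 'users', LAST_INSERT_ID(), 0, 'Administrator2', 0);
-- Map the new ACL entry to group 25 (LAST_INSERT_ID() is now the ACL entry id)
INSERT INTO `jos_core_acl_groups_aro_map`
VALUES (25, '', LAST_INSERT_ID());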
After executing the query or queries, you should be able to log in to the Joomla administrator using the user “admin2” and the password “secret”. Once you can log in, use the User Manager to change the password to a more secure value and don't forget to add an existing email account to the user. If you suspect that you have been hacked, don't forget to check that all existing users are legitimate, especially any member of the Super Administrator group.
Some other alternative MD5 password values are:
- admin = 433903e0a9d6a712e00251e44d29bf87:UJ0b9J5fufL3FKfCc0TLsYJBh2PFULvT
- secret = d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199
- OU812 = 5e3128b27a2c1f8eb53689f511c4ca9e:J584KAEv9d8VKwRGhb8ve7GdKoG7isMm
Important:
These passwords are on a publicly accessible page, so it is not advisable to use them for anything other than recovering your user account. You should change them to a more secure value as soon as you can log into your Joomla site administration.
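Instead of pasting one of the published values, you can generate a value for a temporary password of your own and check whether a row still holds one of the values listed above. This is an added example, not code from the original article or from Joomla; it assumes the values on this page follow the legacy layout md5(password + salt):salt, and the function names are hypothetical:

```python
import hashlib
import hmac
import secrets
import string

# Values published on this page (passwords "admin", "secret", "OU812").
PUBLISHED = {
    "433903e0a9d6a712e00251e44d29bf87:UJ0b9J5fufL3FKfCc0TLsYJBh2PFULvT",
    "d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199",
    "5e3128b27a2c1f8eb53689f511c4ca9e:J584KAEv9d8VKwRGhb8ve7GdKoG7isMm",
}
ALPHABET = string.ascii_letters + string.digits


def legacy_hash(password, salt=None):
    """Build md5(password + salt):salt (assumed legacy Joomla layout)."""
    if salt is None:
        # Fresh 32-character salt from a cryptographic random source.
        salt = "".join(secrets.choice(ALPHABET) for _ in range(32))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify(password, stored):
    """Check a password against a stored digest:salt value."""
    _, sep, salt = stored.partition(":")
    if not sep:
        return False  # not in digest:salt form
    candidate = legacy_hash(password, salt)
    return hmac.compare_digest(candidate.encode(), stored.encode())


def uses_published_value(stored):
    """True if a password column still holds a value listed on this page."""
    return stored.strip() in PUBLISHED


if __name__ == "__main__":
    import getpass
    # Prints a value to paste into the password field in Method 3 or 4.
    print(legacy_hash(getpass.getpass("Temporary password: ")))
```

The generated value is still only a way back in: change the password from the Joomla administration as soon as you can log in, exactly as with the published values.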