Managing user passwords in WordPress
WordPress has powerful built-in tools for managing user passwords from within the dashboard, the command line and the login page itself. These secure and easy-to-use password management tools are useful in multiple situations, for example in the case of a forgotten or stolen password. The command line tools are especially useful on sites that have tens or even hundreds of users, where managing the passwords one by one would become too time-consuming.
The forgotten password feature is the easiest way for a user to create a new password on their own. The tool can be found on the login page of WordPress, which can be accessed by adding /wp-admin to the end of the WordPress home URL, for example https://example.com/wp-admin
After clicking the forgotten password link below the login form, the user is asked for their username or email, after which a password reset link is emailed to them and they can create a new password for their account.
The administrator resets the password
An administrator can change the password for any user on the site and send the new password to the user. The administrator can also prevent a user from logging in, without deleting the user, by changing their email address and password. As a result, the posts written by the user remain, but the user can no longer log in or reset their password.
Command line password management
In a case where a site has multiple users and, for example, all the passwords need to be reset, the command line is the best way to do this. To reset the password of all the users on the site, start by connecting to the WordPress site with SSH and using the command:
The passwords have now been reset. We recommend that you also run the following command to log everyone out, in case a user was logged in at the time of the password change:
wp-reset-all-sessions
Now that all the passwords have been changed and the active sessions terminated, everyone needs to create a new password the next time they try to log in to the site. A procedure like this is necessary to ensure that only people who are supposed to have access to the site can log in.
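The same reset-and-log-out procedure written with stock WP-CLI subcommands only, as an added example that is not from the original page or from the hosting provider's tooling. It assumes WP-CLI is installed as `wp` and is run from the WordPress root; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: site-wide password reset and logout with stock WP-CLI.
# Assumption: `wp` is WP-CLI and the working directory is the WordPress root.

# Reset the password and destroy all sessions of every user.
# Prints "<succeeded> <failed>"; returns non-zero if any user failed.
reset_all_users() {
    local ids id ok=0 failed=0
    # Enumerate by numeric ID so unusual login names cannot break the loop.
    ids=$(wp user list --field=ID) || return 2
    for id in $ids; do
        # Step 1: replace the stored password with a random one.
        #         --skip-email suppresses WP-CLI's notification mail; users
        #         regain access through the forgotten password link.
        # Step 2: invalidate every login session issued before the reset.
        if wp user reset-password "$id" --skip-email >/dev/null &&
           wp user session destroy "$id" --all >/dev/null; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
            echo "user $id: password reset or session destroy failed" >&2
        fi
    done
    echo "$ok $failed"
    [ "$failed" -eq 0 ]
}

# Verification: total number of sessions still stored (0 after a clean run).
remaining_sessions() {
    local id n total=0
    for id in $(wp user list --field=ID); do
        n=$(wp user session list "$id" --format=count) || return 2
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

# Only act when explicitly asked to, e.g.:  ./reset-all.sh --run
if [ "${1:-}" = "--run" ]; then
    reset_all_users && echo "sessions remaining: $(remaining_sessions)"
fi
```

A non-zero exit status means at least one account kept its old password or sessions, and the affected user IDs are reported on stderr.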