Under the hood, the PHP script executes a full Drupal bootstrap in order to obtain access to the necessary functions that generate the administrative password and then update the database with the new password that you specify via the URL when you execute the script through the web browser.
Note: leaving this password reset script on your server after resetting the password constitutes a highly critical security hole that enables anyone to reset your administrator password. Use this script carefully, and always delete the script after you're finished using it.
- First, create a file with a random name (gh34tu9.php for example)
- Copy and paste the following contents into the file, and save the file
- Upload the file to the root of the Drupal installation directory (i.e., where index.php, update.php, robots.txt and other files and directories exist)
- Execute the script, by requesting the file in a web browser using the following URL pattern:
- In the above URL,
- replace example.com with your actual domain name,
- replace gh34tu9.php with the actual file name that you specified in step one above,
- replace mypassword with the desired new password.
<!--php
define('DRUPAL_ROOT', getcwd());
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
require_once DRUPAL_ROOT . '/includes/password.inc';
if (isset($_GET['pass']) && !empty($_GET['pass'])) {
$newhash = user_hash_password($_GET['pass']);
}
else {
die('Retry with ?pass=PASSWORD set in the URL');
}
$updatepass = db_update('users')
--->fields(array(
'pass' => $newhash,
// Uncomment the following lines to reset the administrative username and/or email address, if necessary.
// 'name' => 'admin',
// 'mail' => 'yourmail@example.com'
))
->condition('uid', '1', '=')
->execute();
print "Done. Please delete this file immediately!";
drupal_exit();
?>
http://example.com/gh34tu9.php?pass=mypassword
Finally, delete the file from the Drupal installation root directory.
Ref: https://drupal.org/node/1556488
