The complete guide to recovering a user password in concrete5
You can’t log in to your own concrete5 website anymore and it sucks. Whether you lost your credentials (email, username, password) or somebody locked you out of it on purpose, there is almost always a solution. I present you with 7 different possibilities. If you’re in a hurry, don’t want to learn anything, and are ready to play fast and loose, go straight to the last one. All you’ll need is access to the files on your server. Otherwise have a read. Each solution applies to a specific situation and specific concrete5 versions.
Feel free to head directly to any recovery solution you want:
- Reset your concrete5 password and get your reset link by email (all concrete5 versions)
- Reset your concrete5 password and get the reset link from your website’s logs (all concrete5 versions)
- Reset your concrete5 password and get the reset link from your database (all concrete5 versions)
- Change the user’s email in the database then reset your password (all concrete5 versions)
- Use concrete5’s LockPick tool (concrete5 5.5 to 5.7)
- Use concrete5’s SuperUser Recovery tool (concrete5 8)
- The really easy, all-powerful, potentially dangerous way (concrete5 5.7 and 8)
Before you start
A few important things to know before you start:
- By default, the SuperUser’s username is “admin”
- The SuperUser name could have been changed to anything else in concrete5 version 5.7 and 8
- By default, the SuperUser has an ID of 1
- That SuperUser ID could have been changed to something else and that would most likely indicate foul play
Reset your concrete5 password and get your reset link by email
Works for concrete5 versions: any version
Works for accounts: any account
What you need:
- Know the email linked to the account
- Have access to the email linked to the account
- Your website is sending emails correctly
This is simply the option provided by concrete5 and it’s the easiest one. If you have all 3 of the above requirements covered just go to your login page and click on the “Forgot Password” link.
If you’re using concrete5 before version 5.7 your reset form will be right below the login form on your login page as shown in the following screenshot.
On the next screen simply follow the instructions.
You will receive an email with a link to follow to reset your concrete5 password. That link is only valid for a few hours. Click on the link and you’ll get to the password reset form itself. Again, just follow the instructions.
Be aware that if you entered the wrong email or if emails are not sending correctly from your website, you won’t get any error messages. If that’s the case you might want to check your email address or try another option.
Reset your concrete5 password and get the reset link from your website’s logs
Works for concrete5 versions: any version
Works for accounts: any account
What you need:
- Have access to your website’s dashboard and to the logs
- Know the email linked to the account
If the option above didn’t work because emails are not sending or you don’t have access to the email, you can try this one. Just make sure you still have access to your dashboard, which is possible if you checked the box to remain logged in for 14 days during your last login.
By default concrete5 logs all emails sent from your website. I’m going to guess you didn’t disable that option, which can be found on the “Logging Settings” page /dashboard/system/environment/logging. Or just type “logging” in your intelligent search box.
First, follow the steps described above to have the reset email sent.
Once that’s done, browse to your dashboard “Logs” page /dashboard/reports/logs or just type “logs” in your intelligent search box to find it.
There you will most likely find an entry for the email itself followed by an entry for an error message concerning said email. If you have that error message, that’s the easiest case: it will show you the link and you’ll just have to click it and follow the instructions as explained above.
If you don’t have that error message but you have the email log, you will see something like this:
=0A=0ADear admin,=0A=0AYou have requested a new password for the site Co=
ncrete5 8.5.0 =0A=0AYour username is: admin=0A=0AYou may change your pas=
sword at the following address:=0A=0Ayour-website.com/index.php/lo=
gin/callback/concrete/change_password/b974f3a1b4d5a6b8b9d62703aabcbbb444=
c06b4a1ee913f840003978e83a8458=0A=0AThanks for browsing the site!=0A=0A
2 things to keep in mind here:
- the URL is to be found between the characters =0A=0A
- all equal signs = found within the URL itself have to be deleted
From the example above, I can see my URL—between two sets of =0A=0A—is:
your-website.com/index.php/lo=
gin/callback/concrete/change_password/b974f3a1b4d5a6b8b9d62703aabcbbb444=
c06b4a1ee913f840003978e83a8458
I then remove the equal signs = to end up with one URL like so:
your-website.com/index.php/login/callback/concrete/change_password/b974f3a1b4d5a6b8b9d62703aabcbbb444c06b4a1ee913f840003978e83a8458
Just load the URL you obtained in your browser and you’ll get to the password reset screen where you will simply follow the instructions.
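The logged message is quoted-printable text: "=0A" is an encoded line break and a "=" at the end of a line is a soft wrap, so a standard decoder recovers the link without editing it by hand. The following Python is an added example, not part of the original guide; the function names and the link pattern (built from the sample message above) are assumptions.

```python
import quopri
import re

# Log entry from the page, as stored: "=0A" is an encoded newline and a
# trailing "=" is a soft line break inserted by the mail encoder.
LOGGED_MESSAGE = """\
=0A=0ADear admin,=0A=0AYou have requested a new password for the site Co=
ncrete5 8.5.0 =0A=0AYour username is: admin=0A=0AYou may change your pas=
sword at the following address:=0A=0Ayour-website.com/index.php/lo=
gin/callback/concrete/change_password/b974f3a1b4d5a6b8b9d62703aabcbbb444=
c06b4a1ee913f840003978e83a8458=0A=0AThanks for browsing the site!=0A=0A"""

# Assumed pattern: optional scheme, host and path segments, then the
# /change_password/<hex token> suffix seen in the sample link.
RESET_LINK = re.compile(
    r"(?:https?://)?[^\s/]+(?:/[^\s/]+)*/change_password/[0-9a-fA-F]+"
)


def decode_logged_mail(raw):
    """Undo quoted-printable: join soft-wrapped lines and decode =XX bytes."""
    # Normalise line endings so a CRLF database export decodes the same way.
    data = raw.replace("\r\n", "\n").encode("utf-8")
    return quopri.decodestring(data).decode("utf-8", errors="replace")


def extract_reset_links(raw):
    """Return every password-reset link found in one logged message."""
    return RESET_LINK.findall(decode_logged_mail(raw))


if __name__ == "__main__":
    for link in extract_reset_links(LOGGED_MESSAGE):
        print(link)
```

The same function works on the “message” value copied from the database in the next option, and a decoder also handles a literal equal sign in a link, which the mail encoder writes as "=3D".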
I know the chance that you’re still logged in to your dashboard is a slim one so if that’s not the case but you have access to your website’s database, look at the next option.
Reset your concrete5 password and get the reset link from your database
Works for concrete5 versions: any version
Works for accounts: any account
What you need:
- Have access to your website’s database
- Know the email linked to the account
This one works the same way as the previous one. You’re going to request a password reset and you need to get the URL that allows you to go through with the reset.
But this time instead of getting the URL from your dashboard’s Logs page, you’ll get it straight from your Database.
First, make sure you do have access to your website’s database. Then read the explanations above and when it’s time to get the data you need, come back here and read on.
If you followed the steps correctly, you have used your website’s password reset form and now you just need to get that email message back.
Access your database and look for the aptly-named “Logs” table.
In this screenshot, I am using cPanel which is most likely what you’ll be using as well. If not the principles are the same anyway so you should be able to follow along.
- You’re looking for the latest entries so browse to the end of the listing (page 43 for me)
- Look under the “message” column and you’ll find the entries you need. As explained above you’ll get the email itself and maybe an error message
- Click on the “Edit” button next to the one you want to check out
- Follow the steps described previously to get the URL you need out of that data
- Just follow that URL and reset your password
Change the user’s email in the database then reset your password
Works for concrete5 versions: any version
Works for accounts: any account
What you need:
- Have access to your website’s database
- Your website is sending emails correctly
- Or at least fulfill requirements for any of the previous 3 password recovery possibilities
If your only problem is that you don’t have access to the email registered in your account, the solution might be to simply change that email to one you control and then request a normal password reset.
You do need to be able to identify the account you want to modify so you must know either the existing email or username.
Very simply, access your website’s database and look for the table named “Users”.
Look for the user you want to modify either by email under the column “uEmail” or by username under the column “uName”.
Once retrieved, just click on the “Edit” button next to it, modify the email to another one you control and have access to and save.
Once that’s done and provided your website sends email correctly, follow the steps to a normal password reset request.
If your website is not sending emails correctly and since you’re already in your database, you can always try the third possibility described above.
Use concrete5’s LockPick tool
Works for concrete5 versions: 5.5 to 5.7
Works for accounts: any account
What you need:
- Have access to your website’s server and files
- Know the username for the account you want to recover
LockPick is a tool that was developed by Mike Lay (a.k.a. mkly) to easily modify any concrete5 user password as long as you know the username.
It will work for any concrete5 version except version 8.
It is also supremely easy to use. Just read the tool’s ReadMe File and follow the instructions.
And make sure you delete the tool immediately after using it.
Use concrete5’s SuperUser Recovery tool
Works for concrete5 versions: 8 only
Works for accounts: SuperUser (admin) account only
What you need: Have access to your website’s server and files
Concrete5 SuperUser Recovery Tool (well that’s a mouthful 😴) was developed by yours truly 😎 and it goes further than anything in existence for recovering your concrete5 SuperUser account.
I built this tool after one too many times witnessing attempts by unethical developers to stop their clients from getting full access to their own website.
With this tool, you can change your concrete5 SuperUser password, email, and username (or any combination of them) even if:
- you don’t remember your password, your username, or your email
- the SuperUser username was changed from “admin” to something else and you don’t know what it is
- the SuperUser account was deleted (yes it’s possible)
- the SuperUser account was deleted and another user was given the “admin” username
It’s not as easy to install as LockPick but it’s not that complicated either. Make sure you read the ReadMe File and follow the instructions.
Admittedly I like writing long-winded explanatory texts that go on and on explaining in excruciating details every little minute intricacies and particularities of the situation at hand without any consideration for efficiency or any effort to spare your precious time. A bit like this sentence 😏… So if you just want to know how to use the damn tool go straight to the how-to explanation in the ReadMe file.
The really easy, all-powerful, potentially dangerous way
Works for concrete5 versions: 5.7 and 8
Works for accounts: you’ll be able to do anything
What you need: Have access to your website’s server and files
Simply put this last option will allow you to automatically log in as the SuperUser and do whatever the hell you want to do including changing any user’s username, email, or password.
The only way this solution is going to fail is if the SuperUser account was deleted. In that case, you should check the solution above using my SuperUser Recovery tool.
This solution is super easy but—although I made it a bit safe—if you’re not careful or don’t know what you’re doing you might end up allowing anybody to log in to your website as the SuperUser.
To avoid that unenviable fate make sure to follow the instructions to the letter.
Here’s the code:
// In v8 $app will be available but not sure for 5.7 so let's not take any chances
if (!isset($app) || !is_object($app)) {
    $app = \Concrete\Core\Support\Facade\Application::getFacadeApplication();
}
// Get the current request object
$request = $app->make(\Concrete\Core\Http\Request::class);
// Get the security password and ensure it only contains letters and numbers
$pass = $app->make("helper/text")->alphanum((string) $request->request("pw"));
// Check that we have the correct password
// If the password is correct login as the SuperUser
if ($pass === "xxxxxx") {
    User::loginByUserID(USER_SUPER_ID);
}
To use it do this:
- Modify the code by replacing xxxxxx with a password and keep the quotation marks around it. This has nothing to do with your user password, it is simply to stop others from using the code on your website
- Add the modified code to the file application/bootstrap/app.php on your server, right after the opening <?php tag
- Visit any page on your website and at the end of the URL in the address bar add ?pw=xxxxxx using the password you set in step 2 instead of xxxxxx
- Push enter to load the page with the added query string et voilà! You’re logged in as the SuperUser
- Immediately delete that code from application/bootstrap/app.php
I’m not joking, really do it 😤!
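One way to confirm the cleanup step, as an added example that is not the author's code: this Python check reports any loginByUserID() call that is still live in a copy of application/bootstrap/app.php, ignoring calls that only appear inside comments. The sample file content and the function names are constructed for illustration, and the comment handling is a heuristic (heredocs are not parsed).

```python
import re
import sys

# Constructed sample: an app.php where the snippet from this page was left in.
SAMPLE_APP_PHP = '''<?php
// $app->bind(...) examples shipped with the file
$request = $app->make(\\Concrete\\Core\\Http\\Request::class);
$pass = $app->make("helper/text")->alphanum((string) $request->request("pw"));
if ($pass === "xxxxxx") {
    User::loginByUserID(USER_SUPER_ID);
}
/* User::loginByUserID(1); old, commented out */
'''

# Strings are matched first so "//" or "#" inside a literal is not a comment.
PHP_TOKEN = re.compile(
    r"""(?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')"""
    r"""|(?P<comment>/\*.*?\*/|//[^\n]*|#(?!\[)[^\n]*)""",
    re.DOTALL,
)
LOGIN_CALL = re.compile(r"\bloginByUserID\s*\(")


def strip_comments(php):
    """Blank out comments but keep line breaks so line numbers stay correct."""
    def blank(match):
        if match.group("str") is not None:
            return match.group(0)
        return re.sub(r"[^\r\n]", " ", match.group(0))
    return PHP_TOKEN.sub(blank, php)


def find_autologin_calls(php):
    """Return (line_number, source_line) for each live loginByUserID() call."""
    live = strip_comments(php).splitlines()
    original = php.splitlines()
    return [(n, original[n - 1].strip())
            for n, line in enumerate(live, 1) if LOGIN_CALL.search(line)]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path, encoding="utf-8").read() if path else SAMPLE_APP_PHP
    for n, text in find_autologin_calls(source):
        print(f"{path or 'sample'}:{n}: {text}")
```

An empty result on the real file means no active auto-login call remains there; any hit is a line to review and remove.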