How to Reset Passwords for All Users in WordPress

Are you worried that a compromised account might put your entire WordPress website at risk? It is a scary thought, but taking immediate action can stop a security breach in its tracks.

We have managed high-traffic websites for over a decade, so we know the panic that comes with a suspected hack. One of the most effective ways to lock out bad actors is to force a password reset for every single user on your site.

In this guide, we will show you how to easily reset passwords for all users in WordPress and automatically notify them via email.

Why Reset Passwords for All Users in WordPress?

If you think that your WordPress website has been hacked, then it is a good idea to reset the passwords of all users as soon as possible. This will help prevent the hacker from accessing your website or your users’ accounts.

You should also reset passwords for users if you are migrating your site to a new host to prevent any problems with your users’ accounts during the migration process.

Resetting passwords to replace them with stronger ones is also beneficial for overall WordPress security.

Having said that, let’s see how to easily reset passwords for WordPress users.

How to Reset Passwords For All Users in WordPress

First, you need to install and activate the Emergency Password Reset plugin. For detailed instructions, you may want to see our beginner’s guide on how to install a WordPress plugin.

Upon activation, head over to the Users » Emergency Password Reset page from the WordPress admin sidebar.

Once you are there, you can start by typing the email subject for the email that will be sent to your users upon password reset next to the ‘Email Subject’ option.

After that, type the From Name and message that will be sent to the subscribers in the email.

By default, the plugin uses the admin email address to send password reset emails to all the users. However, if you don’t want to use the administrator email, then you can type any email address of your choice into the field.

After that, just click the ‘Save Settings’ button to store your settings.

Finally, click the ‘Reset All Passwords’ button.

The plugin will now automatically change all users’ passwords and send an email notification containing their new password.

If, for some reason, the user does not get their password in the email, then they can easily recover it. All they need to do is click on the ‘Lost your password’ link on the user login page.

For detailed instructions, you may want to see our WordPress tutorial on how to recover your password in WordPress.

After resetting all passwords, we recommend that you change your WordPress security keys, also known as SALTs. To learn more about them, please see our beginner’s guide on WordPress security keys and how to change them.

Changing the security keys will end all sessions for logged-in users, so if a hacked user was logged in, then they will automatically be logged out.

Bonus: How to Improve WordPress Login Security

There are a lot of things you can do to improve your WordPress login security.

First, you need to enforce strong passwords for users on your WordPress site. You can also add an extra layer of security by password-protecting your WordPress admin (wp-admin) directory.

Another common technique used by hackers is to run scripts that use random passwords in an attempt to crack your WordPress password.

One possible solution to slow down most (if not all) such attacks is by limiting login attempts or adding Two-Factor Authentication (2FA) to your site.

You can also use Cloudflare on your website. It is the best WordPress security solution that helps you harden WordPress security and scan your website for common threats.

For more details on protecting your website, you may want to see our ultimate WordPress security guide.

Frequently Asked Questions About Resetting WordPress Passwords

Here are some of the most common questions our readers ask about managing passwords and user security in WordPress.

1. Will resetting passwords automatically log users out?

Resetting a password ensures that the old password cannot be used again. However, if a user is currently logged in, they might stay logged in until their browser session expires.

To force an immediate logout for everyone, you should update your WordPress security keys (SALTs) as mentioned in this guide.

2. What if my users do not receive the password reset email?

WordPress relies on PHP mail to send emails, which is often blocked by email providers or marked as spam.

If your users are not getting their new passwords, you should install WP Mail SMTP. It fixes WordPress email delivery issues by routing your emails through a proper mail server.

3. Does the Emergency Password Reset plugin affect administrators?

Yes. When you use the ‘Reset All Passwords’ feature, it changes the password for every single account on your website. This includes your own administrator account. You will receive an email with your new password just like everyone else.

4. Can I reset the password for just one specific user?

Yes. If you do not need to reset everyone’s password, you can go to Users » All Users in your WordPress dashboard. Hover over the specific username, click ‘Edit’, and generate a new password in the Account Management section.

Additional Resources

Now that you have reset passwords for all users, you might want to learn more about improving your website security. Here are some other guides tailored for you:

• The Ultimate WordPress Security Guide – Step by Step
• How to Force Strong Passwords on Users in WordPress
• How and Why You Should Limit Login Attempts in Your WordPress
• How to Add Two-Factor Authentication in WordPress
• Beginner’s Guide to WordPress User Roles and Permissions

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.