Reset Ghost Admin Password via MariaDB/MySQL
Lost your Ghost admin password and can't use email recovery? Here's a clean, copy-paste friendly way to reset it directly in MariaDB/MySQL.
What you'll need
- Shell access to your Ghost server
- MariaDB/MySQL credentials (or sudo to run mysql)
- The database name Ghost uses (often ghost_production)
- A strong new password you want to set
1) Find your Ghost database name
On most installs with Ghost-CLI:
# Adjust the path if you installed Ghost elsewhere
cat /var/www/ghost/config.production.json
Look for:
"database": {
  "connection": {
    "database": "ghost_production",
    "user": "ghost",
    "password": "XXXXXXXX"
  }
}
Note the database (e.g., ghost_production) and, if needed, the DB user.
2) Back up the database (don't skip)
# Replace DB_NAME and DB_USER as needed
mysqldump -u DB_USER -p DB_NAME > ghost-backup-$(date +%F).sql
# Example connecting as root:
# mysqldump -u root -p ghost_production > ghost-backup-$(date +%F).sql
3) Generate a bcrypt hash of your new password
Ghost stores passwords as bcrypt hashes. You'll set the hash directly in the DB.
Pick a new strong password (example: S0methingMuchStronger!), then generate a bcrypt hash using one of these options:
Option A - Node.js (using bcryptjs, pure JS)
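# If npm is available, install bcryptjs locally in a scratch directory (no native build needed).
# A global install (-g) is not on Node's require() path by default, so run node from this directory.
mkdir -p /tmp/ghost-hash && cd /tmp/ghost-hash
npm i bcryptjs
node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 10))" 'S0methingMuchStronger!'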
Option B - Python (if bcrypt module is available)
python3 - <<'PY'
import bcrypt, sys
pwd = b'S0methingMuchStronger!'
print(bcrypt.hashpw(pwd, bcrypt.gensalt(rounds=10)).decode())
PY
Option C - Use this ready-made temporary hash (quickest)
If tooling is a pain right now, you can paste this precomputed bcrypt hash to set the temporary password MyNewGhostPass!2025. Change it immediately after login.
$2b$10$v4grkpfhY5PhKQjw0gHG3.cKbxh8jq69j9lBK4R23i4.thiXareuC
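⚠️ Strongly recommended: generate your own hash (Options A/B) rather than using the fallback. The fallback password is printed on this page, so anyone who has read it can log in until you change it.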
4) Connect to MariaDB and locate your user
# One of these will work depending on your setup
mysql -u root -p
# or
mysql -u DB_USER -p
Inside the MySQL prompt:
-- Use your Ghost database
USE ghost_production;
-- See accounts on the site
SELECT id, name, email, status FROM users;
-- (Optional) If you forgot which account is the Owner:
SELECT u.id, u.email, u.status
FROM users u
JOIN roles_users ru ON ru.user_id = u.id
JOIN roles r ON r.id = ru.role_id
WHERE r.name = 'Owner';
Copy the email (or id) of the account you want to reset.
5) Update the password hash
Replace [email protected] and PASTE_YOUR_BCRYPT_HASH_HERE:
UPDATE users
SET password = 'PASTE_YOUR_BCRYPT_HASH_HERE', status = 'active'
WHERE email = '[email protected]';
Example using the temporary fallback hash/password from Option C:
UPDATE users
SET password = '$2b$10$v4grkpfhY5PhKQjw0gHG3.cKbxh8jq69j9lBK4R23i4.thiXareuC', status = 'active'
WHERE email = '[email protected]';
Tip: If you prefer to target by user id:
UPDATE users SET password = 'PASTE_HASH' WHERE id = 'THE-USER-ID';
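Before running the UPDATE in step 5, it helps to confirm that the string you are about to paste is a well-formed bcrypt hash and not a truncated, shell-mangled or non-bcrypt value. The check below is an added example, not part of the original guide or of Ghost; the name check_bcrypt_hash, the MIN_COST threshold and the sample strings are assumptions made for illustration.

```python
import re

# bcrypt layout: $<version>$<2-digit cost>$<22-char salt><31-char digest> = 60 chars
BCRYPT_RE = re.compile(r"\$(2[aby])\$(\d{2})\$[./A-Za-z0-9]{53}")
# The Option C hash printed on this page; its password is public.
PUBLISHED_FALLBACK = "$2b$10$v4grkpfhY5PhKQjw0gHG3.cKbxh8jq69j9lBK4R23i4.thiXareuC"
MIN_COST = 10  # assumption: do not go below the cost used in Options A/B


def check_bcrypt_hash(value):
    """Format check only: list of problems, empty if none. Does not verify the password."""
    problems = []
    if value != value.strip():
        problems.append("surrounding whitespace from copy-paste")
        value = value.strip()
    m = BCRYPT_RE.fullmatch(value)
    if m is None:
        fmt = []
        if not value.startswith(("$2a$", "$2b$", "$2y$")):
            fmt.append("prefix is not $2a$, $2b$ or $2y$, so not bcrypt")
        if len(value) != 60:
            fmt.append(f"length {len(value)}, expected 60 (truncated or wrapped?)")
        if "$" not in value:
            fmt.append("no '$' left: a double-quoted shell string expands "
                       "the $-sequences; use single quotes")
        return problems + (fmt or ["bad cost field or character outside ./A-Za-z0-9"])
    cost = int(m.group(2))
    if not 4 <= cost <= 31:
        problems.append(f"cost {cost} is outside bcrypt's 4-31 range")
    elif cost < MIN_COST:
        problems.append(f"cost {cost} is below {MIN_COST}")
    if value == PUBLISHED_FALLBACK:
        problems.append("published fallback hash: its password is public")
    return problems


if __name__ == "__main__":
    samples = {  # all constructed for this example except the page's fallback hash
        "well-formed": "$2b$12$" + "A" * 53,
        "page fallback": PUBLISHED_FALLBACK,
        "shell-mangled": "b0.cKbxh8jq69j9lBK4R23i4.thiXareuC",
        "truncated": PUBLISHED_FALLBACK[:40],
        "sha512-crypt": "$6$constructedsalt$" + "x" * 86,
    }
    for name, value in samples.items():
        print(f"{name}: {check_bcrypt_hash(value) or 'ok'}")
```

The "shell-mangled" sample is what bash leaves of the Option C hash when it is placed inside double quotes, for example in a mysql -e "..." one-liner.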
6) (Optional but helpful) Clear existing sessions/tokens
Different Ghost versions store sessions/tokens slightly differently. The following commands are safe to try: if a table doesn't exist, you'll simply get an error you can ignore.
-- Remove existing login sessions for that user (if table exists)
DELETE FROM sessions
WHERE user_id = (SELECT id FROM users WHERE email = '[email protected]');
-- Clear any existing tokens (password reset, etc.) for that user (if table exists)
DELETE FROM tokens
WHERE user_id = (SELECT id FROM users WHERE email = '[email protected]');
Then exit:
EXIT;
7) Restart Ghost
If you used Ghost-CLI:
cd /var/www/ghost
ghost restart
(Or restart your process manager/service if you run Ghost another way.)
8) Log in and change the password
- Visit https://your-domain.com/ghost/
- Log in with the email you targeted and the new password
  - If you used the fallback hash: MyNewGhostPass!2025
- Immediately change the password in Settings → Staff → (your account)
Troubleshooting
- "Access denied" to DB: Use the DB username/password from config.production.json, or connect as root with sudo mysql if configured.
- Hash looks wrong / login fails: Make sure you used bcrypt (strings start with $2a$, $2b$, or $2y$). Other hashes (like SHA-512 crypt) won't work.
- Which account is the admin? Use the Owner query above to find the primary owner account.
- Still logged out after update? Make sure you cleared sessions/tokens (Step 6) and restarted Ghost (Step 7).
Security reminders
- Use a unique, long password (and a password manager).
- Re-enable email and test password-reset emails so you don't need DB edits next time.
- Keep your database backups safe and encrypted.