Forgot your admin password?

Use the emergency reset path. No login required — designed for the case where the operator is locked out of every admin account.

Web flow (cPanel File Manager)

If you have file-system access to your portal install (through cPanel, FTP, or similar) but not a working SSH shell, use this flow:

1
Open your cPanel File Manager and navigate to the portal's data/ folder.
2
Create a new file named .reset-token.txt (note the leading dot — Apache treats this as a hidden file and won't serve it on hosts that ship the default FilesMatch "^\." directive).
3
Edit the file and paste in any random string you choose. Treat the value like a one-time password — long, unguessable, not reused elsewhere. Save the file.
4
Visit https://<your-portal>/bin/reset-admin-password.php?token=<that-same-string>. The page will list every admin and dealer account so you can pick the one to reset.
5
Set a new password (12+ chars, mixed case, with a digit), confirm it, and you'll be redirected to /login.php with a success flash.
6
The token file is deleted on success — to run another reset you have to re-create data/.reset-token.txt with a fresh value.

SSH flow (no token required)

CLI access implies server-level trust, so the token file is not required when running from the shell.

# List every admin / dealer account:
php bin/reset-admin-password.php --list

# Reset a known account's password:
php bin/reset-admin-password.php --email admin@example.com \
    --password '<new-strong-password>'

# Create a brand-new admin (use when no admins exist at all):
php bin/reset-admin-password.php --create-admin \
    --email admin@example.com --name 'Admin' \
    --password '<new-strong-password>'
What this does
If you have no access to the server at all — no cPanel, no SSH, nothing — contact whoever hosts the portal. There is no remote, unauthenticated way to reset the password, by design.

Reset done but still can't log in?

Use the Login Diagnostic Inspector to see exactly which check is rejecting the credentials — wrong password, account locked, IP rate-limited, account inactive, etc. It runs the same gates Auth::login() runs, in read-only mode (it never increments the failure counter or writes to audit_log on a probe).

1
In data/, create .diagnose-token.txt with any random string.
2
Visit https://<your-portal>/bin/diagnose-login.php?token=<that-same-string>.
3
Dry-run the email + password the operator is trying. Each check (user_exists, password_verifies, user_not_locked, ip_rate_limit, ip_blocked) reports pass/fail with detail so the failing one is obvious.
4
Inline buttons let you clear a rate-limit row, unblock an IP, or clear a user lockout without touching the database directly.
5
Delete data/.diagnose-token.txt when you're done. (Unlike the reset tool, this one does not auto-delete — diagnosing often needs more than one look.)

CLI alternative (no token required): php bin/diagnose-login.php --email <e> --password <p>, php bin/diagnose-login.php --recent-logins, or php bin/diagnose-login.php --rate-limits.


← Back to login