Lost your Ghost admin password and can’t use email recovery? Here’s a clean, copy-paste friendly way to reset it directly in MariaDB/MySQL.

What you’ll need

• Shell access to your Ghost server
• MariaDB/MySQL credentials (or sudo to run mysql)
• The database name Ghost uses (often ghost_production)
• A strong new password you want to set

1) Find your Ghost database name

On most installs with Ghost-CLI:

# Adjust the path if you installed Ghost elsewhere
cat /var/www/ghost/config.production.json

Look for:

"database": {
  "connection": {
    "database": "ghost_production",
    "user": "ghost",
    "password": "XXXXXXXX"
  }
}

Note the database (e.g., ghost_production) and, if needed, the DB user.

2) Back up the database (don’t skip)

# Replace DB_NAME and DB_USER as needed
mysqldump -u DB_USER -p DB_NAME > ghost-backup-$(date +%F).sql
# Example if you can use root without a user:
# mysqldump -u root -p ghost_production > ghost-backup-$(date +%F).sql

3) Generate a bcrypt hash of your new password

Ghost stores passwords as bcrypt hashes. You’ll set the hash directly in the DB.

Pick a new strong password (example: S0methingMuchStronger!), then generate a bcrypt hash using one of these options:

Option A — Node.js (using bcryptjs, pure JS)

# If npm is available, install bcryptjs (no native build needed)
npm i -g bcryptjs
node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 10))" 'S0methingMuchStronger!'

Option B — Python (if bcrypt module is available)

python3 - <<'PY'
import bcrypt, sys
pwd = b'S0methingMuchStronger!'
print(bcrypt.hashpw(pwd, bcrypt.gensalt(rounds=10)).decode())
PY

Option C — Use this ready-made temporary hash (quickest)

If tooling is a pain right now, you can paste this precomputed bcrypt hash to set the temporary password MyNewGhostPass!2025. Change it immediately after login.

$2b$10$v4grkpfhY5PhKQjw0gHG3.cKbxh8jq69j9lBK4R23i4.thiXareuC

⚠️ Strongly recommended: generate your own hash (Options A/B) rather than using the fallback.

4) Connect to MariaDB and locate your user

# One of these will work depending on your setup
mysql -u root -p
# or
mysql -u DB_USER -p

Inside the MySQL prompt:

-- Use your Ghost database
USE ghost_production;

-- See accounts on the site
SELECT id, name, email, status FROM users;

-- (Optional) If you forgot which account is the Owner:
SELECT u.id, u.email, u.status
FROM users u
JOIN roles_users ru ON ru.user_id = u.id
JOIN roles r ON r.id = ru.role_id
WHERE r.name = 'Owner';

Copy the email (or id) of the account you want to reset.

5) Update the password hash

Replace you@example.com and PASTE_YOUR_BCRYPT_HASH_HERE:

UPDATE users
SET password = 'PASTE_YOUR_BCRYPT_HASH_HERE', status = 'active'
WHERE email = 'you@example.com';

Example using the temporary fallback hash/password from Option C:

UPDATE users
SET password = '$2b$10$v4grkpfhY5PhKQjw0gHG3.cKbxh8jq69j9lBK4R23i4.thiXareuC', status = 'active'
WHERE email = 'you@example.com';

Tip: If you prefer to target by user id:

UPDATE users SET password = 'PASTE_HASH' WHERE id = 'THE-USER-ID';

6) (Optional but helpful) Clear existing sessions/tokens

Different Ghost versions store sessions/tokens slightly differently. The following commands are safe to try—if a table doesn’t exist, you’ll simply get an error you can ignore.

-- Remove existing login sessions for that user (if table exists)
DELETE FROM sessions
WHERE user_id = (SELECT id FROM users WHERE email = 'you@example.com');

-- Clear any existing tokens (password reset, etc.) for that user (if table exists)
DELETE FROM tokens
WHERE user_id = (SELECT id FROM users WHERE email = 'you@example.com');

Then exit:

EXIT;

7) Restart Ghost

If you used Ghost-CLI:

cd /var/www/ghost
ghost restart

(Or restart your process manager/service if you run Ghost another way.)

8) Log in and change the password

• Visit https://your-domain.com/ghost/
• Log in with the email you targeted and the new password
  • If you used the fallback hash: MyNewGhostPass!2025
• Immediately change the password in Settings → Staff → (your account)

Troubleshooting

• “Access denied” to DB: Use the DB username/password from config.production.json, or connect as root with sudo mysql if configured.
• Hash looks wrong / login fails: Make sure you used bcrypt (strings start with $2a$, $2b$, or $2y$). Other hashes (like SHA-512 crypt) won’t work.
• Which account is the admin? Use the Owner query above to find the primary owner account.
• Still logged out after update? Make sure you cleared sessions/tokens (Step 6) and restarted Ghost (Step 7).

Security reminders

• Use a unique, long password (and a password manager).
• Re-enable email and test password-reset emails so you don’t need DB edits next time.
• Keep your database backups safe and encrypted.

After some digging, I found out the culprit: the router's firewall was blocking connections when using an exit node. Thankfully, I came across a solution in the GL.iNet forum that fixed everything.

Credit to Cfm765 for sharing this fix:

On the MT3000 Admin Panel
Under menu item System->Advanced
Go into the LUCI admin panel then select Network → Firewall.
By default, below you will see 3 zones:
lan > wan
wan > REJECT
guest > wan
Click on “EDIT” on the second one ( wan > REJECT)
Then click on the second top tab “Advanced Settings” and in the covered devices dropdown select tailscale0. Save, Save and apply.

Once I made that firewall change, everything worked perfectly. If you’re dealing with the same issue, give this fix a shot!

Serving your Plex Media Server over HTTPS ensures that your media streams securely to your devices. Let’s Encrypt offers free SSL/TLS certificates that can be integrated into Plex. Here’s a step-by-step guide to set this up:

Step 1: Prerequisites

Before getting started, ensure you have:

• A domain name.
• Access to the server where Plex Media Server is installed.
• Administrative privileges on the server.
• Basic knowledge of the terminal (for Linux-based servers).

Step 2: Install Certbot

Certbot is a tool provided by the Electronic Frontier Foundation (EFF) to easily generate Let’s Encrypt certificates.

Update your package manager:

sudo apt update
sudo apt upgrade

Install Certbot:

sudo apt install certbot

The above instructions are for Ubuntu/Debian.
For other operating systems, consult the Certbot installation instructions.

Step 3: Installing acme-dns-certbot

Start by downloading a copy of the script:

wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py

Change the script permissions:

chmod +x acme-dns-auth.py

Then, edit the file using your favorite text editor and adjust the first line in order to force it to use Python 3:

nano acme-dns-auth.py

Add a 3 to the end of the first line:

#!/usr/bin/env python3
. . .

This is required in order to ensure that the script uses the latest supported version of Python 3, rather than the legacy Python version 2.

Once complete, save and close the file.

Finally, move the script into the Certbot Let’s Encrypt directory so that Certbot can load it:

sudo mv acme-dns-auth.py /etc/letsencrypt/

Step 4: Request a certificate using certbot and acme-dns-auth

Now that we have all in place, we can request the new certificate using certbot and acme-dns-auth using a DNS challenge.

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d your-domain.com

After running the above command, you will get something like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.your-domain.com
Hook '--manual-auth-hook' for your-domain.com ran with output:
 Please add the following CNAME record to your main DNS zone:
 _acme-challenge.your-domain.com CNAME 48a2f6b4-3541-4053-cghf-8392805d8748.auth.acme-dns.io.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

You will now need to go to your DNS provider and create the DNS record described above:

_acme-challenge.your-domain.com CNAME 48a2f6b4-3541-4053-cghf-8392805d8748.auth.acme-dns.io.

Once the record is in place, click Enter and wait for the certificate to be provisioned and downloaded.

Step 5: Export the new certificate to a "Plex friendly" format

The below code for openssl will take the cert data, the private key and the certificate chain and export it in pkcs12 format:

sudo openssl pkcs12 -export -out ~/plex_certificate.pfx \
    -inkey /etc/letsencrypt/live/your-domain.com/privkey.pem \
    -in /etc/letsencrypt/live/your-domain.com/cert.pem \
    -certfile /etc/letsencrypt/live/your-domain.com/chain.pem

This will ask you for your sudo password and an export passkey.
Make sure you choose a key that you're comfortable having stored in plain text in your Plex server.

All that is left to do is to move the new cert to its final destination.

sudo mv ~/plex_certificate.pfx /var/lib/plexmediaserver/certs

Note: you can change the path where the certificate will be stored, just make sure you take note of it.

Step 6: Configure Plex to use the new certificate to serve secure requests

Navigate to your Plex > Settings > Network and edit with the details of your certificate: