How to Safely Reset Your MariaDB Password in Docker Without Losing WordPress Content

So you’ve lost (or never knew) your MariaDB root password — and your WordPress site is running inside Docker Compose. Don’t panic. Your data is safe, and this guide will walk you through a clean, step-by-step recovery that works whether you’re a beginner spinning up your first blog or a seasoned developer managing multiple sites.

The good news: your WordPress database is completely untouched by this process. We’re only resetting the root password, not your data.

Before You Start

Check your docker-compose.yml to find your MariaDB volume name. It usually looks like this:

services:
  mariadb:
    image: mariadb:latest
    volumes:
      - mariadb_data:/var/lib/mysql
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "1"

volumes:
  mariadb_data:

services:
  mariadb:
    image: mariadb:latest
    volumes:
      - mariadb_data:/var/lib/mysql
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "1"

volumes:
  mariadb_data:

The volume name here is mariadb_data. Note it down — you’ll need it shortly.

Step 1 — Stop Your Running Stack

First, bring everything down gracefully. This ensures no active database connections interfere:

docker compose down

docker compose down

Step 2 — Start a Temporary MariaDB Container (Safe Mode)

Spin up a new, temporary container pointing at your existing volume, with grant table checks disabled:

docker run --rm --name temp-mariadb \
  -v mariadb_data:/var/lib/mysql \
  mariadb:latest \
  --skip-grant-tables --skip-networking

docker run --rm --name temp-mariadb \
  -v mariadb_data:/var/lib/mysql \
  mariadb:latest \
  --skip-grant-tables --skip-networking

• --rm auto-removes the container when stopped — no cleanup needed.
• --skip-grant-tables lets you log in without a password.
• --skip-networking blocks all remote connections for safety.

Leave this terminal running. Open a new terminal for the next steps.

Step 3 — Open a Shell Inside the Container

docker exec -it temp-mariadb bash

docker exec -it temp-mariadb bash

Then connect to MariaDB as root (no password required):

mariadb -u root

mariadb -u root

You should see the MariaDB prompt: MariaDB [(none)]>

Step 4 — Inspect the Root User

Before changing anything, confirm the root user exists and check its current authentication settings:

USE mysql;
SELECT user, host, authentication_string, plugin FROM user WHERE user='root';
FLUSH PRIVILEGES;

USE mysql;
SELECT user, host, authentication_string, plugin FROM user WHERE user='root';
FLUSH PRIVILEGES;

You’ll see output like:

The authentication_string is a hashed password — it cannot be reversed to plaintext. This is expected and normal.

Step 5 — Reset the Root Password

Now reload the grant tables and set your new password:

ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewStrongPassword123!';
FLUSH PRIVILEGES;

ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewStrongPassword123!';
FLUSH PRIVILEGES;

💡 Choose a strong password: mix uppercase, lowercase, numbers, and symbols. At least 16 characters is recommended for a database root account.

Older MariaDB versions (pre-10.4): use this instead:

UPDATE user SET authentication_string=PASSWORD('YourNewStrongPassword123!')
WHERE user='root' AND host='localhost';
FLUSH PRIVILEGES;

UPDATE user SET authentication_string=PASSWORD('YourNewStrongPassword123!')
WHERE user='root' AND host='localhost';
FLUSH PRIVILEGES;

SQL

Step 6 — Confirm the Change

Re-query the user table to verify the hash has changed:

SELECT user, host, authentication_string, plugin FROM user WHERE user='root';

SELECT user, host, authentication_string, plugin FROM user WHERE user='root';

The authentication_string value should now be different from what you saw in Step 4. Then exit:

EXIT;

EXIT;

Exit the container shell too:

exit

exit

The temp container stops and is automatically removed.

Step 7 — Update Your docker-compose.yml

Update the MARIADB_ROOT_PASSWORD in your docker-compose.yml to match (for documentation and future use):

environment:
  MARIADB_ROOT_PASSWORD: "YourNewStrongPassword123!"

environment:
  MARIADB_ROOT_PASSWORD: "YourNewStrongPassword123!"

Then restart your stack:

docker compose up -d

docker compose up -d

Step 8 — Verify Everything Works

Test root login:

docker compose exec mariadb mariadb -u root -pYourNewStrongPassword123!

docker compose exec mariadb mariadb -u root -pYourNewStrongPassword123!

Test that WordPress still connects to its database (note: WordPress uses a separate DB user, not root):

docker compose exec mariadb mariadb -u wordpress -pwordpress_db_password wordpress

docker compose exec mariadb mariadb -u wordpress -pwordpress_db_password wordpress

Visit your WordPress site in the browser — it should load normally. WordPress was never affected.stackoverflow+1

Prevention: Don’t Get Locked Out Again

• Store passwords in a .env file (excluded from git via .gitignore) and reference them in docker-compose.yml with ${MARIADB_ROOT_PASSWORD}.
• Use Docker Secrets for production environments.
• Never use root for WordPress — use a dedicated DB user with limited privileges.
• Back up your volume before making any database changes:

docker run --rm -v mariadb_data:/data -v $(pwd):/backup alpine \ tar czf /backup/mariadb_backup.tar.gz /data

docker run --rm -v mariadb_data:/data -v $(pwd):/backup alpine \ tar czf /backup/mariadb_backup.tar.gz /data