How to Create a Backdoor Entry on a WordPress website

There are times when you lose access to a WordPress admin account and stuck outside without having access to it. What do you do at that time? You create a WordPress backdoor. A backdoor which can give you access whenever you are stuck in that situation.

If you create websites for other people, you might find this trick handy. If they create this kind of situation, you can recover within minutes and create your impact.

[bctt tweet=”While this might sound like an unfair means of using the #code to enter the #site when you don’t have #access to it, there are certain instances when you need to regain control of your #website when it has been stolen.”]

Prevention is always better, so remember to check out How to log in to Your WordPress Site Safely – our tips for keeping your WordPress website a little safer by using secure methods to log in.

Sometimes, you can create a new WordPress admin user account via FTP. In other cases, if previous is not possible, you might want to hack into a WordPress website (No, we do not promote illegal hacking) or create a backdoor entry for WordPress site.

Web security - creating a backdoor to reclaim access

It also happens where a customer has no idea how to log in, and no longer has any contact with the previous developer so they do not know how to get in. Trying to get the login information from an old developer can sometimes be tricky and take a while if they even respond.

This trick can help you get access to a WordPress installation even if you only have the FTP login information or if you have been hacked and all your admin accounts have been deleted or modified. Have you been hacked? Check out this article how to recover your SEO work after a hack.

Create a Backdoor Entry For WordPress Site

URL’s has a unique characteristic with them called – Query Parameters.

Don’t like messing with code but still need to log in to WordPress without the usual username and password? Create a new administrator account with the WP Emergency Recovery Script. You’ll be done in minutes without touching any code.

When you type your URLs, sometimes, you enter extra text prefixed with ‘?’ like http://example.com/?yourQueryParameter.

This text is called query parameters and allows you to take a specific action on that page. So a single page can serve multiple functions like submitting a form. You can show a form at the start, and after submission, you can show a thanks message on the same form.

We are going to use the same concept and create a query parameter called “entryhook.” So when we use that, it will create a user account and set the authority to Administrator.

Warning: You might be tempted to edit the WordPress core files to do this, but don’t – It is never a good idea to modify any WordPress core files except wp-config.php 


To Create a WordPress Backdoor:


Open the functions.php file located in your current theme’s folder. This is where we will place the code.

P.s. The recommended method is to put this in your child theme’s functions.php file – This will prevent it from being overwritten when there are theme updates.


Copy the following code and paste it at the end of the file:

Updated with Aathil comment about missing a curly bracket, thank you 🙂


Save the changes and leave the file as it is until you need to use it.

If you choose to leave the code as it is, all you need to do is create a new admin on the site. You can do this by visiting https://yoursite.com/?entryhook=knockknock.


Once the page has loaded, type in your new username in “name” and the password in the field “pass.”

You can, of course, make this change in the code itself by changing the ‘name’ and ‘pass’ to anything of your choice. You can also change the link to your back door by changing ‘knockknock’ or/and ‘entryhook’ to anything you want.

It is recommended you be creative and also that you write this information down in a secure location where you can easily find it again. Use random numbers and letters to make sure nobody just guesses the entry hook.

Head over to your site and try the function. It’s fun, completely safe, and can help you in the future if you ever need to have a backdoor entry to your website.

Please note – it is an easy way to regain access to your website, but leaving this open can also be a security concern if your source code is available to other developers. If you need to use this trick, you should use different paramaters/values rather than the default “knockknock” and “entryhook” we have used in this example.

In most cases, once you have used this piece of code you should remove it again. It is only meant as a quick method to help you if you are running low on options.

Hopefully, you never need to use this trick. Keeping your WordPress password safe, to begin with, is even better. Check out our password management tips.

The backdoor is also a great way to upgrade your WordPress and blogging skills.

Critical vulnerabilities and exploits related to WordPress plugins and attacks

Some critical vulnerabilities and exploits related to WordPress plugins and attacks involve potential backdoors that can be exploited by hackers, vulnerabilities within the plugins themselves, instances of Google blacklisting due to malicious content, WordPress malware redirects, and other forms of cyber attacks that can significantly impact website security and performance.

Addressing these issues may involve regular scans to detect malware, implementing solutions to eliminate backdoors and vulnerabilities, resolving instances of Google blacklisting, and enhancing overall website security against various web attacks.

How can I remove the Favicon .ico Virus Backdoor in WordPress?

To remove the Favicon .ico Virus Backdoor in WordPress, you will need to take several steps to secure your website. First, you should regularly monitor your site for any signs of spam or unauthorized content. It is important to scan your site for any suspicious favicon.ico files that may have been injected by hackers. Additionally, ensure that you have strong security measures in place, such as using reputable security plugins and keeping your WordPress installation up to date. If you suspect that your site has been compromised, take immediate action to remove any malicious files and conduct a thorough security audit to prevent future attacks.

What is Indoxploit Hack and how can it affect WordPress websites?

Indoxploit Hack poses a significant threat to WordPress websites worldwide. It is a form of malware created to exploit vulnerabilities within these websites. Typically, Indoxploit infiltrates websites through obsolete themes and plugins, weak or commonly used passwords, and substandard web hosting services.

This type of hack is not executed by sophisticated hackers but rather by automated bots programmed to detect and exploit known weaknesses in WordPress sites. Indoxploit often embeds itself as a PHP-based backdoor, giving unauthorized users access to sensitive data and control over the compromised website.

The consequences of an Indoxploit attack on a WordPress website can be severe. It could lead to defacement of the site, unauthorized access to confidential information, such as user data or payment details, and even complete loss of control over the website. Therefore, it is crucial for website owners to regularly update themes and plugins, use strong and unique passwords, and opt for secure web hosting to mitigate the risk of falling victim to Indoxploit Hack.

Read more about the author .

Save 40%

On monthly and annual plans

Lifetime Deals

Only during BF sales!




We won't spam you. Unsubscribe any time.

Wait! Before you go!

Get 10% discount for any WP Security Ninja plan!


Subscribe to our newsletter for new releases, discounts and general WordPress Security news. Sprinkled with other interesting stuff :-)

WordPress Turns 20: Save 20% Now!



Code valid till June 26th 2023

10% OFF

Subscribe to our newsletter

* We do not spam or share your email

Discount on any Security Ninja plan

and get

Hi and welcome back :-)