
How to Create a Backdoor Entry on a WordPress website


    There are times when you lose access to a WordPress admin account and are stuck outside the site. What do you do then? You create a WordPress backdoor: a way back in that you can use whenever you are stuck in that situation.

    If you create websites for other people, you might find this trick handy. If they get themselves into this kind of situation, you can recover within minutes and make a good impression.

    While this might sound like an unfair means of using the code to enter the site when you don’t have access to it, there are certain instances when you need to regain control of your website when it has been stolen.
    Prevention is always better, so remember to check out How to log in to Your WordPress Site Safely – our tips for keeping your WordPress website a little safer by using secure methods to log in.

    Sometimes, you can create a new WordPress admin user account via FTP. In other cases, if that is not possible, you might want to hack into a WordPress website (no, we do not promote illegal hacking) or create a backdoor entry for the WordPress site.

    Web security - creating a backdoor to reclaim access

    It also happens that a customer has no idea how to log in and no longer has any contact with the previous developer, so they do not know how to get in. Trying to get the login information from an old developer can be tricky and take a while, if they respond at all.

    This trick can help you get access to a WordPress installation even if you only have the FTP login information, or if you have been hacked and all your admin accounts have been deleted or modified. Have you been hacked? Check out this article on how to recover your SEO work after a hack.

    Create a Backdoor Entry For WordPress Site

    URLs have a feature called query parameters.

    Don’t like messing with code but still need to log in to WordPress without the usual username and password? Create a new administrator account with the WP Emergency Recovery Script. You’ll be done in minutes without touching any code.

    When you type your URLs, sometimes, you enter extra text prefixed with ‘?’ like http://example.com/?yourQueryParameter.

    This text is called a query parameter, and it allows you to take a specific action on that page. A single page can therefore serve multiple functions, like submitting a form: you can show a form at the start and, after submission, show a thank-you message on the same page.

    We are going to use the same concept and create a query parameter called “entryhook.” When we use it, it will create a user account and set its role to Administrator.

    Warning: You might be tempted to edit the WordPress core files to do this, but don’t – It is never a good idea to modify any WordPress core files except wp-config.php 

     

    To Create a WordPress Backdoor:

    Step 1:

    Open the functions.php file located in your current theme’s folder. This is where we will place the code.

    P.s. The recommended method is to put this in your child theme’s functions.php file – This will prevent it from being overwritten when there are theme updates.

    Step 2:

    Copy the following code and paste it at the end of the file:

    Updated following Aathil's comment about a missing curly bracket, thank you 🙂

    Step 3:

    Save the changes and leave the file as it is until you need to use it.

    If you choose to leave the code as it is, all you need to do is create a new admin on the site. You can do this by visiting https://yoursite.com/?entryhook=knockknock.

     

    Once the page has loaded, type in your new username in “name” and the password in the field “pass.”

    You can, of course, make this change in the code itself by changing the ‘name’ and ‘pass’ to anything of your choice. You can also change the link to your backdoor by changing ‘knockknock’ and/or ‘entryhook’ to anything you want.

    It is recommended you be creative and also that you write this information down in a secure location where you can easily find it again. Use random numbers and letters to make sure nobody just guesses the entry hook.

    Head over to your site and try the function. It’s fun, completely safe, and can help you in the future if you ever need to have a backdoor entry to your website.

    Please note – it is an easy way to regain access to your website, but leaving this open can also be a security concern if your source code is available to other developers. If you need to use this trick, you should use different parameters/values rather than the default “knockknock” and “entryhook” we have used in this example.

    In most cases, once you have used this piece of code you should remove it again. It is only meant as a quick method to help you if you are running low on options.
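To confirm the snippet really has been removed, or to check an inherited site for one left behind by a previous developer, theme files can be scanned for the combination the article describes: request input, account creation and the Administrator role in the same file. This is an added example, not code from the original article; it assumes the snippet calls the WordPress functions `wp_create_user` or `wp_insert_user`, and it deliberately does not match on “entryhook” or “knockknock”, since those names are meant to be changed.

```python
import re
# Traits of the snippet the article describes: a request parameter triggers account
# creation with the Administrator role. The function names are real WordPress core
# APIs, but their use here is an assumption (the article's own code is not shown).
TRAITS = {
    "request input": re.compile(r"\$_(GET|POST|REQUEST)\s*\["),
    "user creation": re.compile(r"\b(wp_create_user|wp_insert_user)\s*\("),
    "admin role": re.compile(
        r"set_role\s*\(\s*['\"]administrator['\"]"
        r"|['\"]role['\"]\s*=>\s*['\"]administrator['\"]"),
}

def strip_comments(php):
    """Blank out PHP comments (keeping line count) so disabled code is not flagged."""
    php = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), php, flags=re.S)
    return re.sub(r"^[ \t]*(//|#).*$", "", php, flags=re.M)

def scan_source(php):
    """Return {trait: [line numbers]} when all three traits co-occur, else {}."""
    found = {name: [] for name in TRAITS}
    for number, line in enumerate(strip_comments(php).splitlines(), 1):
        for name, pattern in TRAITS.items():
            if pattern.search(line):
                found[name].append(number)
    return found if all(found.values()) else {}

# Constructed fragments (arguments elided); neither is taken from the article.
SUSPICIOUS = """<?php
if ( isset( $_GET['entryhook'] ) && $_GET['entryhook'] === 'knockknock' ) {
    $id = wp_create_user( /* ... */ );
    ( new WP_User( $id ) )->set_role( 'administrator' );
}
"""
BENIGN = """<?php
// Front-end signup: creates low-privilege accounts only.
$id = wp_insert_user( array( 'user_login' => $_POST['login'], 'role' => 'subscriber' ) );
"""

if __name__ == "__main__":
    import sys
    from pathlib import Path
    # Usage: python scan.py wp-content/themes  (with no argument, only the sample runs)
    for path in sorted(Path(sys.argv[1]).rglob("*.php")) if len(sys.argv) > 1 else []:
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            print(path, hits)
    print("constructed sample:", scan_source(SUSPICIOUS))
```

A hit is a prompt for manual review, not proof: legitimate plugins that manage users can combine the same calls. Comparing the site's administrator list against the accounts you expect is the matching check on the database side.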

    Hopefully, you never need to use this trick. Keeping your WordPress password safe, to begin with, is even better. Check out our password management tips.

    The backdoor is also a great way to upgrade your WordPress and blogging skills.

     
