There are times when you lose access to a WordPress admin account and are stuck outside with no way back in. What do you do then? You create a WordPress backdoor: one that can give you access whenever you end up in that situation.
If you create websites for other people, you might find this trick handy. If they end up in this kind of situation, you can recover access within minutes and make an impact.
While this might sound like an unfair means of using the code to enter the site when you don’t have access to it, there are certain instances when you need to regain control of your website when it has been stolen.
Sometimes, you can create a new WordPress admin user account via FTP. In other cases, if that is not possible, you might want to hack into a WordPress website (No, we do not promote illegal hacking) or create a backdoor entry for the WordPress site.
It also happens that a customer has no idea how to log in and no longer has any contact with the previous developer, so they do not know how to get in. Trying to get the login information from an old developer can be tricky and can take a while, if they respond at all.
This trick can help you get access to a WordPress installation even if you only have the FTP login information, or if you have been hacked and all your admin accounts have been deleted or modified. Have you been hacked? Check out this article on how to recover your SEO work after a hack.
Create a Backdoor Entry For WordPress Site
URLs have a feature called query parameters.
When you type a URL, you sometimes enter extra text prefixed with ‘?’, like http://example.com/?yourQueryParameter.
This text is called a query parameter, and it lets the page take a specific action. A single page can therefore serve multiple functions, such as handling a form: you can show the form at the start and, after submission, show a thank-you message on the same page.
We are going to use the same concept and create a query parameter called “entryhook.” When we use it, the site will create a user account and set its role to Administrator.
Warning: You might be tempted to edit the WordPress core files to do this, but don’t – It is never a good idea to modify any WordPress core files except wp-config.php
To Create a WordPress Backdoor:
Open the functions.php file located in your current theme’s folder. This is where we will place the code.
P.S. The recommended method is to put this in your child theme’s functions.php file. This will prevent it from being overwritten when there are theme updates.
Copy the following code and paste it at the end of the file:
Updated following Aathil’s comment about a missing curly bracket, thank you 🙂
Save the changes and leave the file as it is until you need to use it.
If you choose to leave the code as it is, all you need to do is create a new admin on the site. You can do this by visiting https://yoursite.com/?entryhook=knockknock.
Once the page has loaded, type in your new username in “name” and the password in the field “pass.”
You can, of course, make this change in the code itself by changing ‘name’ and ‘pass’ to anything of your choice. You can also change the link to your backdoor by changing ‘knockknock’ and/or ‘entryhook’ to anything you want.
It is recommended you be creative and also that you write this information down in a secure location where you can easily find it again. Use random numbers and letters to make sure nobody just guesses the entry hook.
Head over to your site and try the function. It’s fun, completely safe, and can help you in the future if you ever need to have a backdoor entry to your website.
Please note – it is an easy way to regain access to your website, but leaving this open can also be a security concern if your source code is available to other developers. If you need to use this trick, you should use different parameters/values rather than the default “knockknock” and “entryhook” we have used in this example.
In most cases, once you have used this piece of code you should remove it again. It is only meant as a quick method to help you if you are running low on options.
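To check that code like this has actually been removed (or was never planted by someone else), here is an added example, not code from the original article: a Python audit that flags theme PHP files which combine request input, user creation and the administrator role. The names audit_php and audit_tree, the three-signal heuristic and the sample fragments are assumptions made for illustration; wp_create_user and wp_insert_user are real WordPress functions.

```python
import re
import sys
from pathlib import Path

# Three signals that together describe "a request parameter creates an admin".
# The heuristic is an assumption of this example; expect false positives
# (e.g. commented-out code) and review every hit by hand.
SIGNALS = {
    "request_input": re.compile(r"\$_(GET|POST|REQUEST)\b"),
    "user_creation": re.compile(r"\b(wp_create_user|wp_insert_user)\s*\("),
    "admin_role": re.compile(r"""['"]administrator['"]""", re.IGNORECASE),
}

def audit_php(source):
    """Return {signal: [line numbers]} if all three signals occur, else {}."""
    hits = {name: [] for name in SIGNALS}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SIGNALS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits if all(hits.values()) else {}

def audit_tree(root):
    """Scan every .php file under root (e.g. wp-content/themes)."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = audit_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed fragments; call arguments are elided, so neither is working code.
SUSPECT = """<?php
if ( isset( $_GET['entryhook'] ) ) {
    $id = wp_create_user( /* elided */ );
    /* elided */->set_role( 'administrator' );
}
"""
BENIGN = """<?php
if ( isset( $_POST['signup'] ) ) {
    $id = wp_create_user( /* elided */ );
    /* elided */->set_role( 'subscriber' );
}
"""

if __name__ == "__main__":
    for path, hits in audit_tree(sys.argv[1]).items():
        print(path, hits)
```

Run it against the themes directory after any recovery work, and compare the site's list of Administrator users against the accounts you expect to exist.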