How to Create a Backdoor Entry on a WordPress website

There are times when you lose access to a WordPress admin account and stuck outside without having access to it. What do you do at that time? You create a WordPress backdoor. A backdoor which can give you access whenever you are stuck in that situation.

If you create websites for other people, you might find this trick handy. If they create this kind of situation, you can recover within minutes and create your impact.

While this might sound like an unfair means of using the #code to enter the #site when you don’t have #access to it, there are certain instances when you need to regain control of your #website when it has been stolen. Click To Tweet
Prevention is always better, so remember to check out How to log in to Your WordPress Site Safely – our tips for keeping your WordPress website a little safer by using secure methods to log in.

Sometimes, you can create a new WordPress admin user account via FTP. In other cases, if previous is not possible, you might want to hack into a WordPress website (No, we do not promote illegal hacking) or create a backdoor entry for WordPress site.


Web security - creating a backdoor to reclaim access

Create a Backdoor Entry For WordPress Site

URL’s has a unique characteristic with them called – Query Parameters.

When you type your URL’s, sometimes, you enter extra text prefixed with ‘?’ like http://example.com/?yourQueryParameter.

This text is called query parameters and allows you to take a specific action on that page. So a single page can serve multiple functions like submitting a form. You can show a form at the start, and after submission, you can show a thanks message on the same form.

We are going to use the same concept and create a query parameter called “entryhook.” So when we use that, it will create a user account and set the authority to Administrator.

Warning: You might be tempted to edit the WordPress core files to do this, but don’t – It is never a good idea to modify any WordPress core files except wp-config.php 


To Create a WordPress Backdoor:


Open the functions.php file located in your current theme’s folder. This is where we will place the code.


Copy the following code and paste it at the end of the file:

Updated with Aathil comment about missing a curly bracket, thank you 🙂


Save the changes and leave the file as it is until you need to use it.

If you choose to leave the code as it is, all you need to do is create a new admin on the site. You can do this by visiting https://yoursite.com/?entryhook=knockknock.


Once the page has loaded, type in your new username in “name” and the password in the field “pass.”

You can, of course, make this change in the code itself by changing the ‘name’ and ‘pass’ to anything of your choice. You can also change the link to your back door by changing ‘knockknock’ or/and ‘entryhook’ to anything you want.

It is recommended you be creative and also that you write this information down in a secure location where you can easily find it again. Use random numbers and letters to make sure nobody just guesses the entry hook.

Head over to your site and try the function. It’s fun, completely safe, and can help you in the future if you ever need to have a backdoor entry to your website.

Please note – it is an easy way to regain access to your website, but leaving this open can also be a security concern if your source code is available to other developers. If you need to use this trick, you should use different paramaters/values rather than the default “knockknock” and “entryhook” we have used in this example.

In most cases, once you have used this piece of code you should remove it again.

Hopefully, you never need to use this trick. Keeping your WordPress password safe, to begin with, is even better. Check out our password management tips.

The backdoor is also a great way to upgrade your WordPress and blogging skills.


Join our email list

Interesting articles about

WordPress and internet security

12 thoughts on “How to Create a Backdoor Entry on a WordPress website”

  1. It has failed to login when I add the add code to functions.php.

    WordPress: Version 5.3.2
    Unknown username. Check again or try your email address.

  2. Gary Simmons

    If my old web person created a back door like this and is now trying to extort me for money, how can I get rid of these backdoors?

    1. Hello Gary

      Unfortunately this will require some manual work – there are many places code like this could be hiding. You can use a malware scanner such as Security Ninja or other plugin to identify which files have been manipulated. This only helps with the publicly known files, but it can save you some time knowing where to look.

      It is hard to give more detailed answer.

  3. I think I have done something wrong. I have implemented the code in my theme functions.php file, but I don’t know how to get the login page to add a new user. Perhaps I am typing in the wrong URL to access that page? Can you please describe that portion more?

    ABove it says to go to, “https://yoursite.com/” but that is just the home page. We wouldn’t want everyone who goes to the home page to be able to do that. I’m sure I am missing a step here.

    1. Lars Koudal

      Hello Josh

      I have updated the article with better details – You need to go to yoursite.com/?entryhook=knockknock to trigger this – that was not clearly explained.

      Also, I would suggest removing the backdoor once you are done with it or at the very least change the default values to something else. I have also updated the article to say this.

  4. Thanks for this. But I got error when applied it. The error page is : There has been a critical error on your website. Learn more about debugging in WordPress.

    I’ve tried twice using the default value you wrote here and using my own values. Is it happen because I’m using hidden login page plugin? I’ve changed my default mywebsite.com/wp-login.php to a custom link.

    And one thing is, on functions.php at the beginning of code “<?php", its marked as : syntax error unexpected '<'.

Leave a Reply to rick Cancel Reply

Your email address will not be published. Required fields are marked *

Safe, Simple & Secure

WordPress Security made easy

Powerful, yet easy to use

Keep your website safe & prevent downtime due to security issues.

custom logoWP Security NinjaWP Security Ninja
5 Stars - Based on 78 User Reviews

We handle your WordPress security

We are PayPal verified.

20% OFF

Subscribe to our newsletter

* We do not spam or share your email

Discount on any Security Ninja plan

and get

Hi and welcome back :-)