How to hack into a WordPress website, the complete guide

We don’t condone, approve nor encourage any illegal or malicious behavior! The purpose of this article is to explain how to hack or regain access to a WordPress site that belongs to you, or that you have rights to edit, admin and access. Whatever you do, you’re doing it on your own. We’re not responsible for your actions. This guide serves only for educational purposes.

The methods described here will help you regain access to the site even if you no longer have an account. They require some information about the site, though, and they won’t help you hack into any random WordPress installation.

Situations you can help yourself in

If you’re in one of the following situations, our methods will help you regain access:

  • you forgot the username or email address
  • reset password option does not work on the server
  • reset password emails are not coming through
  • you no longer have access to the account’s email address
  • you know the username & password, but the combination just does not work

To use the methods described below, you’ll need only one of the following:

  • FTP access to the server, or
  • cPanel access to the server, or
  • access to the MySQL database and the ability to connect to it remotely

Method #1 – the MySQL way

Use this method to change the password (or username if needed) of an existing user or to create a new account. You’ll need cPanel access or direct MySQL access to the site’s database. Let’s get started by changing the password of an existing user.

If you’re using cPanel, log in (cPanel can always be accessed via the https://yoursite.com:2083 link), then locate and open phpMyAdmin. The list of databases and tables is on the left. You’re looking for the table whose name ends in _users. It’ll probably be wp_users, but if you have more than one WordPress site installed on the server, you have to find the right one. The right table is the one that contains the user you want to edit. Follow the same procedure if you’re connecting to MySQL via an external client such as SQLyog. Once you locate the table and the actual user record, it’s time to change the password.

As you’ve probably figured out by now, the password is saved in the user_pass field, hashed using the MD5 algorithm. Open the online MD5 generator, enter the password you want to use and click “Hash”. Copy the generated string and replace the original password with it. In phpMyAdmin, you can edit the field by double-clicking on it. The procedure is similar in other MySQL clients. Save the changes and log in to WordPress with your new password.

[Figure: WP users table. Usernames, hashed passwords and emails are stored in the wp_users database table.]

Still on method #1 – creating a new user

Creating a new user is a bit more complicated but still manageable in less than a minute. Create a new record in the users table and populate user_login, user_pass (hashed, using the MD5 function described above) and user_email. All other fields can remain empty; they don’t matter. Save the new record. Once saved, MySQL will give it a unique ID. It’s the number in the ID field. Remember it. Now go to the _usermeta table. Remember, the table’s prefix has to be the same as the users table’s prefix, for instance wp_users and wp_usermeta. If the prefix is not the same, you’re editing the wrong table (of some other WP installation) and the new account won’t work. We’ll create two new records. Ignore the umeta_id field for both of them. Set the user_id field to the value you just remembered (the new ID value in the users table). For the first record, set meta_key to wpct_user_level and meta_value to 10. For the second one, set meta_key to wpct_capabilities and meta_value to a:1:{s:13:"administrator";b:1;}. Save both. You’re done – log in!
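Both parts of method #1 as SQL you can paste into phpMyAdmin’s SQL tab or any MySQL client. This is an added example, not code from the original article; it lets MySQL compute the MD5 hash, so the password is never typed into a third-party site. The table prefix wp_, the logins, the email address and the passwords are assumed placeholders. WordPress builds the two meta_key names from the table prefix, so the wpct_ keys quoted above belong to an installation whose tables are wpct_users and wpct_usermeta.

```sql
-- Added example. Assumed placeholders: table prefix wp_, the logins,
-- the email address and the passwords. Replace all of them.
-- Run each numbered part as one batch on a single connection.

-- 1) Reset the password of an existing user.
UPDATE wp_users
SET    user_pass = MD5('REPLACE-with-new-password')
WHERE  user_login = 'existing_login';

-- 2) Create a new administrator. On InnoDB tables the transaction makes
--    the three rows appear together or not at all.
START TRANSACTION;

INSERT INTO wp_users
       (user_login, user_pass, user_nicename, user_email,
        user_registered, display_name)
VALUES ('recovery_admin', MD5('REPLACE-with-new-password'), 'recovery_admin',
        'you@example.com', NOW(), 'recovery_admin');

-- ID that MySQL assigned to the row just inserted.
SET @new_id = LAST_INSERT_ID();

-- The meta_key names start with the same prefix as the tables.
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
       (@new_id, 'wp_user_level',   '10'),
       (@new_id, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');

COMMIT;

-- 3) Check: list every account that holds the administrator role, so the
--    new one is confirmed and unexpected ones stand out.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM   wp_users u
JOIN   wp_usermeta m ON m.user_id = u.ID
WHERE  m.meta_key = 'wp_capabilities'
  AND  m.meta_value LIKE '%"administrator"%'
ORDER  BY u.user_registered;
```

The statement text, password included, can be kept in query history or server logs, so set a fresh password from the WordPress profile screen once you are logged in.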

Method #2 – the functions.php way

This approach works either by editing functions.php through cPanel or by using an FTP client to do so. If you’re using cPanel, find File Manager and open it. First, we have to find the active theme’s folder.

Go to the public_html/wp-content/themes folder. If you immediately see your theme and know which one it is – great. Open its folder and start editing functions.php. If not, open the site, right-click anywhere and select “View source”. Then press Ctrl + F and start typing /themes/. Soon you’ll have a lot of URLs highlighted, and you’ll recognize the folder name of the active theme. Find it in the file structure, open it, and start editing functions.php. Copy/paste the following code at the end of the file. Mind the closing ?> PHP tag if the file has one: it has to stay on the last line, so insert the code before it.

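$new_user_email = 'myemail@domain.com';
$new_user_password = '12345';

// Create the account only once; the email doubles as the username.
if(!username_exists($new_user_email)) {
  $user_id = wp_create_user($new_user_email, $new_user_password, $new_user_email);

  // wp_create_user() returns a WP_Error on failure, e.g. when the email is already in use.
  if(!is_wp_error($user_id)) {
    wp_update_user(array('ID' => $user_id, 'nickname' => $new_user_email));

    // Promote the new account to administrator.
    $user = new WP_User($user_id);
    $user->set_role('administrator');
  }
}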

Edit only the first two lines of the code to reflect your new account. If there’s already a user in WP with that email, a new account won’t be created, so make sure it’s new. Change the password as well – don’t get hacked by script kiddies. After saving the file, simply open your site: the code will run, a new account with administrator privileges will be created, and you’ll be able to log in with it. After you do so, remember to delete the code from functions.php.

Other hacking methods

By knowing the FTP, cPanel or MySQL password, you’re proving that you have legitimate access rights to the server and therefore should have access to the WordPress installation(s) as well. If you don’t have any of those accounts, then you’re up to no good (hacking into other people’s sites), and that’s not nice! Please remember that gaining unauthorized access to any computers, sites or servers is a serious crime and is promptly dealt with in most countries.

If you are worried that your WordPress site could be hacked, please check this page with a free WordPress security scanner.


11 thoughts on “How to hack into a WordPress website, the complete guide”

  1. Hi there! Quick question that’s completely off topic.

    Do you know how to make your site mobile friendly? My weblog
    looks weird when browsing from my iphone.
    I’m trying to find a theme or plugin that might be able to fix this problem.
    If you have any recommendations, please share.
    Many thanks!
