Well, not exactly hacking. But let me explain…
Web hosting is a part of my business and, as is to be expected, most clients build their sites with WordPress. All of their content (files and databases) sits on my servers and even though I may not have (or want) an administrator account on their WordPress installations, I do have root access on both the file system and database levels.
Clients often forget their WordPress login information. When this happens, they get locked out of the admin area of their sites and need help getting back in. There are also scenarios where server administrators may need to “force” their way into a client’s site even when the client has not requested this, perhaps for legal reasons or because of policy violations. Or, depending on the type of management service being provided, server admins may need to log in to perform updates, routine maintenance, etc.
In summary, scenarios where “hacking” a WordPress password may be necessary include:
- You forgot the username and email address of your own site.
- You know the username or email address but have forgotten the password. And for some reason, the out-of-the-box password reset option has failed to work – maybe because the password reset emails are not coming through. Or maybe you no longer have access to the original email address used.
- Your client has lost the login details of a WordPress website that you host on their behalf.
- For legal reasons or due to policy violations, you are required to force your way into a website hosted on your infrastructure.
- Your site got hacked and the admin account got deleted (or the password got changed).
In any case, this article explains how a server administrator can either force reset a user’s WordPress password or create a new WordPress admin user with a brand new password. I will show how this can be done either from the backend MySQL database or using the functions.php file via FTP. In both cases, a WordPress account on the website in question is not required.
The methods we will be exploring here are:
- “Hacking” a WordPress password on the database (by forcing a password reset)
- Creating a new WordPress admin user via the database
- “Hacking” (resetting) a WordPress password using the functions.php file
- Creating a new WordPress admin user using the functions.php file
While none of the above methods is exactly password hacking (since we’re not using brute force techniques or anything like that), the end result effectively “hacks” our way into WordPress with the same administrative rights that were previously lost.
DISCLAIMER: The processes described here are completely legal. Even though the password hashing piece uses this tool I built, the tool uses the official WordPress function wp_hash_password() behind the scenes. I wrote this article with server admins and web masters in mind. It is meant to be purely informative and educational. If someone uses the instructions here for malicious reasons, I cannot be held responsible.
Let’s begin…
Method 1: “Hacking” (Resetting) A WordPress Password On The Database
Launch your database administration tool. This could be phpMyAdmin, HeidiSQL, MySQL Workbench, etc. We will be making a change on the wp_users table.
NOTE: The table name may be different depending on whether your installation uses a custom table prefix. This article assumes that wp_ is your table prefix. This is the default value. A quick look at your WordPress table names should help you identify your table prefix and the equivalent wp_users table in your case. You can also find the table prefix defined explicitly in the wp-config.php file (the variable of interest there is $table_prefix).
Once you open the wp_users table to view the data, you should be able to quickly identify the user record that needs to be changed. The field of interest (that holds the hashed password) is the user_pass field. This field will have a value that looks something like this: $P$BE.lIb0ypAKBR2OZCREKMwSrPiWW9g1
Launch the WordPress Password Hash Generator. Enter the new password you want for this user and click the “Hash this Phrase” button. Copy the generated string and replace the current user_pass value with it. You should be able to edit the value by just double clicking on it.
Save the changes and log in to your WordPress admin area with your new password. Depending on how strong your chosen password was and if your website enforces strong passwords, you might be asked to choose a strong password right away after signing in.
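The user_pass value shown above is a portable phpass hash: the `$P$` marker, one cost character (`B` means 2^13 MD5 rounds), an 8-character salt, and 22 characters of digest. The Python below is an added example, not the article's generator or WordPress's own code; it builds and checks such a hash locally so the new password never has to be typed into a web page, and its function names are this example's own.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass base64 variant: 3 bytes little-endian -> 4 chars, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Hash password with the cost and salt read from setting[:12]."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass setting")
    log2 = ITOA64.find(setting[3])
    if not 7 <= log2 <= 30:
        raise ValueError("iteration count out of range")
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode("ascii") + pw).digest()
    for _ in range(1 << log2):          # 8192 rounds for the 'B' cost character
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def new_hash(password: str, log2: int = 13) -> str:
    """Fresh hash with a random 6-byte salt; log2=13 yields the $P$B prefix."""
    salt = _encode64(os.urandom(6))
    return phpass_hash(password, "$P$" + ITOA64[log2] + salt)

def verify(password: str, stored: str) -> bool:
    """True when password matches a 34-character portable hash."""
    try:
        candidate = phpass_hash(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":
    # Constructed sample passphrase; paste the printed value into user_pass.
    value = new_hash("constructed sample passphrase")
    print(value, verify("constructed sample passphrase", value))
```

WordPress 6.8 and later hash new passwords with bcrypt but still accept `$P$` values and rehash them at the next successful login.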
Method 2: Creating A New WordPress Admin User Via The Database
Creating a new admin user is similar to the above process of resetting a user’s password. But it is a little more complicated. This time, we will modify both the wp_users table and the wp_usermeta table. Here’s what you need to do…
Create a new record in the wp_users table. Set these fields:
- user_login – The username you want for accessing the WordPress admin area
- user_pass – The hash code of your chosen password generated using the WordPress Password Hash Generator
- user_email – The email you want to associate with this new account
- user_registered – The date this user got registered
All the other fields can remain blank for now. They are not required fields. But you can edit them later from the WordPress dashboard if you like. Save the new user record.
Once saved, WordPress will automatically give the user an ID. This number will be saved in the ID field. Note this number.
Now open up the wp_usermeta table. We will create two new records in this table.
For both new records, set the user_id field to the auto-generated ID above.
For the first record set the meta_key field to wp_user_level and set the meta_value field to 10.
For the second record set the meta_key field to wp_capabilities and set the meta_value field to a:1:{s:13:"administrator";s:1:"1";}
NOTE: The wp_user_level and wp_capabilities values used above will again depend on the table prefix used in your installation. So, if for example, your table prefix is wp_yourdomain_, then the values should be wp_yourdomain_user_level and wp_yourdomain_capabilities respectively.
Save both records and log in to your WordPress website with the new username and password you just created. Depending on how strong your chosen password was and if your website enforces strong passwords, you might be asked to choose a strong password right away after signing in.
Once you have logged in, edit your user from the WordPress dashboard. No need to change anything. Just scroll down and press the Save button. WordPress will internally add some extra information to the new user you just created. If you’re asked to supply any additional required information, just supply them (for example, you might be asked to supply a unique nickname).
Now that you have a new admin WordPress account, you may go ahead and delete the old admin account if you like. During the delete process, WordPress will allow you to attribute all the content created by the old user to the new user (or to any other existing user).
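Method 2's wp_capabilities value is a PHP-serialized array whose `s:13` prefix is the byte length of "administrator", so curly quotes copied from a web page or a wrong length mean PHP cannot unserialize it. This added Python example (not the article's code; the function names are this example's own) parses the value before you save it and builds both meta_key names from the table prefix.

```python
def _parse(d: bytes, p: int):
    """Parse one serialized value at offset p; return (value, next_offset)."""
    tag = d[p:p + 2]
    if tag in (b"b:", b"i:"):                      # b:1;  or  i:10;
        end = d.index(b";", p)
        n = int(d[p + 2:end])
        return (bool(n) if tag == b"b:" else n), end + 1
    colon = d.index(b":", p + 2)
    size = int(d[p + 2:colon])
    if size < 0:
        raise ValueError("negative length")
    if tag == b"s:":                               # s:<byte length>:"<bytes>";
        start, end = colon + 2, colon + 2 + size
        if d[colon + 1:start] != b'"' or d[end:end + 2] != b'";':
            raise ValueError(f"bad quote or length for string at byte {p}")
        return d[start:end].decode("utf-8"), end + 2
    if tag == b"a:" and d[colon + 1:colon + 2] == b"{":   # a:<count>:{k v ...}
        p, out = colon + 2, {}
        for _ in range(size):
            key, p = _parse(d, p)
            out[key], p = _parse(d, p)
        if d[p:p + 1] != b"}":
            raise ValueError("array is not closed")
        return out, p + 1
    raise ValueError(f"unsupported token at byte {p}")

def capabilities(meta_value: str) -> dict:
    """Decode a wp_capabilities meta_value into a dict, or raise ValueError."""
    raw = meta_value.encode("utf-8")
    value, end = _parse(raw, 0)
    if end != len(raw) or not isinstance(value, dict):
        raise ValueError("not a single serialized array")
    return value

def is_admin_value(meta_value: str) -> bool:
    """True when the value parses and maps 'administrator' to a PHP-truthy value."""
    try:
        caps = capabilities(meta_value)
    except (ValueError, TypeError):
        return False
    return caps.get("administrator") not in (None, False, 0, "", "0")

def usermeta_rows(user_id: int, table_prefix: str = "wp_"):
    """The two wp_usermeta rows from Method 2, keyed by the table prefix."""
    value = 'a:1:{s:13:"administrator";s:1:"1";}'
    if not is_admin_value(value):
        raise ValueError("capabilities value is malformed")
    return [(user_id, table_prefix + "user_level", "10"),
            (user_id, table_prefix + "capabilities", value)]
```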
Method 3: “Hacking” A WordPress Password Using The Functions.php File
Open up the functions.php file of your active theme in a text editor. This file will generally be found here: public_html/wp-content/themes/your-active-theme/functions.php
Add this line of code to the file. You can just append it at the end of the existing content.
```php
wp_set_password('yourdesiredpassword', 1);
```
It is best to choose a strong password. That way, if your website enforces strong passwords, you won’t be required to change it again after signing in.
In the above case, the password of the user with an ID of 1 will be reset.
Save the functions.php file and visit your site’s frontend. The user’s password will be reset.
IMPORTANT: Before even confirming that the password reset worked, first delete the above line of code from your functions.php file. If you don’t, the password will be reset on every page load and you may never manage to login with the new password you have set.
After deleting the password reset code, you can now log in with the new password.
You can read more about the wp_set_password() function here.
Note that unlike the database password reset method above, to use this FTP password reset technique, you will need to know the user’s ID beforehand. But since you may not already know this (without guessing), I think the database password reset method (described in Method 1 above) is more powerful.
Method 4: Creating A New WordPress Admin User Using The Functions.php File
Open up the functions.php file of your active theme.
Add this code to the file.
```php
function ehi_kioya_create_admin_account() {
    $username = 'yourdesiredusername';
    // Choose a strong password. That way, if your website enforces strong
    // passwords, you won't be required to change it again after signing in.
    $password = 'yourdesiredpassword';
    $email    = 'youremail@yourdomain.com';

    // Only create user if chosen username and chosen email are not already in use
    if (!email_exists($email) && !username_exists($username)) {
        $userid = wp_create_user($username, $password, $email);
        // wp_create_user() returns a WP_Error object on failure; stop in that case
        if (is_wp_error($userid)) {
            return;
        }
        wp_update_user(array('ID' => $userid, 'nickname' => $email));
        $newuser = new WP_User($userid);
        $newuser->set_role('administrator');
    }
}
add_action('init', 'ehi_kioya_create_admin_account');
```
Don’t forget to enter your own username, password, and email values. If there’s already a user in WordPress with your chosen username or email, a new account won’t be created. So make sure to use unique values for the username and email.
Save the functions.php file and then simply visit your website frontend. The code will be executed and the new administrator user will be created. You can then log in with the credentials of the new user.
Again, don’t forget to delete the code from the functions.php file.
Conclusion
Hopefully one of the methods discussed above will help you regain administrative access to your WordPress website. By having database and/or file system access, you prove that you have rights to the server and should therefore have rights to the websites hosted on it. If you are attempting to hack a WordPress website for which you have neither database nor file system access, then you are attempting to hack other people’s sites and are clearly up to no good. Gaining unauthorized access to other people’s websites like that is a crime and not something I teach or encourage.
If you found the methods discussed here helpful, or have a question or contribution, please share your thoughts using the comments section below.
My sites are very secure.
Thanks.