WordPress Files

“Backdoor User” or How to become admin without an account

Blog WordPress Files “Backdoor User” or How to become admin without an account

SecuPress Backdoor User

SecuPress Backdoor User is a PHP script (not a WordPress plugin) that may be useful when you have lost access to your dashbord but still have access to FTP.

Edit 21 july 2012 : v2.0

Edit 09 december 2016 : v3.0

Edit 08 august 2017 : v3.1

You can download it for free on github: https://github.com/BoiteAWeb/SecuPress-Backdoor-User/

I sometimes need it when a client gives me FTP access but no access to the dashboard. Rather than send him a new mail and wait for an answer, I create myself my admin account.

I used a script from Kévin (@darklg) here: Récupérer un compte utilisateur sur WordPress (fr) then modified in 2016 by Fanchy for a better design.

How to use it, it’s simple:

  • Rename the file,
  • Upload it on your website, a sub-folder is advised, the script will find WordPress,
  • Then 5 choices:
    1. Create a user
    2. Log in as a user (even without the password)
    3. Delete a user
    4. Edit the role or pass of a user
    5. Deactivate plugins and delete mu-plugins
  • The file will delete itself for the first 2 actions, for the others, you will have to (1 click)
  • By the way if you encounter the message “Please rename the file before use!”, read the first point again!

Is this script secure enough?

  • First security point, it is not possible to load the file without renaming it, the goal is to prevent search engines to find this file on any site,
  • Second security point, you can hide this script into any sub-folders like /kqsdjhqks/erpoikdv/cvjhbqjdv.php, no problem, I recommend you to do it!
  • Third security point, the file will autodelete itself (for the first two actions).

Why not a fourth security point with a password in the code like “?access_pass=mypass“?

So you don’t have to modify the source code and so you can compare their MD5 hashes value. You can add it yourself (but don’t try to pull request that, I’ll refuse).

In any case, if you use this file, it’s a one shot usage, never upload it for a future usage like “A day, I’ll use it …”!

There is a lot of PHP scripts that are not plugins and can be used like this one, but once in your site, the file name is the default one. It’s dangerous to use that kind of script in a long term.

I wish you a good usage!