Podcast Episode

417 – Hacking Your Way into a WordPress Site

Announcements

Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin from the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

Variation Swatches for WooCommerce provides a much nicer way to display variations of variable products. This plugin lets you select a style for each attribute: color, image or label. With it, you can present product colors, sizes, styles and many other things in a better way that WooCommerce itself does not support.

Hacking Your Way into a WordPress Site

Via Database:

You’ll need to create three line items in your database: one in the wp_users table and two in the wp_usermeta table.

For wp_users, click on the table, then on the insert tab across the top:

  • ID – pick a number (in our example, we will use the number 5)
  • user_login – insert the username you want to use to access the WordPress Dashboard.
  • user_pass – add a password for this username. Make sure to select MD5 in the functions menu (Refer to the screenshot below).
  • user_nicename – put a nickname or something else that you would like to refer yourself as.
  • user_email – add the email you want to associate with this account.
  • user_url – this would be the url to your website.
  • user_registered – select the date/time for when this user is registered.
  • user_status – set this to 0.
  • display_name – put the name you like to display for this user on the site (it can be your user_nicename value as well).
  • Click on the Go Button

For wp_usermeta, click on the table, then on the insert tab across the top:

  • umeta_id – leave this blank (it will be auto-generated)
  • user_id – this will be the id of the user you created in the previous step. Remember we picked 4.
  • meta_key – this should be wp_capabilities
  • meta_value – insert this: a:1:{s:13:"administrator";s:1:"1";}

Insert another row with the following information:

  • umeta_id – leave this blank (it will be auto-generated)
  • user_id – this will be the id of the user you created in the previous step. Remember we picked 4.
  • meta_key – this should be wp_user_level
  • meta_value – 10

Or you can use the following in the SQL area and add all three records at the same time.


INSERT INTO `databasename`.`wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('4', 'demo', MD5('demo'), 'Your Name', 'test@yourdomain.com', 'http://www.test.com/', '2011-06-07 00:00:00', '', '0', 'Your Name');

INSERT INTO `databasename`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '4', 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');

INSERT INTO `databasename`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '4', 'wp_user_level', '10');
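
The wp_capabilities value above is a PHP serialized array in which each s:N prefix is the byte length of the string that follows. As an added example (not code from the show notes), this Python sketch parses that format, lists which user IDs hold the administrator role, and catches values that will not parse, such as one pasted with typographic quotes. The sample rows and function names are constructed for illustration.

```python
import re

_HEAD = re.compile(rb'a:(\d+):\{')
_STR = re.compile(rb's:(\d+):"')
_SCALAR = re.compile(rb'[bi]:(-?\d+);')


def _read_string(buf, pos):
    """Read s:<byte length>:"<data>"; at pos; return (text, next position)."""
    m = _STR.match(buf, pos)
    if not m:
        raise ValueError(f"expected a string at byte {pos}")
    start = m.end()
    end = start + int(m.group(1))
    if buf[end:end + 2] != b'";':
        raise ValueError("declared string length does not match the data")
    return buf[start:end].decode("utf-8"), end + 2


def _read_value(buf, pos):
    """A capability value is a bool/int (b:1; i:1;) or a string (s:1:"1";)."""
    m = _SCALAR.match(buf, pos)
    if m:
        return m.group(1).decode(), m.end()
    return _read_string(buf, pos)


def parse_capabilities(meta_value):
    """Parse a flat serialized PHP array of role/capability names to values."""
    buf = meta_value.encode("utf-8")  # PHP string lengths count bytes
    head = _HEAD.match(buf)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, caps = head.end(), {}
    for _ in range(int(head.group(1))):
        key, pos = _read_string(buf, pos)
        caps[key], pos = _read_value(buf, pos)
    if buf[pos:] != b"}":
        raise ValueError("element count does not match the data")
    return caps


def audit_admins(usermeta_rows):
    """Return (user IDs holding 'administrator', user IDs with unparsable values)."""
    admins, broken = [], []
    for user_id, meta_key, meta_value in usermeta_rows:
        # The table prefix varies per install, so match on the key's suffix.
        if not meta_key.endswith("capabilities"):
            continue
        try:
            caps = parse_capabilities(meta_value)
        except ValueError:
            broken.append(user_id)
            continue
        # Flag the role key whatever its value: conservative for an audit.
        if "administrator" in caps:
            admins.append(user_id)
    return admins, broken


# Constructed sample rows: (user_id, meta_key, meta_value).
SAMPLE_ROWS = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";s:1:"1";}'),
    (4, "wp_user_level", "10"),
    # Same value as user 4, but with typographic quotes as pasted from a word processor.
    (7, "wp_capabilities", 'a:1:{s:13:\u201dadministrator\u201d;s:1:\u201d1\u2033;}'),
]

if __name__ == "__main__":
    admins, broken = audit_admins(SAMPLE_ROWS)
    print("administrator accounts:", admins)
    print("rows that will not parse:", broken)
```

Run against an export of wp_usermeta, the first list is the set of accounts to compare with the administrators you expect to exist.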

Via FTP:
Add this code snippet to your functions.php file or code snippets plugin (after changing the username, password and email address of course).


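function add_admin_acct() {
    // Change these three values before uploading the file.
    $login = 'dustin';
    $passw = 'myhardpass';
    $email = 'dustin@mydomain.com';

    // Only create the account if neither the username nor the email is already in use.
    if ( ! username_exists( $login ) && ! email_exists( $email ) ) {
        $user_id = wp_create_user( $login, $passw, $email );
        // wp_create_user() returns a WP_Error on failure, so check before using the ID.
        if ( ! is_wp_error( $user_id ) ) {
            $user = new WP_User( $user_id );
            $user->set_role( 'administrator' );
        }
    }
}
// Hooked to init, so this runs on every page load. Remove the snippet once the
// account exists: the password sits in this file in plain text.
add_action( 'init', 'add_admin_acct' );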

Thank You!

Thank you to those who use my affiliate links. As you know, I make a small commission when someone uses my link, and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page.

Full Transcript

Business Transcription is provided by GMR Transcription.

On today’s episode we are going to talk about how to hack into a WordPress site. Right here on Your Website Engineer Podcast, Episode No. 417.

Hello and welcome to another episode of Your Website Engineer Podcast. My name is Dustin Hartzler and today I’m excited to bring you another episode. And this one is going to be one that you’re going to want to save into your toolbelt when you get that chance someday to log into a website. Maybe a client has started a project with you but they never gave you a WordPress login. You have all the other details, but you don’t have a WordPress login. Maybe you’ve locked yourself out of a site. Today, I’m going to share two different ways that we can hack into a WordPress site and get back in without having to bother the client or ask for a WordPress account to be created for us.

So, let’s go ahead and talk about the announcements first and then we’ll dive right in. The first announcement is that Jetpack 6.8 has been released into the wild as of November 27th. This is a wave of Jetpack that has blocks built specifically for the new WordPress editor, Gutenberg. It has some of the features that you’ve come to rely on and has been adapted for this new experience. The payments buttons, forms, maps, and markdown- all three of those things have been added into blocks and with those blocks you can create those different areas on your WordPress site.

So, if you wanted to create a way to get paid on your site, you could go and you could add the simple payment block. Or, if you want to create a new form on a page or a post, you could go ahead and add a new contact form. There’s also a cool new block that I’ve never seen before. I’ve never even used as a part of Jetpack before, but you can add a map directly to your site. So, you can add the map block and then you can add the address and it will automatically appear right on your site. And then you can change the colors of the little icon for the address. You can do the map theme. You can change the different map themes, and it’s pretty cool and it is really, really slick. And then the last feature is markdown. You can write a post or a page in markdown with a markdown block and it will automatically convert it to HTML, which is really cool.

And the last feature that has been added back in is to publicize. And you can now publicize right from the Gutenberg menu on the – on the right-hand side. So, you can go, and you can go to share this post and you can share automatically to your social network. So that’s Gutenberg – or I guess that’s Jetpack 6.8. You can update today and they are gonna – the team behind Jetpack will continue working on bringing us more and more blocks just to make it easier to add the content that we need to our WordPress site.

Speaking of Gutenberg and WordPress 5.0, as of – let’s see – November 23rd, so this was last week, WordPress 5.0 Release Candidate was released. And what this means, is that there’s gonna be no more added features. It’s basically, the code is locked down except for bug fixes and security holes. There’s an article over on wordpress.org/news and you can see all about things that are happening with Gutenberg. It basically talks about some of the changes that have been added with the 2019 theme and all the kinds of changes that have been made since the Beta 5, that was released the week before.

Also, I want to note that the date was shifted from the 27th, so that was on Tuesday, November 27th. It has been shifted. It doesn’t say in the post when it’s going to be shifted to, but it’s just – they’re continuing to work through the process and continuing to make sure that the code is as best and as perfect as possible so we can release this to millions of WordPress sites.

A good note though, is that WordPress 5.0 Beta or Gutenberg itself, one of the two – either of those – either the Beta software of WordPress or the plug-in, has been downloaded and installed on more than one million active end sites, so it is getting a lot of publicity and there are a lot of people testing things and I fully believe that this is going to be a great release and it’s going to really revolutionize and change the way that we use our WordPress websites. So, that is WordPress 5.0 Release.

I also want to point out that if you are unable to come to WordCamp US, there now is a live stream ticket option and the event is only just a handful of days away – nine to ten – depending on when you’re hearing this – or even less. And if you can’t come and you plan on watching via live stream, it is the next best option than coming to Nashville. There is – it is free to sign up, but you will need to sign up for a ticket on the event website. And so, this will include the two different tracks, it will also include Matt Mullenweg’s State of the Word address, which is on Saturday, December 8th at 4 PM central and live stream holders can tune into any of the sessions and they can also participate in the conversation on Twitter using the WCUS hashtag. So that is all about WordCamp US.

And the last news that I want to say today and share with you is a post over on justnorris.com and it’s, “How to Dynamically Enable Gutenberg.” And so, whatever your stance is on Gutenberg, it’s coming to WordPress Core, it’s gonna be here soon, but there’s an easy way to disable the new WordPress editor dynamically with some filters. And so, you can disable by default. You can leave Gutenberg for a single post. You can enable Gutenberg only for new posts. You can enable Gutenberg based on post meta, so depending on what is in the meta data it can turn on Gutenberg. You can enable Gutenberg for a certain category or a tag. You can do by a post type and so each one of those sections has a snippet of code that you can add to a functions.php file or a code snippet plugin and it will automatically enable or deactivate Gutenberg based on the parameters that you’ve set up.

So, I have a link in the show notes for Episode No. 416. I just wanted to point it out just so that you have the opportunity and the knowledge of – “Hey I’m ready for Gutenberg. I’m ready for it on posts and pages but maybe not quite my custom post type yet,” and it will show you exactly what you can do to make sure your custom post types are not affected by Gutenberg at this time. So that is over at justnorris.com.

All right, today I have a plugin to share with you and this one is a – one I find is really nice and a more of a visual way to display your variations when it comes to products. And so, a variable product, inside of WooCommerce is one of the standard product types that WooCommerce offers. They have a simple product, which would be like, “Oh, buy this e-book,” or “buy this digital product,” or “buy this coffee mug.” Those are basically simple products.

And then, WooCommerce also has something that’s called a variable product. And a variable product is more like a t-shirt or a sweatshirt or some sort of clothes or you can have hundreds of different types of variations but for example a t-shirt would be, “Oh, I’m going to offer them a choice of color, a choice of size, and maybe a choice of some material.” Or, any types of variations like that and so, with the standard WooCommerce, what happens is you have these – each of the variations or each of the things that you can choose are in a drop-down box. So, if you have color, you’d have to say, “black, white, red, orange.” Or size, you’d have to write, “small, medium, large, etc.”

Well, with this plugin that I’m going to share with you today, it is called a Variation Swatches for WooCommerce, and it provides a much nicer way to display variations of variable products. It will help you select a style for each color or image or label. You can present product colors, sizes, and styles and many things in better ways that are not supported by WooCommerce. It adds more options to show product variations with swatches. It doesn’t touch the default on drop-down style of WooCommerce. It’s a friendly and easy-to-use interface and there’s more than 40,000 active installs.

I was really surprised by this because I have never heard of this and I work with WooCommerce every day and help people set up their e-commerce stores. But it’s called Variation Swatches for WooCommerce, it’s made by ThemeAlien and there’s a link in the Show Notes for Episode No. 417, where you can dive in and you can take a look and see if this is something that’s going to be perfect for your WooCommerce website.

All right, today I want to talk about how to get into a WordPress site and how to quote/unquote, “hack your way in.” And I’ve had to do this a lot – I wouldn’t say a lot, I guess. There have been a handful of times when I’ve gone back and forth with a client and trying to get all the credentials. This was back before I started at Automattic, so we’re talking like six years ago. But I ended up getting all the information for FTP or had to log into their cPanel and all this stuff and then they never gave me a WordPress login and it’s just like, “Oh, now I have to – I’m ready to start right now. I have quite a few details, but I just can’t get into the WordPress site to look around and see what kind of plugins they have or what plugins are outdated, or how their dashboard is all setup and what not.” And so, I discovered a way how to get in via SQL, or how to get in via the cPanel and kind of navigate in and figure out how to login and create a new user account and I thought, “Oh wow! This is really cool.”

I’ve done this before and today when I was looking for show ideas, this was one that came up was how to create a new one – a new account if you only have FTP access. I thought, “Hey, that’s a little different. I’ve never seen that before.” And so today I want to share both ways: how to get in via the database, and how to get in if you only have FTP access. So, let’s go ahead and dive right in.

The first way is if you have access to the – your client’s or your own cPanel access. And cPanel looks different for all web hosts. Some of them are the actual cPanel and it’s the name of the software. Others have their own interface and their own way to get to your data. The big thing is you want to go in and you want to get to your database. Most likely this looks like phpMyAdmin; that is going to be the big section. You want to kind of navigate there, however your dashboard has it set up and once you are in phpMyAdmin, that’s going to show you your entire database. And think about your database kind of – I like to think of it as a – kind of a giant Excel spreadsheet and so on the left-hand side, you’ve got the different tables, and each table is like a spreadsheet inside of WordPress.

And so, there’s – I’ve talked about this in the past, but there are a lot of default tables like wp_comments and wp_commentmeta. We’ve got wp_options. We’ve got wp_posts, and wp_postmeta. We’ve got terms. We’ve got terms relationships. We’ve got user meta and we’ve got users. And so, we want to navigate into the wp_users and I want to also point out that wp_ is the default prefix for tables inside your WordPress database. Different hosts will automatically create a different prefix but they will all have the same title name after the underscore.

And so, let’s go ahead and we’re going to click on wp_users table and then there’s a tab across the top inside phpMyAdmin that’s called, “insert” and then we can go in and we can add our new users information and you can – you can just follow this information. And all of this is detailed out in the Show Notes so you can get it very easily and you don’t have to remember this as you’re driving or whatever you may be doing as you listen to this podcast. So, we’re going to insert this.

You’re going to have to pick an ID. If you pick a number, that’s fine. Otherwise, you leave it blank and it will automatically be generated for you and basically every user has their own user ID. So, it starts with user ID zero and then user ID one. You can pick a number. You can pick like 42 if you want to, to create this new user, or you leave it blank and it will automatically be added for you when you save this record. So, then you’ll – the next field, and these are just all fields inside of the table and so the first one was ID. The next one is user_login and this is the username you want to use to access your WordPress dashboard.

Then there’s user_pass, and this is add a password. Make sure that in the function – there’s a function drop-down box to the left of the password value and you want to select MD5. And, this means that basically you’re gonna type in your password as password, or sample, or a really hard and complex password. It’s going to generate and it’s going to create a hash, it’s called. And so, that way when somebody comes in to your database and looks at it, they’re not going to see the actual password. They’re going to see this gibberish that is secure and so that people can’t just look into your database, find the password, and go on. So, you want to – you’ll create it, you’ll type it as a normal or whatever your password generator has created and then you’ll select MD5 as the function and then it will do that upon saving.

You can pick a nickname, so that’s user_nicename. So, you can put – pick a nickname or you can refer to yourself as whatever. You can leave it blank as well. The next one is user email address. So, you need to have the email address that you want to associate with the account. Also, note that this can only be – there can only be one email address per – an email address can only be used for one individual. So, if you already have an account and you’ve lost your password, it’s better to go in and change the password inside of the database, versus creating a brand-new account with the same email address.

You have – other options that you can add is user_url. So, that would be the URL to your website. This is an optional setting. You could leave it as blank. You can do user_registered. And so, that’s the date and time for when this user is registered. I believe as you open up this record – as you start inserting this, it will automatically fill this out for you. So, you don’t have to do anything there.

The user status – you want to set that to zero and the display name – and you can set this to the user name of the site. You can say, “Oh, I want it to say, Dustin Hartzler” or you can leave it blank as well. Again, it’s optional. The main thing is that you want to get into the site and then once you’re inside the site, then you can – you can go to the user section. You can fill out all this information. You can change the password. You can do everything. This is just kind of the general, “Hey, this is how I need to get into my WordPress site.”

So, that creates the user account, but you’re not done yet. And I’ve struggled with this before. You create the user name and you try to go login and then it says, “You do not have permissions to do this.” And it’s like, “What? I just created the user. What’s going on here?” Well, you have to add a couple values to the wp_usermeta table. And, so, this is basically giving it some meta values to make sure that the user has the correct permissions to do whatever they need to on the site. So, if you are a subscriber, you have different permissions and different access points than if you are a full out admin. And so, you need to create two more rows inside the wp_usermeta table.

The first one, is you create and kind of do the same thing. You go into – you go into the table and then click insert at the top. And then, there is a umeta_id. This is something that will be automatically generated so you can leave it as blank. And then the user id. So, this will be the ID that you created in the previous step. If we created – earlier if we selected that we’re going to create a brand-new user name, then it’s four. Then we’ll put the user ID as four. If it automatically generates, then we have to see what it was generated. “Oh, okay, it was five?” Okay. Now we’re going to put five as the user ID. And then, the meta key. This should be wp_capabilities and then the meta value is this weird, kind of hex code – it’s not hex code, but it is a, “a:1:(” and then a bunch of gibberish.

This will be in the Show Notes and you can just copy and paste this because there’s no need to really understand what this is, but it is basically giving you the permission as an administrator so you can login and you can do everything inside your WordPress site.

The other – the other row that we need to add is for making sure the WordPress user level is set as correct. So, you will create another record. So, this will be the second record created in the wp_usermeta table. And, you’ll leave the user or umeta ID blank. You will continue to pick five as the user ID because that’s what it was generated in previous steps. The meta key will be wp_user_level. And then the meta value is going to be set as 10 and you can create – you’ll then click the go button or the save button and you’ll create – have created yourself as a new admin.

So, you’ll be able to login to wp-admin with your username and password that you specified. Then you can go into the user section, edit the username that you just created, you can add some of those fields that you didn’t do before, or whatever. That will allow you to get into your WordPress site.

Now you can also do this via the database – via a SQL query. And I’m not going to spell this whole thing out here, but basically what it is, is there’s some code and it’ll be in the Show Notes for Episode No. 417. But basically, you can copy these few lines of code into a SQL query into your database and it’ll do exactly the same thing. So, if you don’t want to navigate into phpMyAdmin and then go to the different tables, you can basically copy and paste this and you can change your user name and password and your email address and then just paste this in and you’ll be good to go. It’s really pretty slick and it’s really cool that you can kind of backdoor your way into WordPress and get into WordPress without having to bother somebody or try to figure out how to do this.

Now, if you want to change your password, if you’re locked out of your WordPress site, maybe you have iThemes Security Pro or iThemes Security installed on your site and it’s locked you out for some reason, you can go into your database and you can go and you can find the row in the wp_users table, you can find – “Oh, here’s my user name.” You can go in there and you can generate a new password. You put the password in the user_pass field; you’ll set the function as MD5 so we can scramble it and make sure it’s encrypted inside the database and then type in your new database password. Or, type in your new WordPress password, hit go and save and that will generate a new password and it will allow you to get in.

Or, if you’ve somehow locked yourself out and maybe you have a typo in your email address and the password reset’s not working correctly, you can go into the database and you can change your email address to make sure that that’s correct. So, those are different things that you can do, once you – if you have cPanel access and can get to phpMyAdmin and look inside the database, then you can do all of these things, which is really nice.

Now, the other way that I want to share with you today, is a way that you can create if you only have FTP access. Maybe they’ve given you FTP access, you don’t have cPanel so you can’t get in and just manually add this to your database, but you do have FTP access and you could go, and you could add a function inside the functions.php file or create your own or – create your own custom plugin and you could do this. But basically, there’s some code and I’m not going to talk through it here on a podcast, because it’s – it’s kind of cumbersome to talk through. But basically, it is – it basically sets – it sets three variables on this little function and it sets your login, your password, and your email address.

And you set these things, and you – you basically add this code and basically you just refresh. Once the code has been added via FTP, you can refresh your site and that account will automatically be created. It’s pretty cool, and the fact that it will automatically generate the passwords or the emails from WordPress as well – so, like the new user email address or the new user email that is sent out, those will be generated as well when you run this script or you add this code.

So, this is one that you have to be really careful with. You want to make sure that you actually have changed the login and it’s not admin and pass as your username and password. I mean, you can do that if you want to, to get in quickly and then you can go in and change the username and password, but this is one way if you only have FTP access, of how you can create a way to – create a brand-new username and then login to a WordPress site.

So that’s what I want to share with you today. And all of the code is in the Show Notes for Episode No. 417, so if you find your way or find yourself in a sticky situation sometime and you just need to be able to get into WordPress, and you’ve got access via the cPanel or some sort of FTP access, then this is – either one of these methods are gonna work and it’s going to help you get into your WordPress site quickly.