How to Hack Into a WordPress Site Through SFTP

In this article, we'll learn how to create a new admin account for WordPress by adding a small snippet of code to the functions.php file. This article is intended to help website owners gain access to their own websites and is not intended for malicious use.

Before we dive into the specific steps on how to hack into a WordPress site, we must start with a big disclaimer.

THIS CODE IS NOT INTENDED FOR MALICIOUS USE.

Why Hack Into a WordPress Site?

Okay, so let’s ask the obvious question. If this code is not intended to hack into someone’s site, why do I need this? The most common scenario where this code gets used is when one of my clients drops their web agency, and all they have is maybe the hosting logins or a zip backup of the WordPress site. In this case, they need to gain access to the backend of their website but their old agency never created an account for them.

This scenario happens far too often and is something that can be easily remedied!

How Does The Hack Work?

Essentially, we’re just writing a small command that creates a new admin account in the database. Once the code is pushed to the server, this account is then created. It’s as simple as that!

Step 1) Access SFTP To The WordPress Site

The first step to use a FTP/SFTP client like Cyberduck or FileZilla. Due to past security vulnerabilities, I tend to stay away from FileZilla and lean towards Cyberduck. You can find your SFTP credentials on your web host.

Once you have accessed your theme files, navigate to your WP Content folder and find your active theme. In that theme folder, you should download your functions.php file.

Pro Tip: Before making any edits, I highly recommend duplicating your functions.php file, especially if this is your first time editing that file. That way if your website breaks, you can always replace that file with the backup you just made.

Once you’ve downloaded your theme’s functions.php file, we can move onto the next step where we will add the code that will let us hack into your WordPress site.

 

Step 2) Add The Hacking Code

Disclaimer: To be honest, this isn’t real hacking. That’s just clickbait keywords I’m using to help webmasters find this article easier. In reality, this is simple web development and a valuable tool to helping yourself and your clients gain access to their own property. Now on with the show!

At the bottom of your functions.php file, add this script:

function wpb_admin_account(){
$user = 'ADD USERNAME HERE';
$pass = 'ADD PASSWORD HERE';
$email = 'ADD EMAIL ADDRESS HERE';
if ( !username_exists( $user ) && !email_exists( $email ) ) {
$user_id = wp_create_user( $user, $pass, $email );
$user = new WP_User( $user_id );
$user->set_role( 'administrator' );
} }
add_action('init','wpb_admin_account');

On lines 2-4, you will see fields to enter your username, password, and email. Replace my sample text with your own credentials here. Otherwise the lack of email address will make the script not work.

Once that’s been added to the file, save the file and then uploaded it back to your SFTP client. It will ask you if you would like to overwrite the current file. Select yes.

Step 3) Remove The Code From the Functions.php File

The last step seems a bit strange, but indeed you must remove the code from the functions.php file. While not completely necessary, leaving the code there can cause some issues in the future.

For example, if someone else starts editing that file, they will see your login credentials. Seems like a security vulnerability, doesn’t it?

Another reason you may want to remove the code is because if you ever try to change your password, the script may cause a conflict and keep your password the same.

In any case, it’s poor form to leave this code in your functions.php file and it’s best to remove it as soon as you gain access to the backend of your WordPress site.