Published Wednesday 13th September 2023
For a multitude of reasons, we don't often pick WordPress as a suitable platform when developing new websites, but we do often migrate existing WordPress websites to our servers for clients who are just looking for a new web host, and we also manage a couple of servers for other web design agencies who design websites using WordPress exclusively. As such, we do a lot of website administration work which requires quickly setting up WordPress admin users.
Sometimes the client doesn't know how to set us up with admin accounts, or they don't have access to the WordPress admin panel themselves. Some types of infections even lock the admin panel up completely, or change the existing logins so that it isn't possible to create new admin users through the panel anyway. In such cases, the easiest approach is to create new admin users directly, via the database.
Also, it's just generally quicker to fire off a couple of database queries than to go through the WordPress admin panel.
If you're here looking for the SQL to do this, here it is! You'll need access to the database either via a visual tool like PHPMyAdmin, accessible through Plesk and cPanel or as a standalone utility, or via the MySQL / MariaDB commandline utilities, or wrap this SQL up in a PHP script using the mysqli commands if you only have FTP access to the website.
First off, you need to know the table prefix WordPress is using. You'll find this as a $table_prefix variable in wp-config.php, or if you're using a visual tool like PHPMyAdmin, just look at the beginning of the table names to see what they have in common. If you're using the MySQL / MariaDB commandline tools, or a PHP script, you can get a list of tables using SQL:
SHOW TABLES;
By default, WordPress uses the table prefix wp_ so chances are, this is what you'll find. Using this prefix, you want to insert a new user record into the users table, so most likely wp_users. Populate the following SQL with your own values in place of your_username, your_password, Your Name, and your@email.address, also replacing wp_ with the correct prefix for your instance, to create a new users record:
INSERT INTO wp_users (
`user_login`,
`user_pass`,
`user_nicename`,
`user_email`,
`user_registered`,
`user_status`,
`display_name`
) VALUES (
'your_username',
MD5('your_password'),
'Your Name',
'your@email.address',
NOW(),
'0',
'Your Name'
);
Make note of the ID this record was created with. With visual tools like PHPMyAdmin you just need to look at the created record for this, or if you're wrapping this in a PHP script you can use mysqli_insert_id(). If you're doing this with SQL, replace wp_ and your_username in the following:
SELECT `ID` FROM wp_users WHERE `user_login` = 'your_username';
Finally, using this obtained ID in place of user_record_id, and again replacing the wp_ prefix with whatever is correct for your instance, insert two new usermeta records:
INSERT INTO wp_usermeta (
`user_id`,
`meta_key`,
`meta_value`
) VALUES (
'user_record_id',
'wp_capabilities',
'a:1:{s:13:"administrator";s:1:"1";}'
);
INSERT INTO wp_usermeta (
`user_id`,
`meta_key`,
`meta_value`
) VALUES (
'user_record_id',
'wp_user_level',
'10'
);
Together, these three queries create a new user record in the WordPress database, and the appropriate usermeta records to turn it into an admin account. The weak MD5 hashed password will be replaced by WordPress with a more secure, properly salted hash when you first log in. You can now just log in with this user via the WordPress admin panel.
Note that if you're running a security plugin like Wordfence, you'll most likely receive a warning that a new admin account has been created outside of WordPress. This is safe to ignore.
If you're here because your WordPress website has become infected and you're struggling to clean this infection up yourself, please do get in touch. We have tonnes of experience cleaning up, and securing, infected WordPress websites.
Blog posts are written by individuals and do not necessarily depict the opinions or beliefs of QWeb Ltd or its current employees. Any information provided here might be biased or subjective, and might become out of date.
Nobody has commented yet.
Your email address is used to notify you of new comments to this thread, and also to pull your Gravatar image. Your name, email address, and message are stored as encrypted text. You won't be added to any mailing list, and your details won't be shared with any third party.