Emergency WordPress access
If you do a lot of WordPress development work, you're bound to receive WordPress database sometimes that you don't have an admin account for. We at OrangeValley at least, do have that issue. We usually test, if possible, on a database the client provides us with. We used to have to go into the database and change an existing user, or add a new one by hand, and well, that wasn't too optimal.
Quite a while ago I came across a script (mentioned before in a WordPress Scripts post) called emergency.php that partly solved this issue for us, but it was not really what we'd call the answer to all our problems. It sent out an email to the admin saying the password for the admin was changed, something we actually didn't want to happen, because we couldn't change the email in the same script. It also didn't allow us to add a new user, and didn't have any security restrictions, so leaving it out in the open was quite a horrific experience.
This morning, when I ran into this issue for the gazillionth time, I decided it was time to fix it. So I built a new user manager script, still dubbed emergency.php because basically that's when you use it. It looks like this:
As you can see it asks for the database password. If you have FTP access, that's easy enough to come by, but it prevents other people from messing up your site when you accidentally leave the file online. Once you've selected a user or chosen to add a new one, and you've entered the correct database password, you'll get a screen like this:
Click for larger version
Clicking "Add user" will add the user to the database, or, if you're editing an existing user, update it in the database. Easy does it! You can download the file here, enjoy!
Update June 29th 2010: We've patched several issues within the file, fixing the empty roles dropdown, not being able to include the required files and some notices. Download the latest version here, links above have been updated too.
PDF Tags: WordPress development
Category: WordPress
You can skip to the end and leave a response.
Other posts you might like:
50 Responses to “Emergency WordPress access”
Comments closed, if you feel you have something to say:
drop me a line.
WordPress SEO Plugin
Yoast's all in one SEO solution for your WordPress blog: SEO titles, meta descriptions, XML sitemaps, breadcrumbs & much more.
Pingback: Simple scripts for speedy WordPress actions - Yoast - Tweaking Websites
by Rafie on 21 April, 2010 at 12:42
Such a brilliant solutions. Thumbs up!
Suggestion:
If you could add CAPTCHA on the User Manager page, that would be awesome as it might prevent some nasty things to try the database password several times. Possible?
by Andy Symonds on 21 April, 2010 at 12:46
This looks really handy Joost. I have got clients in the past to install the PHP MyAdmin WordPress plugin but this will be much easier. Top work as usual!
by Leon on 21 April, 2010 at 14:12
Thanks for this but had to figure out where to upload it to myself!?
by Joost de Valk on 21 April, 2010 at 14:16
Into the wordpress root directory, should have stated that I guess :)
by Adam W. Warner on 21 April, 2010 at 14:43
Uploading the .zip through the plugins "Add New" menu returns "This plugin does not have a valid
header."
by Joost de Valk on 21 April, 2010 at 14:54
Ehm, it's not a plugin Adam :) It's actually meant for those times when you do not have access to plugins anymore :)
by Adam W. Warner on 21 April, 2010 at 14:58
Well, don't I feel silly! Duh! Sometimes, I need to slow down:)
Thanks for clearing that up for me:)
by Daniel Groves on 21 April, 2010 at 19:33
Awesome! Will achieve a copy of this for when the time comes!
by Travis Quinnelly on 21 April, 2010 at 19:55
Awesome sir. This will come in handy!
Pingback: Emergency WordPress access | emergency.php – Yoast « Open Source Scripts
Pingback: How To Generate MLM Leads With The Facebook Share Button - Tvi-Vacations.com
by hakre on 22 April, 2010 at 09:24
In support I have a similar tool: It comes with auto-configuration by looking up needed values from the configuration file, creates a new admin-user on a click and then offers to automatically log you in on a second click. WordPress Backend openes in a new tab and voila!
As a security measurement, it will automatically locks itself down, so an attacker can not open the file after the support personnel requested it. Next to this is has a self-delete button as well, so you can clean up afterwards.
It works well in those cases where you have FTP access but the customer did not tell you about the backend password.
Needs PHP 5 and works with PHP 2.8 and above I think (those versions which do use PHPASS not MD5 as hashing algo in the database). Let me know if this sounds interesting, I think I can put this online, it's licensed under AGPL.
by Joost de Valk on 22 April, 2010 at 09:28
sounds very cool, please share!
by hakre on 23 April, 2010 at 02:09
ToolPress WP Access All Areas
wpaaa.php
Gain admin access to a wordpress installation web-based, quickly and with ease.
File : http://toolpress.de/wpaaa.php
Download : http://toolpress.de/wpaaa.php?c=file/download/wpaaa.php (see footer)
Licensed under AGPL, has build in source-code viewer and file browser:
Viewer: http://toolpress.de/wpaaa.php?c=file/source/wpaaa.php
Browser: http://toolpress.de/wpaaa.php?c=file/browse
Requirements:
PHP 5 . something
Usage:
- Copy into a wordpress installation directory.
- Request wpaaa.php with a browser.
- Click Buttons.
Limitations:
Process that is executing the file needs to have write rights to the file. This is for creating a secret lockdown session code on the fly that is stored inside the file.
You can do this manually before uploading the file by adding it at (after the comment in there) the end of file:
/* X-LOCKDOWN: your-secret-lockdown-code */
Then request the file including your (urlencoded if needed) secret code:
wpaaa.php?ld=your-secret-lockdown-code
The lockdown session protects the file from being accessed from third parties, e.g. when a supporter forgets the file on a customers server.
by Malik on 23 April, 2010 at 11:48
Making any thing in hurry is not good and makes certain problems for others but your approach seems quiet beneficial and applicable...
by Jen on 25 April, 2010 at 10:24
great stuff Joost
by James Morrison on 25 April, 2010 at 14:10
Awesome idea / script! I've tried adding a new user but can't select a user role (drop down list is blank) and user has no role in wp-admin.
Am I missing something??
Cheers Joost
by Joost de Valk on 26 April, 2010 at 11:21
Which version of WP? Where did you place the file?
by James Morrison on 26 April, 2010 at 11:22
WP 2.9.2 / Put the file in the root of the WP directory.
I did rename the file to wp-emergency.php but I guess that shouldn't make a difference?
Thanks
Pingback: Emergency WordPress access | WPLover
by Ashfame on 26 April, 2010 at 09:00
Couldn't it have been easier if you would have load WordPress environment and then used WordPress functions only?
by Joost de Valk on 26 April, 2010 at 11:20
This uses mostly the WordPress internal functions where possible, so in effect it does do that, and yes it loads parts of WordPress.
by Ashfame on 26 April, 2010 at 11:49
Now I will take a look :)
by @pjhanse on 26 April, 2010 at 10:27
Nicely done! Thank you :)
Pingback: Cómo recuperar la contraseña de tu blog por ftp
by Valerie on 26 April, 2010 at 16:16
Thanks for a handy script. I've run into similar situations and this is much easier than diddling around in the DB.
by Janice on 27 April, 2010 at 12:39
Does this open the site up to being hacked?
by Joost de Valk on 27 April, 2010 at 15:10
Nope, that's why the database password is asked, only someone with ftp access could have access to that.
by hakre on 2 May, 2010 at 07:50
For the wpaaa.php (wordpress access all areas) I have some other approach then Yoast. The first person who requests the file gains access. This is normally the person who just uploaded the file to gain access to the Blog. Everybody else then will only get a 401 - gone message. I named this a lockdown mechanism. It's very handy because you do not need to lookup any passwords while doing a secure approach. Perfect for a quick support job.
So wpaaa won't leave the Blog open to attacks while giving the uploader full control. In case this mechanism does not work, wpaaa automatically blocks it's usage.
Next to that, the script does not link external resources like images, so it works in closed environments as well. Maybe I should write a better review of it... .
by Mike Devarenne on 27 April, 2010 at 18:56
I used this script on a site for a new client. Worked perfectly! (Then I deleted the file from the server -- just to be safe.)
Thank you Joost for all you do for the WordPress community!
Pingback: Acces de urgență la blogul tău WordPress | WP Tuts
by Mike on 29 April, 2010 at 13:57
Thanks for this scripts. I was known to go into MYSQL database via phpmyadmin (Plesk in my case) and change the encrypted password and keep copy of the old password. Once work done, change old password in database itself...
Pingback: Emergency WordPress access | emergency.php – Yoast | Source code bank
by Ramon Fincken on 30 April, 2010 at 14:19
Well this is definitely many times better then the method I always use:
Go to the database (phpmyadmin) change the email of the user to your own email, hit the forgot password option and you're in. ( Change the email back to client and mail him the new PW :) )
Thanks Joost!
by Caleb Stauffer on 30 April, 2010 at 22:40
I am using WP 2.9.2 and have tested this script on two of them, and it does not work for either of them. it appears to break after loading wp-blog-header.php, but then seems to break while trying to load wp-admin/includes/template.php. all the required files do exist. any idea as to the problem or solution for this?
by Joost de Valk on 30 April, 2010 at 22:42
"breaks"? What kind of error message are you getting? (define WP_DEBUG as true in wp-config.php to get proper error messages)
by Caleb Stauffer on 30 April, 2010 at 22:42
this appears to be the generated error.
Cannot redeclare cat_rows() (previously declared in /home/xxxxx/public_html/xxxxxx-com/wp-admin/includes/template.php:23)
by Joost de Valk on 30 April, 2010 at 22:43
hmm, does that change if you change require into require_once in the top of the file?
by Caleb Stauffer on 30 April, 2010 at 22:45
ok that worked. thanks joost! great script!
by WordPress Girl on 4 May, 2010 at 05:42
Your product just saved me from having a site stolen! Fantastic and took 3 minutes to use.
Pingback: Bookmarks der Woche – Google, SEO-Tools, SEO-Verträge, Twitter und Wordpress - Webworker Blog - Social Media - Online-Marketing - Suchmaschinenoptimierung
by Bonnie Boots on 6 May, 2010 at 21:29
This will save me time on client sites. Thanks so much for sharing this useful script!
by Rick @ Resell Rights Ebook Store on 7 May, 2010 at 13:34
Excellent script. Just what I was looking for. Great work.
by Caleb Stauffer on 11 May, 2010 at 20:02
I just experienced what James Morrison did, about the roles dropdown not being filled. If I edit a pre-existing user, the dropdown is filled with the proper roles, but if I attempt to add a user, it is blank. I looked up the functions being used, and cannot find a reason for it to not work.
by Caleb Stauffer on 14 May, 2010 at 20:18
any ideas joost?
by Joost de Valk on 14 May, 2010 at 20:23
Not yet... Will try and replicate later :)
Pingback: WPAAA.PHP – WordPress Access All Areas | hakre on wordpress
by hakre on 13 May, 2010 at 00:11
Finally (as promised) I was able to put up a post regarding WP Access All Areas. -> http://hakre.wordpress.com/2010/05/11/wpaaa-php-wordpress-access-all-areas/
It contains a full review and screenshots.
by Joost de Valk on 13 May, 2010 at 07:42
Seen, read and appreciated. Very cool stuff!