If you do a lot of WordPress development work, you're bound to receive WordPress database sometimes that you don't have an admin account for. We at OrangeValley at least, do have that issue. We usually test, if possible, on a database the client provides us with. We used to have to go into the database and change an existing user, or add a new one by hand, and well, that wasn't too optimal.
Quite a while ago I came across a script (mentioned before in a WordPress Scripts post) called emergency.php that partly solved this issue for us, but it was not really what we'd call the answer to all our problems. It sent out an email to the admin saying the password for the admin was changed, something we actually didn't want to happen, because we couldn't change the email in the same script. It also didn't allow us to add a new user, and didn't have any security restrictions, so leaving it out in the open was quite a horrific experience.
This morning, when I ran into this issue for the gazillionth time, I decided it was time to fix it. So I built a new user manager script, still dubbed emergency.php because basically that's when you use it. It looks like this:
As you can see it asks for the database password. If you have FTP access, that's easy enough to come by, but it prevents other people from messing up your site when you accidentally leave the file online. Once you've selected a user or chosen to add a new one, and you've entered the correct database password, you'll get a screen like this:
Click for larger version
Clicking "Add user" will add the user to the database, or, if you're editing an existing user, update it in the database. Easy does it! You can download the file here, enjoy!
Update June 29th 2010: We've patched several issues within the file, fixing the empty roles dropdown, not being able to include the required files and some notices. Download the latest version here, links above have been updated too.
Such a brilliant solutions. Thumbs up!
Suggestion:
If you could add CAPTCHA on the User Manager page, that would be awesome as it might prevent some nasty things to try the database password several times. Possible?
This looks really handy Joost. I have got clients in the past to install the PHP MyAdmin WordPress plugin but this will be much easier. Top work as usual!
Thanks for this but had to figure out where to upload it to myself!?
Into the wordpress root directory, should have stated that I guess :)
Uploading the .zip through the plugins "Add New" menu returns "This plugin does not have a valid
header."
Ehm, it's not a plugin Adam :) It's actually meant for those times when you do not have access to plugins anymore :)
Well, don't I feel silly! Duh! Sometimes, I need to slow down:)
Thanks for clearing that up for me:)
Awesome! Will achieve a copy of this for when the time comes!
Awesome sir. This will come in handy!
In support I have a similar tool: It comes with auto-configuration by looking up needed values from the configuration file, creates a new admin-user on a click and then offers to automatically log you in on a second click. WordPress Backend openes in a new tab and voila!
As a security measurement, it will automatically locks itself down, so an attacker can not open the file after the support personnel requested it. Next to this is has a self-delete button as well, so you can clean up afterwards.
It works well in those cases where you have FTP access but the customer did not tell you about the backend password.
Needs PHP 5 and works with PHP 2.8 and above I think (those versions which do use PHPASS not MD5 as hashing algo in the database). Let me know if this sounds interesting, I think I can put this online, it's licensed under AGPL.
sounds very cool, please share!
ToolPress WP Access All Areas
wpaaa.php
Gain admin access to a wordpress installation web-based, quickly and with ease.
File : http://toolpress.de/wpaaa.php
Download : http://toolpress.de/wpaaa.php?c=file/download/wpaaa.php (see footer)
Licensed under AGPL, has build in source-code viewer and file browser:
Viewer: http://toolpress.de/wpaaa.php?c=file/source/wpaaa.php
Browser: http://toolpress.de/wpaaa.php?c=file/browse
Requirements:
PHP 5 . something
Usage:
- Copy into a wordpress installation directory.
- Request wpaaa.php with a browser.
- Click Buttons.
Limitations:
Process that is executing the file needs to have write rights to the file. This is for creating a secret lockdown session code on the fly that is stored inside the file.
You can do this manually before uploading the file by adding it at (after the comment in there) the end of file:
/* X-LOCKDOWN: your-secret-lockdown-code */
Then request the file including your (urlencoded if needed) secret code:
wpaaa.php?ld=your-secret-lockdown-code
The lockdown session protects the file from being accessed from third parties, e.g. when a supporter forgets the file on a customers server.
Making any thing in hurry is not good and makes certain problems for others but your approach seems quiet beneficial and applicable...
great stuff Joost
Awesome idea / script! I've tried adding a new user but can't select a user role (drop down list is blank) and user has no role in wp-admin.
Am I missing something??
Cheers Joost
Which version of WP? Where did you place the file?
WP 2.9.2 / Put the file in the root of the WP directory.
I did rename the file to wp-emergency.php but I guess that shouldn't make a difference?
Thanks
Couldn't it have been easier if you would have load WordPress environment and then used WordPress functions only?
This uses mostly the WordPress internal functions where possible, so in effect it does do that, and yes it loads parts of WordPress.
Now I will take a look :)
Nicely done! Thank you :)
Thanks for a handy script. I've run into similar situations and this is much easier than diddling around in the DB.
Does this open the site up to being hacked?
Nope, that's why the database password is asked, only someone with ftp access could have access to that.
For the wpaaa.php (wordpress access all areas) I have some other approach then Yoast. The first person who requests the file gains access. This is normally the person who just uploaded the file to gain access to the Blog. Everybody else then will only get a 401 - gone message. I named this a lockdown mechanism. It's very handy because you do not need to lookup any passwords while doing a secure approach. Perfect for a quick support job.
So wpaaa won't leave the Blog open to attacks while giving the uploader full control. In case this mechanism does not work, wpaaa automatically blocks it's usage.
Next to that, the script does not link external resources like images, so it works in closed environments as well. Maybe I should write a better review of it... .
I used this script on a site for a new client. Worked perfectly! (Then I deleted the file from the server -- just to be safe.)
Thank you Joost for all you do for the WordPress community!
Thanks for this scripts. I was known to go into MYSQL database via phpmyadmin (Plesk in my case) and change the encrypted password and keep copy of the old password. Once work done, change old password in database itself...
Well this is definitely many times better then the method I always use:
Go to the database (phpmyadmin) change the email of the user to your own email, hit the forgot password option and you're in. ( Change the email back to client and mail him the new PW :) )
Thanks Joost!
I am using WP 2.9.2 and have tested this script on two of them, and it does not work for either of them. it appears to break after loading wp-blog-header.php, but then seems to break while trying to load wp-admin/includes/template.php. all the required files do exist. any idea as to the problem or solution for this?
"breaks"? What kind of error message are you getting? (define WP_DEBUG as true in wp-config.php to get proper error messages)
this appears to be the generated error.
Cannot redeclare cat_rows() (previously declared in /home/xxxxx/public_html/xxxxxx-com/wp-admin/includes/template.php:23)
hmm, does that change if you change require into require_once in the top of the file?
ok that worked. thanks joost! great script!
Your product just saved me from having a site stolen! Fantastic and took 3 minutes to use.
This will save me time on client sites. Thanks so much for sharing this useful script!
Excellent script. Just what I was looking for. Great work.
I just experienced what James Morrison did, about the roles dropdown not being filled. If I edit a pre-existing user, the dropdown is filled with the proper roles, but if I attempt to add a user, it is blank. I looked up the functions being used, and cannot find a reason for it to not work.
any ideas joost?
Not yet... Will try and replicate later :)
Finally (as promised) I was able to put up a post regarding WP Access All Areas. -> http://hakre.wordpress.com/2010/05/11/wpaaa-php-wordpress-access-all-areas/
It contains a full review and screenshots.
Seen, read and appreciated. Very cool stuff!