Emergency WordPress access

April 21st, 2010 – 50 Comments

If you do a lot of WordPress development work, you’re bound to receive WordPress database sometimes that you don’t have an admin account for. We usually test, if possible, on a database the client provides us with. We used to have to go into the database and change an existing user, or add a new one by hand, and well, that wasn’t too optimal.

Quite a while ago I came across a script (mentioned before in a WordPress Scripts post) called emergency.php that partly solved this issue for us, but it was not really what we’d call the answer to all our problems. It sent out an email to the admin saying the password for the admin was changed, something we actually didn’t want to happen, because we couldn’t change the email in the same script. It also didn’t allow us to add a new user, and didn’t have any security restrictions, so leaving it out in the open was quite a horrific experience.

This morning, when I ran into this issue for the gazillionth time, I decided it was time to fix it. So I built a new user manager script, still dubbed emergency.php because basically that’s when you use it. It looks like this:

As you can see it asks for the database password. If you have FTP access, that’s easy enough to come by, but it prevents other people from messing up your site when you accidentally leave the file online. Once you’ve selected a user or chosen to add a new one, and you’ve entered the correct database password, you’ll get a screen like this:

Click for larger version

Clicking “Add user” will add the user to the database, or, if you’re editing an existing user, update it in the database. Easy does it! You can download the file here, enjoy!

Update June 29th 2010: We’ve patched several issues within the file, fixing the empty roles dropdown, not being able to include the required files and some notices. Download the latest version here, links above have been updated too.

50 Responses to Emergency WordPress access

  1. hakre
    By hakre on 13 May, 2010

    Finally (as promised) I was able to put up a post regarding WP Access All Areas. -> http://hakre.wordpress.com/2010/05/11/wpaaa-php-wordpress-access-all-areas/

    It contains a full review and screenshots.

    • Joost de Valk
      By Joost de Valk on 13 May, 2010

      Seen, read and appreciated. Very cool stuff!

  2. Caleb Stauffer
    By Caleb Stauffer on 11 May, 2010

    I just experienced what James Morrison did, about the roles dropdown not being filled. If I edit a pre-existing user, the dropdown is filled with the proper roles, but if I attempt to add a user, it is blank. I looked up the functions being used, and cannot find a reason for it to not work.

  3. Rick @ Resell Rights Ebook Store

    Excellent script. Just what I was looking for. Great work.

  4. Bonnie Boots
    By Bonnie Boots on 6 May, 2010

    This will save me time on client sites. Thanks so much for sharing this useful script!

  5. WordPress Girl
    By WordPress Girl on 4 May, 2010

    Your product just saved me from having a site stolen! Fantastic and took 3 minutes to use.

  6. Caleb Stauffer
    By Caleb Stauffer on 30 April, 2010

    I am using WP 2.9.2 and have tested this script on two of them, and it does not work for either of them. it appears to break after loading wp-blog-header.php, but then seems to break while trying to load wp-admin/includes/template.php. all the required files do exist. any idea as to the problem or solution for this?

    • Joost de Valk
      By Joost de Valk on 30 April, 2010

      “breaks”? What kind of error message are you getting? (define WP_DEBUG as true in wp-config.php to get proper error messages)

      • Caleb Stauffer
        By Caleb Stauffer on 30 April, 2010

        this appears to be the generated error.

        Cannot redeclare cat_rows() (previously declared in /home/xxxxx/public_html/xxxxxx-com/wp-admin/includes/template.php:23)

        • Joost de Valk
          By Joost de Valk on 30 April, 2010

          hmm, does that change if you change require into require_once in the top of the file?

          • Caleb Stauffer
            By Caleb Stauffer on 30 April, 2010

            ok that worked. thanks joost! great script!

  7. Ramon Fincken
    By Ramon Fincken on 30 April, 2010

    Well this is definitely many times better then the method I always use:
    Go to the database (phpmyadmin) change the email of the user to your own email, hit the forgot password option and you’re in. ( Change the email back to client and mail him the new PW :) )

    Thanks Joost!

  8. Mike
    By Mike on 29 April, 2010

    Thanks for this scripts. I was known to go into MYSQL database via phpmyadmin (Plesk in my case) and change the encrypted password and keep copy of the old password. Once work done, change old password in database itself…

  9. Mike Devarenne
    By Mike Devarenne on 27 April, 2010

    I used this script on a site for a new client. Worked perfectly! (Then I deleted the file from the server — just to be safe.)

    Thank you Joost for all you do for the WordPress community!

  10. Janice
    By Janice on 27 April, 2010

    Does this open the site up to being hacked?

    • hakre
      By hakre on 2 May, 2010

      For the wpaaa.php (wordpress access all areas) I have some other approach then Yoast. The first person who requests the file gains access. This is normally the person who just uploaded the file to gain access to the Blog. Everybody else then will only get a 401 – gone message. I named this a lockdown mechanism. It’s very handy because you do not need to lookup any passwords while doing a secure approach. Perfect for a quick support job.

      So wpaaa won’t leave the Blog open to attacks while giving the uploader full control. In case this mechanism does not work, wpaaa automatically blocks it’s usage.

      Next to that, the script does not link external resources like images, so it works in closed environments as well. Maybe I should write a better review of it… .

    • Joost de Valk
      By Joost de Valk on 27 April, 2010

      Nope, that’s why the database password is asked, only someone with ftp access could have access to that.

  11. Valerie
    By Valerie on 26 April, 2010

    Thanks for a handy script. I’ve run into similar situations and this is much easier than diddling around in the DB.

  12. @pjhanse
    By @pjhanse on 26 April, 2010

    Nicely done! Thank you :)

  13. Ashfame
    By Ashfame on 26 April, 2010

    Couldn’t it have been easier if you would have load WordPress environment and then used WordPress functions only?

    • Joost de Valk
      By Joost de Valk on 26 April, 2010

      This uses mostly the WordPress internal functions where possible, so in effect it does do that, and yes it loads parts of WordPress.

      • Ashfame
        By Ashfame on 26 April, 2010

        Now I will take a look :)

  14. James Morrison
    By James Morrison on 25 April, 2010

    Awesome idea / script! I’ve tried adding a new user but can’t select a user role (drop down list is blank) and user has no role in wp-admin.

    Am I missing something??

    Cheers Joost

    • James Morrison
      By James Morrison on 26 April, 2010

      WP 2.9.2 / Put the file in the root of the WP directory.

      I did rename the file to wp-emergency.php but I guess that shouldn’t make a difference?


    • Joost de Valk
      By Joost de Valk on 26 April, 2010

      Which version of WP? Where did you place the file?

  15. Jen
    By Jen on 25 April, 2010

    great stuff Joost

  16. Malik
    By Malik on 23 April, 2010

    Making any thing in hurry is not good and makes certain problems for others but your approach seems quiet beneficial and applicable…

  17. hakre
    By hakre on 22 April, 2010

    In support I have a similar tool: It comes with auto-configuration by looking up needed values from the configuration file, creates a new admin-user on a click and then offers to automatically log you in on a second click. WordPress Backend openes in a new tab and voila!

    As a security measurement, it will automatically locks itself down, so an attacker can not open the file after the support personnel requested it. Next to this is has a self-delete button as well, so you can clean up afterwards.

    It works well in those cases where you have FTP access but the customer did not tell you about the backend password.

    Needs PHP 5 and works with PHP 2.8 and above I think (those versions which do use PHPASS not MD5 as hashing algo in the database). Let me know if this sounds interesting, I think I can put this online, it’s licensed under AGPL.

    • Joost de Valk
      By Joost de Valk on 22 April, 2010

      sounds very cool, please share!

      • hakre
        By hakre on 23 April, 2010

        ToolPress WP Access All Areas

        Gain admin access to a wordpress installation web-based, quickly and with ease.

        File : http://toolpress.de/wpaaa.php
        Download : http://toolpress.de/wpaaa.php?c=file/download/wpaaa.php (see footer)

        Licensed under AGPL, has build in source-code viewer and file browser:

        Viewer: http://toolpress.de/wpaaa.php?c=file/source/wpaaa.php
        Browser: http://toolpress.de/wpaaa.php?c=file/browse

        PHP 5 . something

        – Copy into a wordpress installation directory.
        – Request wpaaa.php with a browser.
        – Click Buttons.

        Process that is executing the file needs to have write rights to the file. This is for creating a secret lockdown session code on the fly that is stored inside the file.
        You can do this manually before uploading the file by adding it at (after the comment in there) the end of file:

        /* X-LOCKDOWN: your-secret-lockdown-code */

        Then request the file including your (urlencoded if needed) secret code:


        The lockdown session protects the file from being accessed from third parties, e.g. when a supporter forgets the file on a customers server.

  18. Travis Quinnelly
    By Travis Quinnelly on 21 April, 2010

    Awesome sir. This will come in handy!

  19. Daniel Groves
    By Daniel Groves on 21 April, 2010

    Awesome! Will achieve a copy of this for when the time comes!

  20. Adam W. Warner
    By Adam W. Warner on 21 April, 2010

    Uploading the .zip through the plugins “Add New” menu returns “This plugin does not have a valid

    • Joost de Valk
      By Joost de Valk on 21 April, 2010

      Ehm, it’s not a plugin Adam :) It’s actually meant for those times when you do not have access to plugins anymore :)

      • Adam W. Warner
        By Adam W. Warner on 21 April, 2010

        Well, don’t I feel silly! Duh! Sometimes, I need to slow down:)

        Thanks for clearing that up for me:)

  21. Leon
    By Leon on 21 April, 2010

    Thanks for this but had to figure out where to upload it to myself!?

    • Joost de Valk
      By Joost de Valk on 21 April, 2010

      Into the wordpress root directory, should have stated that I guess :)

  22. Andy Symonds
    By Andy Symonds on 21 April, 2010

    This looks really handy Joost. I have got clients in the past to install the PHP MyAdmin WordPress plugin but this will be much easier. Top work as usual!

  23. Rafie
    By Rafie on 21 April, 2010

    Such a brilliant solutions. Thumbs up!

    If you could add CAPTCHA on the User Manager page, that would be awesome as it might prevent some nasty things to try the database password several times. Possible?

Check out our must read articles about Analytics