Skip to content

Instantly share code, notes, and snippets.

@milanchymcak

milanchymcak/hack-wordpress-admin-without-password.md

Last active September 14, 2022 15:56
Show Gist options
  • Save milanchymcak/5f5bd216ff6e30b5adac9a50abb04bce to your computer and use it in GitHub Desktop.
Save milanchymcak/5f5bd216ff6e30b5adac9a50abb04bce to your computer and use it in GitHub Desktop.
Download ZIP
"Hack" into WordPress admin area without password
Raw
hack-wordpress-admin-without-password.md

Regain access to WordPress installation without password or even username

Create a file anywhere in your WordPress installation and access the file directly through your browser. You will be redirected to the WP admin area without even having a password or username.

Please, delete the following lines from your production site after usage. Your website can be easily hacked or exploited with the following script.

/** Set up WordPress environment */
if(!defined('ABSPATH')) require_once($_SERVER['DOCUMENT_ROOT'] . '/wp-load.php');

/** Call global $wpdb object, which provides access to the WordPress database */
global $wpdb;

/** Get all users from 'wp_users' */
$wp_users = $wpdb->get_results("SELECT ID FROM $wpdb->users");
foreach($wp_users as $wp_user) {

    /** 
     * Skip all non-administrators users
     * Can switch to 'editor', 'author', 'contributor' or 'subscriber'
     */
    if(!user_can($wp_user->ID, 'administrator')) continue;

    /** 
     * Information from WP_User Object 
     * Must have user_login in order to continue
     */
    $wp_user_info = get_userdata($wp_user->ID);
    if(!isset($wp_user_info->user_login)) continue;

    /** 
     * Set current (found) user
     * Set authentication cookie aswell
     */
    wp_set_current_user($wp_user->ID, $wp_user_info->user_login);
    wp_set_auth_cookie($wp_user->ID);
    do_action('wp_login', $wp_user_info->user_login);

    /** 
     * Redirect to the WP Admin Area 
     * 
     * Trying to retrieve the url of the admin area with get_admin_url();
     * @link https://developer.wordpress.org/reference/functions/get_admin_url/
     */
    if(function_exists('get_admin_url')) wp_redirect(get_admin_url()) && die('Logged as ' . $wp_user_info->user_login);

    /** 
     * Trying to retrieve the url of the admin area with get_bloginfo('wpurl');
     * Output of get_option('siteurl') is (and should be) the same as get_bloginfo('wpurl')
     * @link https://developer.wordpress.org/reference/functions/get_admin_url/
     */
    if(get_option('siteurl')) wp_redirect(get_bloginfo('wpurl') . '/wp-admin') && die('Logged as ' . $wp_user_info->user_login);

    /** 
     * If above methods fails, trz with simple redirect through $_SERVER
     * Some $_SERVER variables aren't accessible from command line
     */
    if(isset($_SERVER) && isset($_SERVER['HTTP_HOST'])) wp_redirect('https://' . $_SERVER['HTTP_HOST'] . '/wp-admin/') && die('Logged as ' . $wp_user_info->user_login);

    /** 
     * Fallback if we can't redirect to the WP Admin area
     */
    die('Logged as ' . $wp_user_info->user_login . '. Please continue in /wp-admin/ area.');
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment