Create WordPress Admin User via PHP (FTP Access Only)

Introduction

I had an agency come to me asking if I could get access to a site’s WordPress admin. All they had were a bunch of logins, none of which were for WordPress or the hosting provider’s control panel.

They were all SCP/ssh related and SSH was not open at all. However, FTP was open! I found the hosting provider used cPanel but blocked direct access via domain.com/cpanel. I assumed they proxy cPanel through their own Control Panel. Reading their documentation I found the naming scheme for FTP accounts. Tried some combinations and got in!

The next step was to get a WordPress user created via PHP. So I googled a bit and found this code snippet on WP Scholar – https://wpscholar.com/blog/add-wordpress-admin-user-via-php

I’ve also provided it here just incase the Github source disappears.

<?php

add_action( 'init', function () {
  
	$username = 'admin';
	$password = 'password';
	$email_address = 'webmaster@mydomain.com';

	if ( ! username_exists( $username ) ) {
		$user_id = wp_create_user( $username, $password, $email_address );
		$user = new WP_User( $user_id );
		$user->set_role( 'administrator' );
	}
	
} );

Change the username, password and email_address variables above and then upload this file into the directory “wp-content/mu-plugins”. When you visit the admin login page, it will run the code and genereate your new user.

You now have access to the WordPress site again! The agency just needed this login to move the site to new hosting, so it worked out well!