Last updated December 5th, 2023 22:51
Creating a WordPress user typically happens in two ways. The first is the classic method through the administration interface, and the second, for more experienced users, involves working directly in the database. However, let’s explore a third method that allows you to create a WordPress user very conveniently. In this article, we’ll demonstrate how to create a WordPress admin user using a script and FTP. The principle is simple: we’ll create a PHP file that we’ll easily upload to the website’s FTP. Subsequently, we’ll call it in a browser, and the magic will happen.
The script will generate a user with administrative privileges, show you their password, and then, like in an action movie, delete itself from the FTP. Let’s get into it.
How to Create a WordPress Admin User Using a Script and FTP
What will you need? Not much, just a simple text editor and FTP access to the website. In this specific case, it doesn’t matter whether you access the FTP through an FTP client or via a webFTP service provided by the web host.
The following script performs these actions:
- creates a new WordPress user with the username ‘wpuser’
- assigns administrator rights to this user
- shows you the password generated for this user
- deletes itself from the FTP to erase traces
What’s the purpose of such a script? For instance, in a situation where you’ve forgotten a password, the user’s contact email isn’t functional, and you’re unable to work with the database. The second possibility could arise when you only have FTP access and want to get into WordPress without knowing the access credentials. Certainly, this could be done differently. Via FTP, you’d find the database access, log into phpMyAdmin, and change the hash. However, this method is a bit easier and faster without altering the original website administrator’s password.
Script for creating a user using FTP:
<?php
// ADD NEW ADMIN USER TO WORDPRESS
// ----------------------------------
// Put this file in your WordPress root directory and run it from your browser.
// Delete it when you're done.
require_once('wp-blog-header.php');
require_once('wp-includes/registration.php');
function generateStrongPassword($length = 15, $add_dashes = false, $available_sets = 'luds') {
$sets = array();
if(strpos($available_sets, 'l') !== false)
$sets[] = 'abcdefghjkmnpqrstuvwxyz';
if(strpos($available_sets, 'u') !== false)
$sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
if(strpos($available_sets, 'd') !== false)
$sets[] = '23456789';
if(strpos($available_sets, 's') !== false)
$sets[] = '!@#$%&*?';
$all = '';
$password = '';
foreach($sets as $set) {
$password .= $set[tweak_array_rand(str_split($set))];
$all .= $set;
}
$all = str_split($all);
for($i = 0; $i < $length - count($sets); $i++)
$password .= $all[tweak_array_rand($all)];
$password = str_shuffle($password);
if(!$add_dashes)
return $password;
$dash_len = floor(sqrt($length));
$dash_str = '';
while(strlen($password) > $dash_len) {
$dash_str .= substr($password, 0, $dash_len) . '-';
$password = substr($password, $dash_len);
}
$dash_str .= $password;
return $dash_str;
}
$form = "<form action='' method='POST' style='margin: 20px 0 10px 0;'><button type='submit' name='removefile'>Smazat soubor</button></form>";
// Take a array and get random index, same function of array_rand, only diference is
// intent use secure random algoritn on fail use mersene twistter, and on fail use default array_rand
function tweak_array_rand($array){
if (function_exists('random_int')) {
return random_int(0, count($array) - 1);
} elseif(function_exists('mt_rand')) {
return mt_rand(0, count($array) - 1);
} else {
return array_rand($array);
}
}
echo "<div class='wpuser'>";
// ----------------------------------------------------
// CONFIG VARIABLES
// Make sure that you set these before running the file.
$newusername = 'wpuser';
$newpassword = generateStrongPassword(24);
$newemail = 'adresa@domena.koncovka';
// ----------------------------------------------------
// This is just a security precaution, to make sure the above "Config Variables"
// have been changed from their default values.
if ( $newpassword != 'YOURPASSWORD' && $newemail != 'YOUREMAIL@TEST.com' && $newusername !='YOURUSERNAME' ) {
// Check that user doesn't already exist
if ( !username_exists($newusername) && !email_exists($newemail) )
{
// Create user and set role to administrator
$user_id = wp_create_user( $newusername, $newpassword, $newemail);
if ( is_int($user_id) )
{
$wp_user_object = new WP_User($user_id);
$wp_user_object->set_role('administrator');
if(is_multisite()) {
grant_super_admin($user_id);
$sites = get_sites();
$user_info = [
"capabilities" => get_user_meta($user_id, "wp_capabilities", true),
"user_level" => get_user_meta($user_id, "wp_user_level", true)
];
foreach($sites as $site) {
update_user_meta($user_id, "wp_" . $site->blog_id . "_capabilities", $user_info['capabilities']);
update_user_meta($user_id, "wp_" . $site->blog_id . "_user_level", $user_info['user_level']);
}
}
echo '<p style="color: #428b42">Účet wpuser byl úspěšně vytvořen.</p><br>';
echo "Uživatelské jméno<br><span class='user-select-all'>" . $newusername . "</span><br>E-mailová adresa<span class='user-select-all'>" . $newemail . "</span><br>";
echo "Heslo<strong class='user-select-all'>" . $newpassword . "</strong>";
echo "<span style='font-weight:bold;color:#FF0000;margin-top:20px;'>Aktuální soubor byl smazán.</span>";
unlink(__FILE__);
}
else {
echo 'Během vytváření uživatele wpuser došlo k chybě.';
echo $form;
}
} else {
echo 'Administrátorský účet wpuser již existuje!';
echo $form;
}
}
else {
echo 'Vypadá to, že nebylo vyplněno heslo, uživatelské jméno nebo e-mail. Zkuste to znovu.';
echo $form;
}
if(isset($_POST['removefile'])) {
unlink(__FILE__);
echo "<span style='font-weight:bold;color:#FF0000'>Aktuální soubor byl smazán.</span>";
}
echo "</div>";
What should I do with the script?
First, create a new text document. Copy the PHP code provided above into it. Save the text file and name it user.php. Notice that you’ve changed the file extension from .txt to .php in the filename. That’s fine. Upload this file to the same folder on FTP where you have WordPress installed. Then, execute the file. Type the file’s URL into your browser. In this case, it will be your-domain.extension/user.php.
The script will run, create a user with admin privileges in WordPress, show you the access details, and then delete itself. Now you can use these credentials to log in.
How to create a WordPress admin user using a script and FTP
Conclusion
Use the script judiciously. Its primary function isn’t to infiltrate someone’s editorial system without their knowledge. Essentially, it serves as an emergency system for forgotten passwords, providing an alternative solution.
The website is created with care for the included information. I strive to provide high-quality and useful content that helps or inspires others. If you are satisfied with my work and would like to support me, you can do so through simple options.
Subscribe to the Newsletter
Stay informed! Join our newsletter subscription and be the first to receive the latest information directly to your email inbox. Follow updates, exclusive events, and inspiring content, all delivered straight to your email.
