Pixelbart

Create and log in a WordPress administrator with FTP

Create and log in a WordPress administrator with FTP

Kevin Pliester's photo
Kevin Pliester
·

4 min read

Table of contents

When there are problems with one's WordPress website, it happens that one has to create a user without having access to the database or the WordPress admin. Then it is useful to be able to create or log in a user using FTP. So here you will learn how to use a Must Use Plugin to create and log in an administrator for WordPress.

Create Must Use Plugin

A Must Use plugin is always loaded before all other plugins, and it does not need to be activated like other plugins. Once created, WordPress automatically uses it. In addition, a Must Use Plugin is not visible in the WordPress admin without any effort.

To create a Must Use Plugin, we first need the folder mu-plugins inside wp-content. The path should look like this: /wp-content/mu-plugins/

Then we create a PHP file there. The name doesn't matter at all, and there doesn't have to be anything else in the file. Unlike normal plugins, no plugin header is necessary. As soon as the PHP file is there in the folder, it will be loaded by WordPress, so you can really write anything into the file.

In our example, the file is now called insert-admin.php, and we put it in the directory /wp-content/mu-plugins/.

# /wp-content/mu-plugins/insert-admin.php

Create a WordPress administrator

Creating a user with PHP is not complicated because we use the function wp_insert_user. Because our Must Use Plugin is loaded automatically, the wp_insert_user is always executed. Since we like to work with hooks, we use our favorite hook, namely template_redirect. This hook is executed every time the pages reloaded and is super for executing redirects, which is something we want to do in the end. We wish to redirect our created user to the admin area.

# /wp-content/mu-plugins/insert-admin.php

// Every time the page reloads,
// our script should be executed
add_action('template_redirect', function () {

    // Only if we enter domain.de?insert_admin,
    // our script will be executed
    if (!isset($_GET['insert_admin')) {
        return;
    }

    $data = [
        'user_login' => 'new_admin', // login name
        'user_email' => 'admin(at)hashnode.com', // email
        'user_pass' => '123456', // clear text password
        'role' => 'administrator', // role
    ];

    // This checks if the user
    // already exists
    $user = get_user_by('email', $data['user_email']);

    if (!$user) {
        $user_id = wp_insert_user($data);

        if ($user_id) {
            // Will be executed as soon as the user
            // has been created.
        }

        // We stop the script here,
        // so that everything after that is not
        // will be executed
        return;
    }

    // If the user already exists,
    // we put the ID into a variable.
    $user_id = $user->ID;
});

If we now call the URL domain.de?insert_admin, then a user is created, if not existing. So, the user new_admin with the email admin(at)hashnode.com is now created.

Log in user with PHP

We can now theoretically switch to the WordPress admin and log in normally with the credentials we have set. But we could also write a script that logs us in automatically.

# /wp-content/mu-plugins/insert-admin.php

/**
 * Herewith we register the user and redirect to the
 * WordPress admin. We only need here
 * the user ID.
 * 
 * @param int $user_id ID of the user.
 */
function pxbt_login_user(int $user_id)
{
    wp_clear_auth_cookie();
    wp_set_current_user($user_id);
    wp_set_auth_cookie($user_id);
    wp_safe_redirect(user_admin_url());
    exit();
}

Now we can log in any user, if we have the ID. For this, we then do the following: pxbt_login_user(1234); we are redirected to the admin area, as a logged-in user with the ID 1234. We now add this to our script above so that everything happens at the same time.

Full example

# /wp-content/mu-plugins/insert-admin.php

// Every time the page reloads,
// our script should be executed
add_action('template_redirect', function () {

    if (!isset($_GET['insert_admin')) {
        return;
    }

    $data = [
        'user_login' => 'new_admin',
        'user_email' => 'admin(at)hashnode.com',
        'user_pass' => '123456',
        'role' => 'administrator'
    ];

    $user = get_user_by('email', $data['user_email']);

    if (!$user) {
        $user_id = wp_insert_user($data);

        if ($user_id) {
            // login $user_id
            pxbt_login_user($user_id); # <-- NEW
        }

        return;
    }

    $user_id = $user->ID;

    // login $user_id
    pxbt_login_user($user_id); # <-- NEW
});

If we now call the domain.de?insert_admin, not only the user will be created, but directly logged in. You must delete the plugin as soon as you don't need it anymore. Or you better secure it, so that not everyone can create and log in a user with admin rights.

Did you find this article valuable?

Support Kevin Pliester by becoming a sponsor. Any amount is appreciated!

WordPressPHPftp