
Understanding some of the database structure of WordPress can help you out of some jams. Or maybe make some new ones.

I had a recent situation that may never happen for someone else, but knowing something about the way WordPress stores user account information shortcutted a problem.

The situation is a client who hired me to move their web site, and help create a new design. The first part has taken much longer than expected because the person who managed the site was rather… tightfisted with control. The FTP information provided never worked. The client who the site belonged to did not even have admin access to their own site, so they could not even make me an admin account. But I was provided the login to phpMyAdmin.

And that is all I needed.

The basic thing I was able to do was (a) change the client’s account so it would be full admin; (b) temporarily change the client’s password to one I knew so I could log into the site (I strongly encourage clients not to send me their password); (c) make myself an admin account; and (d) revert the client’s password.

What I did first was log into phpMyAdmin for one of my own web sites; in the wp_users table, I found the encrypted string for my password, and made note of my userid, say 3 (the key that identifies each user, an integer). I then looked in the wp_usermeta table, and found the rows associated with my userid, looking for the values of wp_user_level and wp_capabilities. So I made some notes:

my blog
userid = 3




This lets me know what I need to change in the other blog to make the client’s login an admin. Let’s say the client’s username is “batman”; in their site’s phpMyAdmin, I go to wp_users to find this account. Let’s say the user_id is 4. Make a note of that. I then copy batman’s current password (so I can restore it later), and paste in the string for the password I know (from my own blog).

batman's blog
userid = 4


Boom. I will be able to log in to batman’s account. Let me say that there is another way to generate the encrypted password: I can select “MD5” from the function menu and enter the password I want to use; when it saves, phpMyAdmin will convert that password to the encrypted string.


I then go to the wp_usermeta table in Batman’s blog, and find the data for user_id=4. I note that it has these values



confirming that Batman only has editing privileges to their own blog. I change those values to the ones I copied from my own admin account.

Boom. I can now log in to Batman’s site, and confirm that they are now a full admin. I create a WordPress admin account for myself.

I can then go back to the database, and revert Batman’s password to what it was before.

All’s fair in love and databases.
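Seen from the site owner's side, the same two tables show whether anyone has edited accounts this way. The following is an added example, not code from the original post: it audits wp_users and wp_usermeta for administrators missing from an approved list, for rows where wp_user_level and wp_capabilities disagree, and for a bare MD5 in user_pass. It assumes the default wp_ table prefix; the in-memory SQLite database, the account names other than batman, the hash strings, and the `audit_admins` and `sample_db` helpers are all constructed for illustration.

```python
import re
import sqlite3

# A 32-hex-char value is a bare MD5, as produced by phpMyAdmin's MD5 function.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

def audit_admins(db, approved_admins):
    """Return (user_login, finding) tuples for accounts worth a second look."""
    rows = db.execute("""
        SELECT u.user_login, u.user_pass,
               MAX(CASE WHEN m.meta_key = 'wp_capabilities' THEN m.meta_value END),
               MAX(CASE WHEN m.meta_key = 'wp_user_level'   THEN m.meta_value END)
        FROM wp_users u LEFT JOIN wp_usermeta m ON m.user_id = u.ID
        GROUP BY u.ID ORDER BY u.ID""").fetchall()
    findings = []
    for login, user_pass, caps, level in rows:
        # wp_capabilities is a PHP-serialized array of role names.
        is_admin = '"administrator";b:1' in (caps or "")
        if is_admin and login not in approved_admins:
            findings.append((login, "administrator not on approved list"))
        if (level == "10") != is_admin:
            findings.append((login, "wp_user_level and wp_capabilities disagree"))
        if MD5_HEX.match(user_pass or ""):
            findings.append((login, "user_pass is a bare MD5 hash"))
    return findings

def sample_db():
    """Constructed sample data; a real site would be queried over MySQL."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'siteowner', '$P$BconstructedPlaceholderHash000001'),
          (4, 'batman',    '0123456789abcdef0123456789abcdef'),
          (5, 'helper',    '$P$BconstructedPlaceholderHash000002');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'), (1, 'wp_user_level', '10'),
          (4, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'), (4, 'wp_user_level', '7'),
          (5, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),        (5, 'wp_user_level', '7');
    """)
    return db

if __name__ == "__main__":
    for login, finding in audit_admins(sample_db(), approved_admins={"siteowner"}):
        print(f"{login}: {finding}")
```

A password hash pasted in from another site looks like any other hash, so this check will not catch a temporary swap that was later reverted; comparing user_pass against an earlier database snapshot would.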

This is just the beginning. For advanced level, see if you can understand the way wp_terms, wp_term_taxonomy, and wp_term_relationships work to manage tags and categories. Then tell me (just kidding, I know) (I think).

The post "Backdooring a WordPress User Admin Account" was originally squeezed out of the bottom of an old rusted tube of toothpaste at CogDogBlog on December 29, 2013.
