Discovering that your WordPress site has been hacked and you cannot access the admin panel can be unsettling. It disrupts your ability to manage your website, puts your data at risk, and may cause your visitors to lose trust. Hackers can exploit vulnerabilities in plugins, themes, or outdated core files, which means even a small oversight in maintenance can open the door to an attack.

When you lose access to your admin account, the priority is not only to restore control but also to ensure that the underlying security flaws are addressed. Quick, decisive action can help you limit damage, protect your reputation, and get your website back on track without compromising its long-term safety.


Identify the Nature of the Lockout

Before you start changing settings and restoring files, you need to know exactly what happened. Not all lockouts are the same. Sometimes, the hacker simply changes your password. Other times, they may delete your administrator account entirely, change the registered email address, or insert their own user account with admin rights. A quick way to assess the situation is to try the normal login process and see if you can trigger a password reset email. If no email arrives, it is likely they have changed the address on file. If the system says the account does not exist, your admin profile may have been deleted from the database.

 

In many cases, you will also notice other changes on the site. The homepage may be altered, there might be suspicious pop-ups, or parts of the design may look broken. You may even see evidence of malicious code in your theme or plugin files. These details will tell you how severe the hack is and whether you can proceed with a direct recovery or need to involve your hosting provider immediately.

Regain Access to WordPress Admin

Regaining access to your WordPress admin after a hack is rarely as simple as entering a new password. A determined attacker may have changed your email address, removed your account entirely, or created hidden administrator profiles. That means the recovery process must be tailored to the exact damage that has been done. The steps below take you from the least technical approach to more advanced solutions, so you can try them in order until one works.

Option 1: Resetting Your Password via the WordPress Login Page

This is the first thing you should attempt if your account still exists and the hacker hasn’t changed the email address associated with it. Visit your login page, typically found at yoursite.com/wp-login.php, and click the “Lost your password?” link. This will take you to a reset form where you can enter either your username or the registered email address.

Once you submit the request, WordPress will attempt to send a password reset link to the stored email. If it arrives in your inbox, follow the link and set a new password. Make this new password long, unique, and difficult to guess. Avoid using anything similar to your old password since hackers often try slight variations to regain access.

If no email arrives, double-check your spam or junk folder. Still nothing? That usually means the hacker has altered your account’s email address, disabled your ability to send site emails, or deleted your account entirely. In that case, this method will not work, and you will need to move to a more technical approach.

Option 2: Changing the Admin Password Through phpMyAdmin

If the password reset option fails, the next step is to edit your admin password directly in the database. phpMyAdmin is the tool most hosting providers offer for managing databases, and it gives you direct access to the tables that store your WordPress user accounts.

Start by logging into your hosting control panel and locating the phpMyAdmin tool. Once inside, find the database that your WordPress site uses. If you have multiple databases, you can confirm the correct one by checking the wp-config.php file in your site’s root folder; the database name is listed there under DB_NAME.

Inside the correct database, look for the table called wp_users. Your table prefix might not be “wp_” if you chose a custom one during installation, but the name will always end in _users. Open this table and locate the row containing your admin username. Select the option to edit this row.

You will see a field named user_pass, which stores your password as a hash rather than in plain text. Delete the existing value and enter your new password, but before saving, change the “Function” dropdown next to this field to MD5. This step is essential because it makes phpMyAdmin store a hash of the password instead of the literal text you typed; WordPress accepts an MD5 hash in this field and replaces it with its own stronger hash the first time you log in. After saving your changes, you can return to the login page and enter your updated credentials.

If your account is missing from this table, it means the hacker has deleted it, and you will need to create a new one instead.

Option 3: Creating a New Admin User in phpMyAdmin

When your account has been removed, phpMyAdmin can still help you create a replacement. While still in the wp_users table, click the “Insert” option to create a new row. Fill in the user_login field with your chosen username, user_email with your own email address, and user_pass with your password. Again, be sure to set the password’s function to MD5 before saving.

The ID field needs to be a unique number not already used in the table. For example, if the highest current ID is 4, you can use 5. After saving, you have created a user account, but it doesn’t have admin rights yet.

To grant administrator privileges, open the wp_usermeta table. Click “Insert” and fill in the fields as follows:

  • user_id should be the ID you just assigned to your new user.
  • meta_key should be wp_capabilities (replace “wp_” with your prefix if it is different).
  • meta_value should be: a:1:{s:13:"administrator";b:1;}

Save this, then add another row with:

  • user_id as your new ID again.
  • meta_key as wp_user_level.
  • meta_value as 10.

Once you save both entries, your new account will have full administrator privileges. You can now log in through the normal WordPress login page and begin cleaning up the hack.
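The same three rows can be entered in one pass from phpMyAdmin’s SQL tab. This is an added example, not part of the original guide; it assumes the default “wp_” table prefix, and the username, email address and password shown are placeholders to replace.

```sql
-- Added example: Option 3 expressed as SQL.
-- Assumptions: default "wp_" prefix; login, email and password are placeholders.
-- The transaction keeps a half-created user from being left behind on InnoDB
-- tables (it has no effect on MyISAM tables).
START TRANSACTION;

-- 1. The account itself. ID is omitted so AUTO_INCREMENT picks the next free
--    number, which avoids colliding with an existing ID.
INSERT INTO wp_users
    (user_login, user_pass, user_nicename, user_email,
     user_registered, user_status, display_name)
VALUES
    ('newusername',
     MD5('replace-with-a-long-unique-password'),  -- same as choosing MD5 in the Function dropdown
     'newusername',
     'you@example.com',
     UTC_TIMESTAMP(), 0, 'newusername');

-- 2. Remember the ID that was just assigned.
SET @new_id = LAST_INSERT_ID();

-- 3. The two wp_usermeta rows that grant administrator rights.
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
    (@new_id, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
    (@new_id, 'wp_user_level',   '10');

-- 4. Check the result before committing: expect exactly two rows for the new ID.
SELECT u.ID, u.user_login, u.user_email, m.meta_key, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE u.ID = @new_id
  AND m.meta_key IN ('wp_capabilities', 'wp_user_level');

COMMIT;
```

After the first successful login, change the password from the profile screen so the temporary MD5 hash and the value typed into the query are both retired.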

Option 4: Using the Functions.php Method to Create a New Admin Account

If phpMyAdmin is too intimidating or not available, you can use your theme’s functions.php file to add a new administrator account. Access your site files via your hosting control panel’s file manager or through an FTP client. Navigate to wp-content/themes/your-active-theme/ and open the functions.php file in an editor.

At the very top of the file, directly after the opening <?php tag and before any existing code, insert this snippet:

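function add_admin_account() {
    // Placeholder credentials: replace all three before saving the file.
    $login = 'newusername';
    $pass  = 'newpassword';
    $email = 'you@example.com';
    // Create the account only if neither the username nor the email is already registered.
    if ( ! username_exists( $login ) && ! email_exists( $email ) ) {
        $user_id = wp_create_user( $login, $pass, $email );
        // wp_create_user() returns a WP_Error on failure; only promote a real user ID.
        if ( ! is_wp_error( $user_id ) ) {
            $user = new WP_User( $user_id );
            $user->set_role( 'administrator' );
        }
    }
}
// Runs on every page load until this snippet is removed.
add_action( 'init', 'add_admin_account' );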

Replace the placeholder values with your own secure credentials. Save the file and then visit your website’s homepage. This will trigger the code and create the account. Once you can log in with this new account, immediately return to functions.php and remove the code. Leaving it in place would allow anyone who visits your site to recreate the account, which would be a security risk.

Option 5: Recovering Admin Access Through Your Hosting Provider

If none of these approaches are successful, or if the hacker has disabled database and file access entirely, you will need to contact your hosting provider. Explain the situation and request assistance in restoring admin access. Many managed WordPress hosting services have their own tools for creating admin users or restoring a clean version of your site from backups. They may also help identify the original security flaw so you can prevent future attacks.

If the hack severely damaged your theme or you decide to start fresh, you might want to create a new one tailored to your needs. Building a custom theme not only gives your site a unique look but also ensures you know exactly what code is running, reducing the risk of hidden vulnerabilities. You can follow this detailed guide on how to create a WordPress theme from scratch to design it step by step. Alternatively, if you prefer a faster route, you can explore a variety of free WordPress themes that are clean, responsive, and ready to install, helping you get your site back online quickly with a fresh design.

Remove Malware and Malicious Code

After regaining access to your WordPress admin, your next priority is to make sure the site is free of malicious scripts, hidden backdoors, or altered files left behind by the hacker. This process typically involves scanning your website using a trusted security plugin, checking for unauthorized user accounts, and replacing any modified core, theme, or plugin files with clean versions from their official sources. You should also inspect your database for injected code and remove anything suspicious. Even a single overlooked malicious file can allow the attacker to return, so a thorough cleanup is essential before restoring your site fully.
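One way to check for unauthorized administrator accounts is to query the database directly from phpMyAdmin’s SQL tab, which lists every account regardless of what the dashboard shows. This is an added example, not part of the original guide; it assumes the default “wp_” table prefix, and the 30-day window is an arbitrary choice to adjust to the suspected date of the compromise.

```sql
-- Added example: read-only audit of accounts with administrator rights.
-- Assumption: default "wp_" prefix (table names and the wp_capabilities /
-- wp_user_level meta keys change with a custom prefix).

-- 1. Every account whose role list includes "administrator", newest first.
--    Compare against the accounts you know you created; registered_recently
--    = 1 marks accounts added in the last 30 days.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       (u.user_registered >= UTC_TIMESTAMP() - INTERVAL 30 DAY) AS registered_recently
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- 2. Accounts carrying user level 10 without the administrator role.
--    WordPress keeps the two in step, so a mismatch points to rows that
--    were edited by hand and deserves a manual look.
SELECT u.ID, u.user_login, u.user_email, cap.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS lvl
     ON lvl.user_id = u.ID
    AND lvl.meta_key = 'wp_user_level'
    AND lvl.meta_value = '10'
LEFT JOIN wp_usermeta AS cap
     ON cap.user_id = u.ID
    AND cap.meta_key = 'wp_capabilities'
WHERE cap.meta_value IS NULL
   OR cap.meta_value NOT LIKE '%"administrator"%';

-- 3. Role or level rows that point at a user ID with no wp_users row,
--    left behind when an account was deleted outside WordPress.
SELECT m.umeta_id, m.user_id, m.meta_key, m.meta_value
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u ON u.ID = m.user_id
WHERE m.meta_key IN ('wp_capabilities', 'wp_user_level')
  AND u.ID IS NULL;
```

Delete any account from the first query that you do not recognise through the Users screen, and reset the passwords of the ones you keep.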

For a step-by-step walkthrough of this process, including detailed instructions on scanning, cleaning infected files, and securing your database, refer to our complete guide on How to Remove Malware from a WordPress Website. Following those instructions will ensure you not only remove the visible threats but also address any hidden vulnerabilities that could compromise your site again.

FAQs: Getting Back to Your WordPress Admin After a Hack

What should I do first if I am locked out of my WordPress admin after a hack?
The first step is to confirm whether the issue is caused by a hack or a technical error. Try resetting your password using the “Lost your password?” link. If you do not receive the reset email or your credentials are being rejected, check your hosting control panel or phpMyAdmin to verify if your administrator account still exists. If it has been deleted or modified, you can recreate it directly in the database.

Can I create a new admin account if my original one is gone?
Yes. Through phpMyAdmin, you can add a new user and assign it administrator privileges. This can be done by inserting a new row in the wp_users table and linking it to the wp_usermeta table with the correct capabilities. Once you log in with the new account, you can restore or repair the original one if needed.

What if the hacker changed my WordPress login URL?
Some hacks involve altering the login page address, often through a security plugin or by editing core files. If your normal /wp-admin or /wp-login.php address no longer works, access your site files via FTP or your hosting file manager, disable suspicious plugins, and restore the default login URL.

How can I disable a malicious plugin that is blocking admin access?
If you suspect a plugin is preventing you from logging in, go to your hosting control panel, open the file manager or connect via FTP, and rename the plugin’s folder in /wp-content/plugins/. This forces WordPress to deactivate it, which can restore your access.

What if my WordPress site keeps redirecting to another page before login?
Hacks sometimes add redirect rules in .htaccess or inject code in theme files to send you to a fake login page. To fix this, check the .htaccess file in your root directory for unfamiliar rules and replace it with a default WordPress version. Also review your theme’s functions.php file for any unexpected redirect code.

Can restoring a backup fix admin access issues?
Yes, if you have a backup from before the hack, restoring it can bring back your admin access along with a clean version of your site. However, you should confirm the backup is free from vulnerabilities that led to the hack in the first place to avoid a repeat compromise.

Should I contact my hosting provider if I cannot regain access on my own?
Absolutely. Many hosting providers have tools and support staff who can reset admin credentials, disable malicious files, and restore default WordPress settings at the server level. They may also have security logs that can help trace the source of the attack.

Regaining access to your WordPress admin after a hack is a process that requires speed, accuracy, and attention to detail. By acting quickly, securing your accounts, removing malicious code, and restoring from a safe backup, you can bring your site back under control. Strengthening your defenses with regular updates, secure design practices, and proactive monitoring will reduce the risk of another incident.