Hacked? How to Get Back Into the WordPress Admin

So your website has been hacked and you can’t log in, no matter what username and password combination you try. Fortunately, you’re not completely screwed – your database offers a convenient backdoor to help you regain access.

If you find that your site has been hacked, or you’ve simply forgotten your password and the admin email for your account is no longer valid, you can find that trying to recover your password from the login page doesn’t work.

In this kind of predicament, you’ll be glad to know that as long as you can log in to your database, you can make simple changes to your account details so you can log back into your site.

In this article, I’ll show you how to change your admin user details in your database using phpMyAdmin so you can regain access to your site and administrator privileges.

Getting Started

Before you make any changes to your database, it’s important that you create a backup of your entire site or at least your database, though, obviously, this bit can be tricky if you don’t have access to your site. Many backup tools require you to have access to the backend of your site. So how do you get around this very important detail?

If you don’t already have a method in place for creating regular backups of your site, you can still backup your database using phpMyAdmin. It won’t include everything on your site but it’s better than having no backup at all.

For the next few steps, I’m going to assume you’re logging into your site via cPanel (although you can also access it via The Hub).

In cPanel, go to Databases > phpMyAdmin and select your site or network’s database on the left, then click the Export tab toward the top of the page.

The default options are usually fine so it’s not necessary to choose the custom settings option. Click Go to select a location on your computer to save and create your backup.

If you make a mistake and need to restore your database, you can do this by going back to phpMyAdmin and clicking on your database listed on the left.

At the bottom of the page, click the checkbox to select all your tables, then choose the Drop option in the drop-down box next to the checkbox.

Next, click on the Import tab, then the Choose file button. Select the file you previously exported and click Go to restore your database.

Your database should function the way it did when you created the backup. Still, if you can backup your entire site, it’s recommended you do so to make sure you don’t lose anything.

You might want to check out some of our posts about plugins that can create full backups of your site: How to Backup Your WordPress Website (and Multisite) Using Snapshot, 4 Top WordPress Multisite Backup Solutions Tested and Reviewed and 7 Top Premium and Freemium WordPress Backup Plugins Reviewed.

Updating Your Database

Once you have your backup saved, you can log in to phpMyAdmin through cPanel. Go to Databases > phpMyAdmin and click on your site’s database on the left, then on the wp_users table that’s listed.

Find your admin username on the list, then click the Edit button on the same line.

Next, change the email address in the user_email field. Make sure to change it to an address that’s valid and that you can access (you can set up a different email address on your domain with email hosting). When you’re done making the switch, click the Go button at the bottom of the page to save your changes.

Review and Recover Your Site

Now that your new email address has been added to your account, all you need to do to regain access to the backend of your site is:

• Go to your login page (i.e. http://www.example.com/wp-admin)
• Click the Lost your pass? link
• Enter the new email address you added to your database
• Click Get New Password

When you check your email you’ll find a link to choose a new password. Be sure to choose a completely new and secure password.

Once that’s all done, log in and review your site right away for any changes. You should also consider restoring your site from a previous backup (if you have a backup and restore solution like Snapshot installed on your site) and/or scanning your site for potential injections of malicious code with a tool like Defender, VaultPress or Sucuri.
If you’re not already running the latest version of WordPress, update your install right away in order to repair any security holes in your current version that have since been patched and included in the latest update.

For more details on how to beef up the security of your site, check out WordPress Security: Tried and True Tips to Secure WordPress and 12 Ways to Secure Your WordPress Site You’ve Probably Overlooked.