Hacked? Retrieve Access to Your WordPress Backend
One day, you wake up and realize that your WordPress got hacked. Maybe the landing page shows a skull and mocks you, as you may have made a mistake allowing the hacker to access the page. Now, you have a real problem, because no matter what username and password combination you try, you just won’t get back into your website’s admin area. Stay calm; we have a solution to that as well.
Of course, the trick that I’m about to show you will also work for forgotten access information. Whatever the problem may be, and for whatever reason, you don’t have access to the admin account, it can be solved.
If you don’t have any website backups to restore, you need to fix the problem differently. However, if you have a good backup strategy, your website will be recovered with just a few clicks. If not, proceed as follows:
Setting Up New Access Information in phpMyAdmin
In about 98 percent of all cases, a hacker will not want to, or be able to compromise all areas of a website or a server. Thus, you’ll always have access to phpMyAdmin, including your database used by WordPress.
If you don’t have access to your server or web hosting package anymore, contact your hoster’s support.
In case you forgot, you’re able to find the access information in the
wp-config.php. Use this access information to log into your phpMyAdmin interface. Then, choose the right database, if you happen to have multiple websites.
Now create a manual backup of your database, allowing you to import it again later on if you happen to make a major mistake in the following work.
Now, it’s time to go to the bone. We will set up new access information in the database, so that you get your access back fast, and restore your website.
Placing New Access Information in the Database
Click the table
wp_users on the left. Please keep in mind that your table could also be named differently when using a database prefix other than
wp_. Maybe, the table will be called
myblog_users instead. It’s also possible to get that information from the
In the upper line, click the first menu item called “Display”. Now, you’ll see the user accounts and click on “edit” for one admin.
Next, place a working email address in the email field and save your data. Make sure that you have access to this email address, and that you can receive emails.
Requesting a New Password
After you placed a new email address, you can log out of phpMyAdmin and call up your website’s admin area with the following URL:
Now, use the WordPress function for forgotten passwords. Click on “forgot password” and enter the email you just placed in the newly opened window.
WordPress automatically sends you a new password to the email address you entered in the database. From that point, you have regained full access to your website, allowing you to remove it from malicious code.
After you’re able to log in again, please choose a safe password with at least ten characters, letters, numbers, as well as upper, and lower case letters. A proper password will make it a lot harder for future hackers to invade your website.
At a Word: the Right Backup Strategy
The entire procedure that you just had to go through was only possible because you didn’t protect your website properly, or didn’t keep it up to date. I know, it’s tough to hear this. But it’s the truth nonetheless.
Nobody has just to accept that their blog got hacked. You can always do a lot to prevent it. Everything starts with the updates. Always keep your page, plugins, and themes up to date. This closes security gaps. Make sure to have an optimal .htaccess file that makes it almost impossible for hackers to get into your blog. Use a safe password. This will let you sleep a lot better in the future.
My Recommendation for Regular Backups
There’s nothing more important than an excellent backup service. Yes, a service, not a plugin. A plugin requires expert knowledge and time when it comes to the recovery of a blog. On top of that, most plugins store backups on the same server they run on. I’ve been working with VaultPress, the paid service by Automattic, the company behind WordPress, for years. I’d like to recommend this service to you.
For only 5 USD a month, you’ll get daily backups that can be restored with one click. Your data is not saved on your server, meaning they are always available, even when your server is attacked. Additionally, VaultPress doesn’t require the website’s access information, but only the information for the (S)FTP access. You also get to choose what exactly you want to restore: the whole installation, including WordPress, or single files.
For the registration and the conclusion of a contract, you need a WordPress.com account and a credit card, however, prepaid credit cards, like those by Number26, are also accepted.