Andreas Hecht July 14th, 2016

Hacked? Retrieve Access to Your WordPress Backend

Hacked? Retrieve Access to Your WordPress Backend
One day, you wake up and realize that your WordPress got hacked. Maybe the landing page shows a skull and mocks you, as you may have made a mistake allowing the hacker to access the page. Now, you have a real problem, because no matter what username and password combination you try, you just won't get back into your website's admin area. Stay calm; we have a solution to that as well. Of course, the trick that I'm about to show you will also work for forgotten access information. Whatever the problem may be, and for whatever reason, you don't have access to the admin account, it can be solved. If you don't have any website backups to restore, you need to fix the problem differently. However, if you have a good backup strategy, your website will be recovered with just a few clicks. If not, proceed as follows:

Setting Up New Access Information in phpMyAdmin

In about 98 percent of all cases, a hacker will not want to, or be able to compromise all areas of a website or a server. Thus, you'll always have access to phpMyAdmin, including your database used by WordPress. If you don't have access to your server or web hosting package anymore, contact your hoster's support. In case you forgot, you're able to find the access information in the wp-config.php. Use this access information to log into your phpMyAdmin interface. Then, choose the right database, if you happen to have multiple websites. Now create a manual backup of your database, allowing you to import it again later on if you happen to make a major mistake in the following work. [caption id="attachment_76944" align="alignnone" width="660"]backup-datenbank First: Always create a backup.[/caption] Now, it's time to go to the bone. We will set up new access information in the database, so that you get your access back fast, and restore your website.

Placing New Access Information in the Database

Click the table wp_users on the left. Please keep in mind that your table could also be named differently when using a database prefix other than wp_. Maybe, the table will be called myblog_users instead. It's also possible to get that information from the wp-config.php. In the upper line, click the first menu item called "Display". Now, you'll see the user accounts and click on "edit" for one admin. [caption id="attachment_76945" align="alignnone" width="660"]Die User-Accounts in der Tabelle wp_users. The user accounts in the table wp_users. One click opens a larger view.[/caption] Next, place a working email address in the email field and save your data. Make sure that you have access to this email address, and that you can receive emails. [caption id="attachment_76946" align="alignnone" width="660"]Setze eine neue und funktionierende E-Mail-Adresse und speichere diese ab. Set a new email address and save it.[/caption]

Requesting a New Password

After you placed a new email address, you can log out of phpMyAdmin and call up your website's admin area with the following URL: Now, use the WordPress function for forgotten passwords. Click on "forgot password" and enter the email you just placed in the newly opened window. Neues Passwort anfordern. WordPress automatically sends you a new password to the email address you entered in the database. From that point, you have regained full access to your website, allowing you to remove it from malicious code. After you're able to log in again, please choose a safe password with at least ten characters, letters, numbers, as well as upper, and lower case letters. A proper password will make it a lot harder for future hackers to invade your website.

At a Word: the Right Backup Strategy

The entire procedure that you just had to go through was only possible because you didn't protect your website properly, or didn't keep it up to date. I know, it's tough to hear this. But it's the truth nonetheless. Nobody has just to accept that their blog got hacked. You can always do a lot to prevent it. Everything starts with the updates. Always keep your page, plugins, and themes up to date. This closes security gaps. Make sure to have an optimal .htaccess file that makes it almost impossible for hackers to get into your blog. Use a safe password. This will let you sleep a lot better in the future.

My Recommendation for Regular Backups

There's nothing more important than an excellent backup service. Yes, a service, not a plugin. A plugin requires expert knowledge and time when it comes to the recovery of a blog. On top of that, most plugins store backups on the same server they run on. I've been working with VaultPress, the paid service by Automattic, the company behind WordPress, for years. I'd like to recommend this service to you. For only 5 USD a month, you'll get daily backups that can be restored with one click. Your data is not saved on your server, meaning they are always available, even when your server is attacked. Additionally, VaultPress doesn't require the website's access information, but only the information for the (S)FTP access. You also get to choose what exactly you want to restore: the whole installation, including WordPress, or single files. [caption id="attachment_76948" align="alignnone" width="660"]VaultPress-Dashboard The VaultPress backups. A single click on "restore" will recover a backup.[/caption] For the registration and the conclusion of a contract, you need a account and a credit card, however, prepaid credit cards, like those by Number26, are also accepted. Further Information: (dpe) Image by Clker-Free-Vector-Images from Pixabay

Andreas Hecht

Andreas Hecht is a journalist and specialist for WordPress and WordPress Security. He roams the web since its inception. He has published an ebook on WordPress Security, which you might want to take a look at.

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *