A WordPress Pro's Guide to Adding Admin Users with FTP

As a webmaster with 15 years of experience running WordPress sites, I've seen firsthand how dangerous a compromised admin account can be. That's why I want to share tips to help you regain access securely if you ever lose it.

Adding an admin user through FTP seems quick and easy, but it can also leave your site vulnerable if you don't follow best practices. In this post, I'll walk through the steps to add a new WordPress admin via FTP, along with my expert advice for keeping your site truly secure.

When You Should Use the FTP Method

The FTP process for adding an admin lets you edit WordPress files directly on your web server. Here are some cases when it can be your best option:

  • You lost your admin password or got locked out of the dashboard.
  • Your admin account was deleted or hacked.
  • You don't have access to the database via phpMyAdmin.

However, there are more secure ways to add admins if you do have database/server access:

| Method | Pros | Cons |
|---|---|---|
| FTP Editor | No database access needed; fast and easy | Less secure; temporary solution |
| phpMyAdmin | Robust database management; create user from dash after | Requires database access |
| wp-cli | Automated user creation; available via SSH | Command line tool; advanced users |

As you can see, the FTP method is quick but should only be temporary.

Why FTP Admins Are a Security Risk

In my 15 years running WordPress sites, compromised admin accounts have been the most common source of security issues. Here are some real-life examples I've encountered:

  • Brute force attacks – Over 1 million login attempts until password guessed.
  • Phishing – Admin tricked into entering password on fake login page.
  • Weak passwords – Easily guessed password like "password123" hacked in hours.

Adding new admins via FTP bypasses WordPress security checks. And leaving extra admin accounts lying around gives attackers more opportunities to break in.

That's why I only recommend using the FTP method to regain access in an emergency. The new admin account should be locked down and the FTP code deleted soon after.

Step-By-Step: Add Admin User with FTP

If you do need to use FTP to add an admin, follow these steps:

1. Connect to FTP

Use a free FTP client like FileZilla…

2. Download functions.php

Navigate to /wp-content/themes/your-theme

3. Open in Text Editor

I recommend Notepad or TextEdit…

4. Add Admin Code

Paste this and update with your details:

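function wpb_admin_account() {
    // Placeholder values: replace with your own details before uploading.
    $user  = 'YourUsername';
    $pass  = 'YourPassword';
    $email = 'you@example.com';

    // Create the account only if the username and email are not already in use.
    if ( ! username_exists( $user ) && ! email_exists( $email ) ) {
        $user_id = wp_create_user( $user, $pass, $email );
        if ( ! is_wp_error( $user_id ) ) {
            $new_user = new WP_User( $user_id );
            $new_user->set_role( 'administrator' );
        }
    }
}
// Run on every page load until this code is removed from functions.php.
add_action( 'init', 'wpb_admin_account' );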

5. Upload Updated File

Save changes and upload edited functions.php to replace old file.

6. Login with New Admin

Visit /wp-admin and sign in!

Locking Down Your New Admin Account

Once you've regained access, there are a few best practices I recommend based on my experience:

Use a secure password – Enable two-factor authentication and use a password manager.

Change your admin username – Don't use "admin". Choose a unique username.

Limit login attempts – Install a plugin like Limit Login Attempts to prevent brute force attacks.

Delete the FTP code – Remove the admin creation code from functions.php.

Audit plugins and themes – Make sure no vulnerabilities are exposed.

Monitor activity – Check login records and site changes regularly for suspicious activity.
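
To verify the "Delete the FTP code" tip, the following shell script (an added example, not part of the original post) scans theme PHP files for leftover account-creation calls. The function names, the search pattern and the demo theme tree are assumptions constructed for illustration.

```shell
# Added example, not from the original post: find theme PHP files that still
# contain account-creation calls such as the step 4 snippet.
ADMIN_CODE_PATTERN='wp_create_user|wp_insert_user|set_role\([[:space:]]*.administrator'

# Print the path of every PHP file under $1 that matches (sorted, one per line).
list_leftover_admin_code() {
    grep -rlE --include='*.php' "$ADMIN_CODE_PATTERN" "$1" | sort
}

# Print file:line:text for each matching line so it can be reviewed and removed.
show_leftover_admin_code() {
    grep -rnE --include='*.php' "$ADMIN_CODE_PATTERN" "$1"
}

# Build a constructed two-theme tree under $1 for testing (not real site data).
make_demo_themes() {
    mkdir -p "$1/clean-theme" "$1/recovered-theme"
    cat > "$1/clean-theme/functions.php" <<'EOF'
<?php
add_theme_support( 'title-tag' );
EOF
    cat > "$1/recovered-theme/functions.php" <<'EOF'
<?php
function wpb_admin_account() {
    $user_id = wp_create_user( 'YourUsername', 'YourPassword', 'you@example.com' );
    $new_user = new WP_User( $user_id );
    $new_user->set_role( 'administrator' );
}
add_action( 'init', 'wpb_admin_account' );
EOF
}

# Usage: sh scan.sh /path/to/wp-content/themes
# With no argument, run against the constructed demo tree instead.
if [ -n "${1:-}" ]; then
    show_leftover_admin_code "$1" || echo "No account-creation code found."
else
    demo_dir=$(mktemp -d)
    make_demo_themes "$demo_dir"
    show_leftover_admin_code "$demo_dir"
    rm -rf "$demo_dir"
fi
```

A hit is a prompt to read the file, not proof of a problem: themes that legitimately register users will also match.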

Following these tips will help ensure your new admin account stays locked down. Let me know if you have any other questions!

Written by Jason Striegel

C/C++, Java, Python, Linux developer for 18 years, A-Tech enthusiast love to share some useful tech hacks.