What to Do When WordPress Is Hacked and You Can’t Log In

Why have I been logged out of WordPress?

To combat hacks on your WordPress website, it is important to understand how attackers gain control of it. Every day, new vulnerabilities are found in WordPress plugins, themes and the servers that host websites. These vulnerabilities can potentially give hackers the ability to run arbitrary code on your website.

Some of the most common exploits against WordPress give hackers administrative access to your WordPress dashboard. This gives them the ability to add and remove users and to revoke privileges from existing users.

After your website has been hacked, you may find yourself logged out of WordPress entirely with no way to get back in. Fortunately, you can still gain access again. For fixing your hacked WordPress website, either read on or ask us for help. As experts in WordPress security, we will be able to get your website fixed in no time!

 

Creating an admin account via MySQL

Your WordPress website is connected to a database which stores posts, pages, products and users. By interacting with this database, you can manually create a user with administrative access and regain access to your site.

1. Log into your website’s control panel 

Most popular web hosts use either Plesk or cPanel. If you are unsure, contact your hosting provider.

2. Access phpMyAdmin

Click the “Databases” category and find the icon that says “phpMyAdmin”. Click it to open in your browser.

3. Confirm that the database is linked to WordPress

The left sidebar may include one or more database names. You can find the name of your website’s database by opening the wp-config.php file in your website’s root directory and looking for the line that begins with “define('DB_NAME'”. Below is an example.

define('DB_NAME', 'example-database');

4. Paste SQL code to create a user

Back in phpMyAdmin, select your WordPress database in the left sidebar and locate the SQL tab. It should sit between the ‘Structure’ and ‘Search’ tabs. Click the tab to bring up a field where you can run SQL queries. In the box, paste the following code:


-- Create the user row; the password is stored as an MD5 hash.
INSERT INTO `wp_users` (`user_login`, `user_pass`, `user_nicename`, `user_email`,
`user_status`)
VALUES ('example-user', MD5('example-password'), 'firstname lastname', 'email@example.com', '0');
-- Give the new user (the highest ID in wp_users) the administrator role.
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, (SELECT MAX(id) FROM wp_users),
'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');
-- Set the legacy user level that corresponds to an administrator.
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, (SELECT MAX(id) FROM wp_users), 'wp_user_level', '10');

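  • Replace example-user and example-password with your desired username and password.
  • Replace email@example.com with your email.
  • If your site uses a table prefix other than wp_ (set by $table_prefix in wp-config.php), replace wp_ in the table names and in the wp_capabilities and wp_user_level keys with your prefix.
  • Click “Go” to run the query and create a new user.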

 

5. Log into WordPress

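Head over to your WordPress site’s login page and use the details you entered above to log back in. Once you are in, set a new password from your profile page so that it is stored with WordPress’s own password hashing rather than as a plain MD5 hash.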

 

Secure your website to prevent future hacks:

Once you are logged back into your WordPress site, your first priority should be to regain control of it. Follow these tips to keep people out of your website:

  • Remove any new users – Enter the “Users” section of your WordPress site and look for any suspicious accounts. The hacker may have created a new account with administrative access to make changes to your site. Be sure to change the password on all existing administrator accounts as well.
  • Update or disable any vulnerable plugins – By keeping your plugins up to date, you are keeping your site safe from dangerous vulnerabilities. You should also check out this site for news and information about recent plugin vulnerabilities that have been discovered.
  • Update your hosting credentials – By changing the login and SSH information for your hosting provider, you can prevent hackers from accessing your files and database.
  • Get your website checked – We offer accurate WordPress security checks which can quickly detect vulnerabilities and malicious code in your website. Enquire now or learn more about our super secure WordPress hosting.
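
To support the “Remove any new users” tip above, the queries below list every account that holds the administrator role, newest first, and any leftover role rows. They are an added example, not part of the original article, and assume the default wp_ table prefix used in the queries above; run them in the same phpMyAdmin SQL tab.

```sql
-- Added example: audit administrator accounts after a compromise.
-- Assumes the default `wp_` prefix; adjust table names and the
-- 'wp_capabilities' key if $table_prefix in wp-config.php differs.

-- 1. Every account whose role data includes "administrator",
--    newest registration first. Review any login or email address
--    you do not recognise. Rows inserted directly into the database
--    (like the recovery account created above, which does not set
--    user_registered) show that column at its default value.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- 2. Role rows that point at a user ID with no matching wp_users row.
--    These are leftovers worth cleaning up, since they would apply
--    to any account later created with that ID.
SELECT m.umeta_id,
       m.user_id,
       m.meta_value AS capabilities
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u
  ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
  AND u.ID IS NULL;
```

Both queries are read-only, so they can be run safely before deciding which accounts to remove from the “Users” section.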