Call for a Free Website Security Review (619) 479-6637     Hack Repair Testimonials Read more five star service reviews?

Website Malware andHack Repair Services

"Repairing Hacked WordPress Websites since 2012"

How-to

How to add a new WordPress user without logging into WordPress

| | 10 Comments

When I’m unable to log into Wordpress I use one of these two techniques to add a new user to WordPress.

Technique #1
Adds a user to WordPress via FTP. This one’s been known as far back as 2011. George Stephanis posted an article on the subject, and it still remains relevant today.

Simply add the below code to your active WordPress theme functions.php file, then visit the site to inject the new user and password into the database.

This will instantly create a new admin user.

Just remember to remove the below code from your functions.php file once you’ve verified the new username and password is working nicely.

function add_admin_acct(){
$login = 'yourusername';
$passw = 'yourpass';
$email = 'youremail';
if ( !username_exists( $login ) && !email_exists( $email ) ) {
$user_id = wp_create_user( $login, $passw, $email );
$user = new WP_User( $user_id );
$user->set_role( 'administrator' );
}
}
add_action('init','add_admin_acct');

Obligatory disclaimer: Make a backup of your database beforehand. Oopsy!

 

Screen capture example (code above inserted in yellow below):

Functions.php method of sdding a new WordPress user and password

 

The result after adding the code above to the functions.php. A new user created:

How to add a WordPress user using functions.php

Technique #2
Adds a user to WordPress via phpMyAdmin.

A method I use when phpMyAdmin is available. Simply log into phpMyAdmin and click on the database name shown in the left column.

Not sure what database your WordPress installation uses?
View the line within your wp-config.php file that looks like this:
define(‘DB_NAME’, ‘wp_mydb1’);

 

Along the top of the page you’ll see a line of tabs that look like this:The SQL Tab in phpMyAdmin

Just click on the SQL tab, and paste the below text into the box.

INSERT INTO `wp_users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_status`)
VALUES ('yourname', MD5('mysecretpassword'), 'firstname lastname', '[email protected]', '0');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) 
VALUES (NULL, (Select max(id) FROM wp_users), 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) 
VALUES (NULL, (Select max(id) FROM wp_users), 'wp_user_level', '10');

 

With text entered and edited click the GO button to create a new user.

You probably should change the text in red before slamming that GO button.

Then log into WordPress as usual with your newly added yourname and mysecretpassword.

That’s it – Enjoy!

 

 

We fix hacked websites
Looking for other options to change your WordPress password?

See the HackGuard.com how-to, “How do I reset my WordPress password?

 

How Do I Prepare My WordPress Website for an SSL Certificate?

| | 4 Comments

So Google says, “HTTPS is now a ranking signal”, and you’ve just installed your SSL certificate, then checked it against the SSL Checker or JitBit SSL Checker. That was the easy part.

So, now you are just about ready to flip the switch for SSL by updating your website address within the WordPress settings, right?

Stop!Hands up!
Stop right there!

Update WordPress SSL Settings here
WordPress -> General Settings


Configuring and preparing a WordPress site for an SSL certificate may require a few more steps than simply installing and updating your WordPress “General Settings” URL.

Below is what I learned after dedicating several hours setting up my own SSL certificate. I hope you’ll find this WordPress SSL setup guide helpful.

 

Numero 1

Before changing the URL within your dashboard…

jump over to this website, https://www.whynopadlock.com and test your domain name, like https://atyourdomain.com

If you are lucky,  your website will show a nicely closed lock in your web browser location bar and you’ll be all set. If not, make a note of the dreaded “mixed content” errors and see the notes below.

Mixed content errors are simply URL’s which you’ve included within your page or script that explicitly link out to https:// (a non-secure link). That’s a no-no where SSL is concerned. And the result is that dreaded broken padlock you’ll see to the left of your URL within your web browser’s location bar, which appears like this image to right: The broken lock appears with mixed content on a page

Stop!  Be sure to disable all caching related plugins or settings first.

To fix most mixed content errors, install and run either the Better Search Replace or WP Migrate DB plugins to search and replace all references to https://atyourdomain.com with https://atyourdomain.com

If you not comfortable with editing your database,install and run either of these plugins, SSL Insecure Content Fixer or Really Simple SSL. Either of these plugins should help to correct those mixed content errors that might otherwise cause your website’s pages to throw up SSL errors.

 

Numero 2Managing the 301 Redirect via Plugin or .htaccess

Updating your internal links to https:// will not automatically notify the search engines of your change to a secure URL. This is where a 301 redirect is required. Without a 301 redirect, it may take a long time for the search engines to properly index your newly set https:// website address.

So after ensuring all links within your site “redirect” to your new https:// address appropriately, see the 301 redirect instructions below.

On my personal website, the WordPress plugin I tried was not enough. My domain at https:// was still not redirecting to https:// as expected, so I had to add the text below to my .htaccess file in order to force the redirect:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Alternatively, try:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://atyourdomain.com/$1 [R=301,L]
  • Remember to replace atyourdomain.com with the www or non-www version of your domain name.

 

Quick SSL Setup Recap
– Update your database from https://atyourdomain.com to https://atyourdomain.com using any of the above search and replace plugins.
– Update your .htaccess to the above settings.
– In 90% of cases that’s all you should need to do.

 

Numero 3

Hopefully, number one and two above were enough to both fully close the lock and redirect your domain.

If not, you may need to remove the remaining not-secure “https://” references within your posts, pages, widgets, and CSS stylesheets. Most of the local linking stuff is pretty easy to fix. I’ll cover the tricks that worked best for me below.

Do you know the difference between relative (implicit) and absolute (explicit) links?

Relative or implicit links are those like <a href=”index.htm”, while absolute or explicit links are those like <a href=”https://your_domain/index.htm”.

Suffice it to say, where SSL is concerned steer toward relative links and you’ll be a happier camper.

Now, what about external links to Youtube.com, and other 3rd party services within posts or CSS you may ask?
This is where the pain often begins. All embedded links, be they internal or external, must not appear as https:// (a non-secure link).

Allowing external embedded links to remain as, for example: https://youtube.com will present your visitors, at best, a broken padlock in the URL bar, or worst, a nasty message alerting your visitors against visiting your web page.

Luckily, there is a little trick that may work in many cases to tame the non-secure SSL beast. And behold the wonder: I’ll use Google fonts as an example:

Replace:
href=”https://fonts.googleapis.com/css?family…
with
href=”//fonts.googleapis.com/css?family…

Note how you may replace “https://” with “//”. Cool, huh?
This little trick will trick the visiting browser into not reporting your bad mixed-content habits to everyone who visits your site.

If none of this makes sense to you, we have an app for that. This plugin may help to “correct” the http:// references, Protocol Relative Theme Assets.

Once you’ve resolved those pesky mixed-content errors, do a final test using the Why No Padlock site, then go for it!

Word to the wise, after you do the switch to HTTPS remember to double check every page on your website, especially your order and contact forms. Good luck!

 

Numero 4

Other SSL related recommendations?

 

Be sure to make a recoverable database backup before making URL changes to your WordPress database.

Plugins like UpdraftPlus Backup and Restoration and BackupBuddy have nice rollback features that may come in handy while testing your transition from https:// to https://

Don’t forget to check any XML sitemaps you may have installed within your public directory for search engine consumption.

What if I can’t remove all of the mixed content messages?

If you find you can’t remove all of the mixed content messages, it’s not a total loss. You may still use SSL for your WordPress dashboard. That’s still a big bonus and highly recommended by many website security professionals. Once you log in, just ignore or approve the mixed content alert and you’ll be all set. Your connection will still be encrypted nicely, mixed-content messages be damned. To force the use of a secure dashboard connection simply add this line of code to your wp-config.php:

define('FORCE_SSL_ADMIN', true);


What’s this “Upgrade Insecure Requests” thing?

Since writing this article, more browsers have begun supporting a way to automatically upgrade https:// URLs to https:// in order to solve the mixed content problem.

This new “Upgrade Insecure Requests” option may be integrated into your website by simply adding the tag below into the <head> section of your pages:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

 

+ Did you find this useful?
Please share your experience in switching your site to SSL in the comments below. Or feel free to share this article with others who may benefit. This is a living document and will change over time as I learn better methods and procedures.

Alternately, if you are finding this a bit overwhelming and need help, just contact me using the chat link at bottom-left of this page. And I’ll do my best to get your SSL certificate working nicely on your website today.

 

“A thing done well is rarely done alone.”
And many thanks to the following good folks for help in proofreading and technical assistance: Laird Sapir @lairdsapir, Mike Dudas @tvcnet, Kate Ryan-Taylor @bebloodyawesomeDave McHale @thedavetheory, Paul Thompson @thompsonpaul, and others.

 

How to install your WordPress website on to your Apple Mac Computer

| | Leave a Comment

In this WordPress video tutorial I will describe how to setup and copy your WordPress website on to your Apple Mac computer, such that you may edit your WordPress website offline.

You will need to review the following to complete the move of your WordPress blog to your Apple Mac:
https://serverpress.com/downloads/
https://wordpress.org/plugins/wp-migrate-db/
https://wordpress.org/plugins/adminer/
And a copy of your blogs /wp-contents directory from your hosting company.