Time to open my toolbox. There is one tool I use a lot when doing WordPress support. It’s called WP Access All Areas and exists for the sole purpose of getting administrative access to a WordPress blog by uploading a PHP file via FTP. It’s there to handle this task quickly and with ease.
I made an announcement over at Yoost’s Blog in the comments to a post where he suggested the emergency.php tool to do something similar / related. So check out his tool as well if you would like some alternative options.
Here we go:
WP Access All Areas
WP Access All Areas is a ToolPress user/password utility to gain access to a current installation. It was created with support tasks in mind, for when zero-configuration quick access is what is needed. It has been created with WordPress 2.8.4/2.9-beta.
It’s as easy as 1-2-3 if you have FTP access to a server (and a properly done hosting configuration): Copy the file wpaaa.php into the blog’s root directory and open it with your browser. You’ll be welcomed by the following screen:
The options are as simple as they are limited: Unlock or Remove. Let’s start with the first one, Unlock. You’ll get this after pressing it:
As the screenshot above shows, a new user called JohnDoe with a random password has been created. The dashboard with administration rights is just a click of the Login button away (small thumbnail on the right). Yes, it is that easy. Clicking it will open the well-known WordPress dashboard in a new tab. You do not have to type in the password to log in (but you can if you prefer).
So if you’ve done your job with administrative access (let’s say, you’re done), closing the can is as easy as opening it. Just press the Lock button and the just created user is deleted again. You’ll see the options from the first screen again: Unlock or Remove. So this time we choose Remove. This button could have been labeled Self-Destruct as well because it will delete the script from the server.
Job done, and you’ve properly cleaned up afterwards as well. What more do you want?
Is this safe?
This is a good question – you’re asking the right one! WPAAA.PHP has some safety precautions built in because it’s a pretty powerful tool, as you might have guessed. It will automatically reveal a blog’s database connection and create a user with administrative rights inside the blog’s user db-table. If you upload it to a server, be sure to be the first one who requests it, because with the very first request it will automatically lock itself down. It is then protected against further requests. Other (probably malicious) requests will be answered with a gone message. FYI, that’s HTTP code 401. So as long as you do not leave this unrequested on a server, you should be pretty safe.
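An added example, not part of WP Access All Areas or the original post: a small Python check over a web server access log that confirms your own request was the first one to reach wpaaa.php and lists every other client that asked for it. It assumes Common/Combined Log Format; the log lines, the addresses, the query parameter and the operator_ip argument are constructed for illustration.

```python
import re
from datetime import datetime

# Common/Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def audit_first_request(lines, operator_ip, script="/wpaaa.php"):
    """Report who requested the script first and who else asked for it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path.lower() != script:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m["ip"], int(m["status"])))
    hits.sort(key=lambda h: h[0])  # logs may be merged out of order
    if not hits:
        return {"first_ip": None, "operator_was_first": False, "others": []}
    first_ip = hits[0][1]
    # Every (client, status) pair that did not come from the operator.
    others = sorted({(ip, st) for _, ip, st in hits if ip != operator_ip})
    return {
        "first_ip": first_ip,
        "operator_was_first": first_ip == operator_ip,
        "others": others,
    }

# Constructed sample log: documentation-range addresses, made-up times,
# and a made-up query parameter.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2009:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.10 - - [12/Nov/2009:10:00:05 +0000] "GET /wpaaa.php HTTP/1.1" 200 66560',
    '198.51.100.7 - - [12/Nov/2009:10:00:09 +0000] "GET /wpaaa.php HTTP/1.1" 401 312',
    '203.0.113.10 - - [12/Nov/2009:10:04:41 +0000] "POST /wpaaa.php?x=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(audit_first_request(SAMPLE_LOG, operator_ip="203.0.113.10"))
```

If operator_was_first comes back False, someone else triggered the lock-down before you did, and the installation should be checked for an unexpected administrator account.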
Pros and Cons
Pros. This tool comes in handy when you’ve got the FTP access and you do not want to contact the client for the WordPress username and password just to check something. A plus compared to other tools is the easy and fast usage, including that lock-down mechanism and its simple click admin interface. Get the job done fast. Time is money – or usability just pays.
Cons. Good question. Because I use it quite often with success, I cannot say many bad things about it. So what limitations are good to know about? First of all, the file size is not that small. You better have a stronger pipe for upload (but that would pay for support anyway). On the one hand it is nice that it ships with everything in one file, including stylesheets and images (hey, this is Cons not Pros, hakre!), but this comes at the price of the file size, about 65kb (okay, that’s a con). Then this is PHP 5.2 (okay, not a real con either), but it is somewhat experimental code and therefore bloated and not optimized down to its bones. It feels kind of written and then development stopped after the major goals had been achieved. So it is not perfect.
Another con might be that it must match a certain pattern of PHP / server configuration. The user that is running the script must be able to change / write to the file. That’s needed for the lockdown mechanism. Luckily, that exact setup is what is suggested for WordPress updates. If that is not supported, it will just show the gone message. That’s good security-wise, but it also shows that it does not work under certain conditions. In that case, you need to enter the lockdown code manually into the file and pass it as a request parameter. Then it’s good if you have a “working copy” at hand so that you can copy and paste from it.
I use this tool to get access to WordPress installations where customers did not provide a username and password to log into the WordPress backend. That might be because they forgot to provide those credentials, because I had not asked for them specifically, or because they just made an error when providing the information. Communication with customers always takes its amount of time, so having multiple options plays very well here. ToolPress WP Access All Areas helps me to get the job done fast – so it’s just worth sharing. If you think about adding an admin user to a WordPress installation by hand, try WP Access All Areas. This is exactly what it does.
It’s shared under a free AGPL 3.0 license. It has a built-in file browser and is easy to download (view source) from any host it is copied to. Clever, right? Try it out and share your thoughts here in the comments if you like. Hopefully this is a tool you’ll like for helping your friends, clients and neighbors. We’re into this to make things better even in this imperfect world. Spread the word.