How To Add An Admin User To The WordPress Database Via MySQL

Open your hosting control panel (cPanel, Plesk, or your host’s custom dashboard) and click phpMyAdmin. If you’re on a managed host like Kinsta or WP Engine, you’ll find phpMyAdmin access within their site dashboard.

Once you’re in phpMyAdmin, look at the left sidebar for a list of databases. Click the one associated with your WordPress site. If you’re not sure which database your site uses, open your wp-config.php file (in your site’s root folder) and look for the DB_NAME value; that’s your database.

With the database selected, you’ll see a list of tables. Most WordPress installations use the default wp_ prefix, but some use a custom prefix chosen during installation. If you don’t see wp_users, look for a table ending in _users; that’s the one you need. If you’re unsure of your prefix, open wp-config.php and look for the $table_prefix variable.

Click on the wp_users table (replace wp_ with your custom prefix if needed) and click the Insert tab at the top. Fill in each field as follows:

ID: Pick a number not already in use. Scroll through the existing rows to find the highest ID, then use the next number up.
user_login: The username for your new admin account. Keep it simple and unique.
user_pass: Your password. In the Function column next to this field, select MD5 from the dropdown. WordPress stores passwords as hashed values, and selecting MD5 here handles that automatically. On your first login, WordPress will upgrade the hash to a stronger format.
user_nicename: A URL-friendly version of your name: lowercase, hyphens instead of spaces (e.g. john-smith).
user_email: The email address for this account.
user_url: Optional. Your site URL or leave it blank.
user_registered: Today’s date and time in this format: 2026-05-20 12:00:00
user_activation_key: Leave blank.
user_status: Set to 0 (active).
display_name: How your name appears publicly on the site. Can match user_nicename or be your full name.

Click Go to save. Write down the ID you used; you’ll need it in the next step.

Click on wp_usermeta in the left sidebar (again, substitute your custom prefix if needed) and click the Insert tab. You need to add two separate rows to grant full administrator access.

Row 1, Capabilities:
umeta_id: Leave blank (auto-generated).
user_id: The same ID you used in Step 2.
meta_key: wp_capabilities (or yourprefix_capabilities if you have a custom table prefix)
meta_value: Paste this exactly: a:1:{s:13:"administrator";b:1;}

Click Go, then click Insert again to add the second row.

Row 2, User Level:
umeta_id: Leave blank.
user_id: Same ID as above.
meta_key: wp_user_level
meta_value: 10

Click Go. The wp_user_level value of 10 ensures compatibility with older themes and plugins that check this field when determining admin access.

Now try logging in to WordPress with the username and password you created in Step 2. If it works, move on to Step 4 to finish the setup.

Once logged in, go to Users in the WordPress admin sidebar and click on your new account. Scroll to the bottom and click Update User without changing anything. This prompts WordPress to rebuild the user’s capability data in its own serialized format, replacing the raw database value you inserted with a properly structured version.

While you’re in the Users section, review all existing accounts. Delete any unfamiliar usernames; attackers often create backdoor admin accounts alongside the damage they do. Then go to Settings > General and confirm the admin email address is correct.

If a hacker deleted your account, treat the entire site as compromised and complete this checklist before doing anything else:

• Change your database password: In cPanel or your host dashboard, regenerate the MySQL user password and update the DB_PASSWORD value in wp-config.php immediately.
• Scan for backdoors: Install a security plugin such as Wordfence or Malcare and run a full scan. Attackers frequently plant PHP backdoor files in wp-content/uploads/ or rename them to look like WordPress core files.
• Rotate all passwords: Change your hosting account password, your FTP/SFTP credentials, and any email accounts associated with the site.
• Check file modification dates: Via FTP, sort files by modification date. Any PHP file modified around the time of the attack that is not a plugin or theme update is suspicious.

Finally, head to Dashboard > Updates and apply any pending WordPress core, theme, or plugin updates. A site that was successfully attacked almost always had an unpatched vulnerability; staying up to date is the most effective way to prevent it from happening again.