Change WordPress admin email without confirmation

When we’re building a new WordPress powered website one of the very first things we do in the setup process is create the first admin user. The email address associated becomes the main admin for the site. You can see this under Settings > General:

This address is used for notifications of WordPress updates and in our case, default Gravity Forms notifications. This is great during development, but what about once the site has gone live and you hand it over to the customer?

TL;DR: Update in the database

The WordPress way

WordPress implemented this change late last year in the 4.9 release and was done for security reasons. Here’s what was said during the announcement:

A few account security enhancements have gone into WordPress 4.9. The intention is to make it more difficult for an attacker to take over a user account or a site by changing the email address associated with the user or the site, and also to reduce the chance of a mistaken or erroneous change causing you to get locked out.

If you update the email from the WordPress admin area, the change is not immediately made. A series of emails are sent out and a confirmation link must be clicked:

Once confirmed, the new email address is set, and the previous email is sent a notification.

For most users, this is the preferred way to update the admin email account.

Updating without going through the confirmation process

We like to set the admin email upon launch to the site owner. Launch day is usually a pretty hectic affair and adding another request to the owner’s list is not always easy or a good idea. So here’s the simple way to do it without having them confirm:

phpMyAdmin to the rescue

Like many things, the WordPress MySQL database is a good place to go for changes. The WordPress admin email can be updated from the database as well. Here’s how:

  1. Log into the database. phpMyAdmin is a good choice.
  2. Locate the wp_options table.
  3. Near the top locate the admin_email option
  4. Edit the option_value field with the new email. This can be done either inline, or by editing depending on your version of phpMyAdmin
  5. Save your work if it wasn’t auto-saved

That’s it!

4 Comments


This is one of the more annoying updates to go into WordPress in many years. (Been working with WordPress since 2006)

It’s a nice idea, but WordPress’s email php program is not terribly reliable, especially on some host platforms.

This ends up creating a lot of work for no solid reason.

Reply

    Yes, it does feel like a brute force approach to security, much like a pat-down at the airport. I’ve never seen an attacker attempt to take over a site by changing the site admin this way. That said, it’s certainly possible to do and I have seen customers change the admin email by mistake. Until a better solution comes along, I’m okay with WordPress trying out security changes.

    I no longer bother the customer with an email volley on this. I’m in the database anyway and it’s a quick change.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

See if Cinch is right for you.

Ask us anything. Seriously. Like, what is the air speed velocity of an unladen swallow?

Start a chat right now

Or go ahead and Sign up now