Sometimes the Joomla site owners get a bit paranoic after a time, due to lot of hype about site security. Basically is nothing wrong with, a good site security is based on keeping your accounts secure. But what about when you are hired to do something in a Joomla site and you got ALL access (including FTP and database access) but you discover, that the Joomla account you received is only an Administrator. You can do a lot as an Administrator - but often not enough! Don't tell me, that this never happened to you - unless you are a Joomla rookie. What you can do?

Obviously you can ask the site owner to upgrade your account to Superadministrator. If he/she is reacheable....

Or, use your FTP/Database access, and solve your problems single-handed. Let me show you how you can do it using the phpMyadmin! The solution via FTP is based on exactly same knowledge!

First, some know-how: how the Joomla access control looks like in the database!

The access data needed to create a Joomla Super Administrator (generally - a Joomla user) is stored in couple of database tables. For simplicity, I use the once default "jos_" table prefix - don't use that on your site!!

The tables involved are different for different Joomla versions. Here are the ones used in Joomla 1.0 and 1.5:


In the "jos_users" table the main user related data is stored, the other two tables are in fact controlling the user's access levels. The tables are interlinked, so you must be aware of that, the records must be in sync for the new account to be usable! Also, passwords are stored MD5 encoded, so if you made the changes using SQL queries (can be done by inserting new lines in the tables using phpMyadmin tools - that case is a bit different) you need an online MD5 encoder to generate an encoded version of password. I use a plain simple password I once encoded - and I change it immediately after the first login!

What else you need? yeah, you need couple of other things too, like what Joomla version you have and what is the last used UserID in the database. For the Joomla version the choices are simple at this moment, pre-Joomla 1.7 - so Joomla 1.0 or 1.5 - or newer. For last used UserID you can simply look at the "jos_user" table, and figure that out.

Joomla 1.0 and Joomla 1.5

In these earlier versions the default Super Administrator has the UserId set to 62, so you precisely need to use something bigger. The SQL query will look like:

INSERT INTO `jos_core_acl_aro` VALUES (13, 'users', '65', 0, 'Your Name', 0);
INSERT INTO `jos_core_acl_groups_aro_map` VALUES (25, '', 13);
INSERT INTO `jos_users` VALUES (65, 'Your Name', 'your_username', 'This email address is being protected from spambots. You need JavaScript enabled to view it.', 'f9451cee0c57d483d91bb611ae677999', 'Super Administrator', 0, 0, 25, '2006-06-07 00:48:25', '2006-12-13 06:15:19', '', 'editor=\nexpired=\nexpired_time=');

Some explanations: in the above queries 13 is the first usable "id" in the "jos_core_acl_aro" table, "65" is the first usable "id" in the "jos_users" table. The "jos_core_acl_groups_aro_map" table maps the newly crated user to the core ACL table's corresponding settings. In the last line of the query "25" is the group "id" for the Super Administrator group in the "jos_core_acl_aro_groups" table - this is generally is on the default value, but there are some components wich might manipulating/changing it, so worth checking, and the two timestamps are the registration and last visits dates respectively - both can be any valid timestamps from the past. What else need to be mentioned there??? Ah, yes, the string beginning with "f945" - it's the MD5 encoded password. You can generate one for you for example here.

Joomla 1.7 and newer

The database tables used there are a bit different:


As you can see, on newer versions the database is somehow simpler. The "jos_user" table holds approximatively the same info as the one was held in 2 tables, "jos_users" and "jos_core_acl_aro" in the earlier Joomla's, and the "jos_user_usergroup_map" have the similar function as the "jos_core_acl_groups_aro_map" has - to map the users to the usergroups held this time in the "jos_usergroups" table. All you should know about that table in this moment, that the SuperAdmin group is the one with "id" set to 8 by default. But as always, you should check that, if not was overridden. It can happens much often in newer Joomla's.

The query you should use is simpler, of course. You still need to check, what is the first available ID in the "jos_users" table. On these Joomla versions the default Super Administrator, created during install is set to 42 -so you should expect to find a value greater than that.

INSERT INTO `jos_users` (`id`, `name`, `username`, `email`, `password`, `usertype`, `block`, `sendEmail`, `registerDate`, `lastvisitDate`, `activation`, `params`, `lastResetTime`, `resetCount`) VALUES
(62, Your Name', 'your_username', 'This email address is being protected from spambots. You need JavaScript enabled to view it.', 'f9451cee0c57d483d91bb611ae677999', 'Super Users', 0, 1, '2011-11-30 03:57:21', '2013-09-17 09:58:21', '', '{}', '0000-00-00 00:00:00', 0);
INSERT INTO `jos_user_usergroup_map` (`user_id`, `group_id`) VALUES(62, 8);

What is different here? Not too much. The format of the password stored in the database is very different, usually is something like "7bea9a8ac848a4c6da429b1515aa61ff:IGN159L1qGHdAVucvLuE34pxy14T02X9" - but don't worry, the good old trick wich worked in Joomla versions prior to 1.7 is still working there ;), but on first touch will be changed to the new version - so you can reuse the old MD5-hash. You can remark another change too, the {} value in the "params" field. The user's parameters (and many other things in the new Joomla) are stored in a JSON strings. These include the backend template used, the users preferred language and lot of other things. And empty JSON strings means using the site's defaults - this variable will be also correctly filled after the first successful login.

That's it! Now you know how to create using a new Joomla super Administrator using PHPMyAdmin. The knowledge above is also can help you to change the access level for an existing user: to do that, you need only to change the mapping info. And what about using your FTP assets? Easy: create a PHP file which uses the above information, loads the configuration data, and does the database changes. Should be easy for a seasoned Joomla programmer. And maybe sometimes I will have the time to post there a sample code doing that!

A final warning

As you can see, letting any access info of your Joomla site in wrong hands can be deadly - someone can use even tha partial information to wreak havoc in your site. So, keep that powder dry, and the paranoia level (or security level, if you like ROTFL) high!

Category: Configuration tricks