diff --git a/controllers/admins.js b/controllers/admins.js
index 7d08e1b..a1398a3 100644
--- a/controllers/admins.js
+++ b/controllers/admins.js
@@ -1,4 +1,5 @@
 const User = require('../models/schemas/user');
+const bcrypt = require('bcrypt-nodejs');
 
 exports.createAdmin = (req, res, next) => {
     if (typeof req.body.email !== 'string')
@@ -53,6 +54,10 @@ exports.createAdmin = (req, res, next) => {
     if (req.body.hash)
         userData.hash = req.body.hash;
 
+    // hash pw, since mongoose findOneAndUpdate bypasses hooks
+    // https://github.com/Automattic/mongoose/issues/964
+    userData.hash = bcrypt.hashSync(userData.hash);
+
     if (userData.phone)
         var userQuery = {$or: [{email: userData.email}, {phone: userData.phone}]};
     else