WordPress.org


Hidden Superadmin accounts following hacked site? (5 posts)

  1. dgilmour
    Member
    Posted 3 years ago #

    My site was affected by the recent malware incident.

    While sorting that out I removed superadmin privileges until these accounts had passwords confirmed reset. During that, I noticed that the count of superadmins displayed above the user list is 5, although only 1 superadmin account is listed.

    I am concerned this could mean that rogue accounts have been created and are being hidden in some way. Can anyone point me to a process for dealing with this situation? I have a reasonable idea how the database tables work, but no idea how accounts can be hidden, or what to do about that.

  2. Jackson
    Member
    Posted 3 years ago #

    When they insert the users into the DB, they sometimes include .js which can hide the row in the list of users. If you find superadmins in your user table that you did not add, I would treat this as a compromise and install fresh and restore from backups.

    You can use PHPMyAdmin to delete the users from the DB directly, and change your salts in wp-config.php.

    Let us know how it goes.

    Also worth checking out is the excellent Exploit Scanner plugin.

  3. Yeah, there was a hack going around on single sites that did the same.

  4. dgilmour
    Member
    Posted 3 years ago #

    @Jackson: I'd already done a fresh install, and was hoping to avoid having to restore from backups; I don't know exactly when things were malware free, and it's a busy site with approx 100 posts per day.

    Have used MySQL command line to delete the excess superadmins. I used Andrea's advice here to find out what to change: http://wordpress.org/support/topic/recover-super-admin-access-after-username-change?replies=13#post-1572003

  5. Jackson
    Member
    Posted 3 years ago #

    You should, at a minimum, run Exploit Scanner, re-install your themes and plugins, reset your MySQL db password, and secure your wp-config.php file.

    Exploit Scanner will uncover some of the more common stuff.

Topic Closed

This topic has been closed to new replies.
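
Added example, not part of the original thread: an audit for the mismatch described above (more superadmins counted than listed). It assumes a multisite install where the superadmin list is the PHP-serialized array of logins stored under `site_admins` in `wp_sitemeta` (default table prefix), and it runs on exported rows; all sample data and the names `audit` and `parse_login_array` are constructed for illustration.

```python
import re

# Constructed sample data: the 'site_admins' meta_value from wp_sitemeta
# (assumed default prefix) and a few rows exported from wp_users.
SITE_ADMINS = 'a:3:{i:0;s:5:"admin";i:1;s:6:"wpsupp";i:2;s:5:"ghost";}'
USERS = [
    {"ID": 1, "user_login": "admin", "display_name": "Site Admin"},
    {"ID": 7, "user_login": "editor1", "display_name": "Editor One"},
    {"ID": 9, "user_login": "wpsupp",
     "display_name": "<script>/* constructed placeholder */</script>"},
]
EXPECTED = {"admin"}  # logins the site owner knowingly made superadmin

ITEM = re.compile(rb'i:\d+;s:(\d+):"')
MARKUP = re.compile(r"<\s*/?\s*(script|style|iframe)\b", re.I)

def parse_login_array(raw):
    """Parse a flat PHP-serialized array of strings (the site_admins shape)."""
    data = raw.encode("utf-8")  # PHP string lengths count bytes, not chars
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a PHP-serialized array")
    pos, logins = head.end(), []
    for _ in range(int(head.group(1))):
        item = ITEM.match(data, pos)
        if not item:
            raise ValueError("unexpected element at byte %d" % pos)
        start = item.end()
        end = start + int(item.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError("declared length does not match string")
        logins.append(data[start:end].decode("utf-8"))
        pos = end + 2
    return logins

def audit(site_admins_raw, users, expected):
    """Return (login, finding) pairs worth a manual look."""
    known = {u["user_login"] for u in users}
    findings = []
    for login in parse_login_array(site_admins_raw):
        if login not in expected:
            findings.append((login, "unexpected super admin"))
        if login not in known:
            findings.append((login, "super admin with no wp_users row"))
    for u in users:  # markup in a user field can hide the row in the admin list
        fields = [k for k, v in u.items() if isinstance(v, str) and MARKUP.search(v)]
        if fields:
            findings.append((u["user_login"], "markup in " + ",".join(fields)))
    return findings
```

Any finding is a reason to review that account directly in the database rather than through the admin user list.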
