Someone add a new User administrator!

  • Today someone created a new user, and it's an administrator. I have the registration disabled!

    How did this happen?

    And how can I check if he changed something in the database?

    I was using 4.0.

Viewing 4 replies - 1 through 4 (of 4 total)
  • This is a bad notification to receive.
    You need to delete that user and renew your salt keys in your wp-config file to log out all users. Then follow the advice here: http://codex.wordpress.org/FAQ_My_site_was_hacked

    It’s also worth considering backing up from a previously clean state (files & database) and checking in your database “wp_users” for any hidden users. I would also update ALL passwords (cPanel/FTP/WP dashboard/database).

    Good luck!

    Moderator t-p

    (@t-p)

    – First off, use this plugin to check for exploits and malware: http://wordpress.org/extend/plugins/quttera-web-malware-scanner/
    – Alternatively, use the online Sucuri scanner: http://sitecheck.sucuri.net/scanner/

    – Also, change your login credentials, because whoever did it can do it again.

    – Review this codex for hardening tips: http://codex.wordpress.org/Hardening_WordPress

    Thread Starter roro

    (@roro)

    188.163.80.197 - - [09/Feb/2015:07:51:59 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:07:52:00 +0100] "POST /wp-login.php?action=register HTTP/1.0" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:07:52:02 +0100] "POST /wp-login.php?checkemail=registered HTTP/1.0" 200 2862 "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:07:52:03 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:07:52:03 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:07:52:04 +0100] "POST /wp-login.php?action=register HTTP/1.0" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:07:52:05 +0100] "POST /wp-login.php?registration=disabled HTTP/1.0" 200 2775 "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:07:52:06 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:15:22:22 +0100] "POST /wp-login.php HTTP/1.0" 500 276 "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:20:40:35 +0100] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:20:40:36 +0100] "GET /wp-login.php?redirect_to=http%3A%2F%2F********.org%2Fwp-admin%2F&reauth=1 HTTP/1.1" 200 2722 "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:20:40:37 +0100] "POST /wp-login.php HTTP/1.0" 200 3624 "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:20:40:38 +0100] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:20:40:39 +0100] "GET /wp-login.php?redirect_to=http%3A%2F%2F********.org%2Fwp-admin%2Fplugin-install.php%3Ftab%3Dupload&reauth=1 HTTP/1.1" 200 2751 "-" "Mozilla/3.0 (compatible; Indy Library)"
    188.163.80.197 - - [09/Feb/2015:20:40:39 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
    188.163.80.197 - - [09/Feb/2015:20:40:44 +0100] "POST /wp-login.php?redirect_to=http%3A%2F%2F********.org%2Fwp-admin%2Fupdate.php%3Faction%3Dupload-plugin&reauth=1 HTTP/1.0" 200 2753 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
    188.163.80.197 - - [09/Feb/2015:20:40:45 +0100] "GET /wp-content/plugins/tell-a-friend/tell-a-friend.php HTTP/1.1" 404 36193 "-" "Mozilla/3.0 (compatible; Indy Library)"

    Do you have the tell a friend plugin installed, or was it installed after the new user appeared? If so, this could be the source of your attack: HACKED – Plugin abused by malicious third parties

    I would remove this plugin if it is installed on the site, and then work through the advice from @tara and myself. Once your site is clean, definitely take a look at the Hardening WordPress codex that @tara links to. Following those steps will greatly reduce the chance of any future hack of your site.
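
Added example (not part of the thread and not any poster's code): a small triage script for access logs like the one posted above, which groups registration, admin-ajax and plugin-upload requests by client IP and notes when one IP switches user agents. The rule names, function names and sample lines are assumptions made for this example; the sample lines are constructed and use documentation IP addresses.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the lines posted in the thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Request kinds visible in that log (rule names are this example's own).
RULES = [
    ("register_attempt", "POST", re.compile(r"^/wp-login\.php\?action=register")),
    ("plugin_upload", "POST", re.compile(r"^/wp-admin/update\.php\?action=upload-plugin")),
    ("upload_form", "GET", re.compile(r"^/wp-admin/plugin-install\.php\?tab=upload")),
    ("admin_ajax_post", "POST", re.compile(r"^/wp-admin/admin-ajax\.php")),
]

def triage(lines):
    """Return {ip: {"hits": {rule: count}, "agents": {user agents}}}."""
    report = defaultdict(lambda: {"hits": defaultdict(int), "agents": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        for name, method, pattern in RULES:
            if m["method"] == method and pattern.search(m["path"]):
                report[m["ip"]]["hits"][name] += 1
                report[m["ip"]]["agents"].add(m["ua"])
    return report

def suspicious(report):
    """IPs that tried to register and also requested the plugin uploader."""
    return sorted(ip for ip, r in report.items()
                  if r["hits"]["register_attempt"]
                  and (r["hits"]["plugin_upload"] or r["hits"]["upload_form"]))

# Constructed sample lines (not taken from the thread's log).
SAMPLE = [
    '203.0.113.7 - - [09/Feb/2015:07:52:00 +0100] "POST /wp-login.php?action=register HTTP/1.0" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '203.0.113.7 - - [09/Feb/2015:07:52:03 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 - "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '203.0.113.7 - - [09/Feb/2015:20:40:38 +0100] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '203.0.113.7 - - [09/Feb/2015:20:40:39 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '198.51.100.20 - - [09/Feb/2015:09:00:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [09/Feb/2015:09:00:05 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for ip in suspicious(report):
        print(ip, dict(report[ip]["hits"]), len(report[ip]["agents"]), "user agents")
```

Admin-ajax POSTs alone are normal traffic, so the script only flags an IP when registration attempts and plugin-uploader requests appear together.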
