Title: A user has become admin
Last modified: August 30, 2016

---

# A user has become admin

 *  [Annandale Apps](https://wordpress.org/support/users/annandale-apps/)
 * (@annandale-apps)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/)
 * Hi there,
 * One of my users on my site, who was Author appeared to become Admin. The next
   day he passes me and says ‘You’ve got a security flaw’, but now I’m trying to
   work out what on earth is going on.
 * How can I stop this, because he isn’t the kind of employee I can trust as admin
   on my site. He won’t give me a hint on how he did it, or what the bug is – he’s
   one of those pesky students trying to make a statement.

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [Mary01](https://wordpress.org/support/users/mary01/)
 * (@mary01)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582284)
 * Hello,
 * You can delete unwanted admin account.
    Follow this link: [https://wordpress.org/support/topic/how-do-i-delete-the-admin-account?replies=4](https://wordpress.org/support/topic/how-do-i-delete-the-admin-account?replies=4)
 *  Thread Starter [Annandale Apps](https://wordpress.org/support/users/annandale-apps/)
 * (@annandale-apps)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582296)
 * I don’t want him to be deleted, but rather I don’t want him to become admin again.
 *  [Chad Smith](https://wordpress.org/support/users/chadsmithdev/)
 * (@chadsmithdev)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582297)
 * ….It’s debatable if he’s not the kind of guy you can trust. I’d think that you
   _could_ trust him. Why would he tell you that he cracked your site otherwise?
 * Here’ s brilliant suggestion: Why don’t you ask him how he did it? Then you can
   fix it.
 * Seems like he may have the answer you’re looking for…..
 * Just my, often unwanted, opinion,
    Chad
 * If you do ask him and you fix it – please post the solution here so others can
   find this in the future….For when they don’t have the luxury of asking the guys
   who broke in….
 *  [Chad Smith](https://wordpress.org/support/users/chadsmithdev/)
 * (@chadsmithdev)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582298)
 * I just re-read my last post and it sounded rude I think…That was unintended. 
   Apologies.
 * What I meant was that I think you’d just tell him that you’re impressed (feed
   his ego) and want to know how he did it…
 * I’ve been that cocky student – I would have been honored to have a person ‘above
   me’ ask for my assistance…..He just needed to let you know you needed some assistance.
   🙂
 * Anyway – no hard feelings – sorry for the quasi-rude last post.
 * Thanks,
    Chad
 *  Thread Starter [Annandale Apps](https://wordpress.org/support/users/annandale-apps/)
 * (@annandale-apps)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582300)
 * I certainly didn’t read it as rude, so no worries there.
 * I agree that he’s the only one who knows the exact answer, so I’ll just have 
   to (as you say) feed his ego.
 * I’ll meet him tomorrow, but in the meantime I’ve installed about a dozen security
   plugins, Admin SMS dual-authentication and so-on.
 * If there is a security flaw in my website, I’d rather find out from a student/
   colleague with an ego, than a real hacker trying to steal my website.
 *  [Chad Smith](https://wordpress.org/support/users/chadsmithdev/)
 * (@chadsmithdev)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582302)
 * Cool! Looking forward to hearing how he did it!
 * I'm following along with this post – you sure you don't just have your UN and
   PW written somewhere that he can get to it? A file on the desktop named
   "wordpress_password.txt" or something…LoL!
 * Have a good day,
    -Chad
 *  [Mary01](https://wordpress.org/support/users/mary01/)
 * (@mary01)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582312)
 * Yes it is a possibility.
 * Did you try Menus –> Change role back to author
 * Then try changing your administrative account password, hosting control panel
   password, FTP password, and all email account passwords related to the website.
 * Regards,
 *  Thread Starter [Annandale Apps](https://wordpress.org/support/users/annandale-apps/)
 * (@annandale-apps)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582425)
 * OK. I found out in the end.
 * Authors can upload files into the media library, and that's where the weakness
   was. He uploaded a particular file that roots around the website and finds weak
   points and essentially hacks it. From this, he could basically set up the website
   as if it were being installed for the first time, and create an admin account
   as the creator of the website.
 * He’s a little cheeky monkey, but I did get to the source of the issue. Basically,
   he was only able to do this because he already had Author access to the site.
   He couldn’t have uploaded a file to the media library if he had just been a subscriber.
 * Since then though, I've installed a raft of security plugins, only let .png and
   .jpg be uploaded, and a rather cool Dual-Authentication SMS code generator,
   which basically texts me a code every time an admin tries to log in (very cool).
 * All of which means that he won’t be able to sneak in again.
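The post above describes the root cause (an Author-role account can upload to the media library, and the uploaded file was run by the server) and the poster's fix (only .png and .jpg allowed). An extension whitelist on its own does not stop a script body that arrives under an image name, so a practitioner cleaning up would also want to check what is already sitting in the uploads tree. The scanner below is an added example written for this page, not code from the thread or from WordPress. It assumes the uploaded file was server-side script code (the thread never names it), that the server maps the listed extensions to a script handler (an Apache/PHP-style assumption; adjust for the real server), and it builds a small constructed sample tree so it runs offline.

```python
"""Scan a WordPress wp-content/uploads tree for files that are server-side
code rather than the images an Author-role upload should contain.

Added example for this page, not from the thread or from WordPress.
Assumptions: the server treats SCRIPT_EXTS as executable (Apache/PHP-style
mapping), and the allowed image types are the .png/.jpg the poster kept.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Assumption: extensions the web server hands to a script handler.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Magic bytes for the image types the poster allowed after the incident.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# A PHP open tag ("<?php" or the short echo form "<?=") anywhere in the header.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def inspect_file(path: Path) -> list[str]:
    """Return the reasons this file is suspicious (empty list if none)."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""

    # 1. A script extension has no business in an uploads directory.
    if ext in SCRIPT_EXTS:
        reasons.append(f"script extension {ext}")

    # 2. Double extensions such as name.php.jpg: some handler configurations
    #    match any dotted segment, so the file may still be executed.
    if any(s in SCRIPT_EXTS for s in suffixes[:-1]):
        reasons.append("script extension hidden before image extension")

    head = path.read_bytes()[:4096]  # header plus any leading script tag

    # 3. The name claims an image type but the file header does not match.
    if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        reasons.append(f"{ext} header missing")

    # 4. PHP open tag present regardless of what the extension says.
    if PHP_OPEN_TAG.search(head):
        reasons.append("PHP open tag present")

    # 5. An .htaccess dropped into uploads can re-enable script execution
    #    for "image" extensions, undoing a whitelist at the WordPress layer.
    if path.name == ".htaccess":
        reasons.append(".htaccess in uploads tree")

    return reasons


def scan_uploads(root: Path) -> dict[str, list[str]]:
    """Walk root (wp-content/uploads) and map relative paths to reasons."""
    findings: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = inspect_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample uploads tree for a stand-alone run (not real data).
    Script bodies are deliberately inert; only their shape matters here."""
    month_dir = root / "2016" / "08"
    month_dir.mkdir(parents=True, exist_ok=True)
    (month_dir / "photo.jpg").write_bytes(IMAGE_MAGIC[".jpg"] + b"\xe0" + b"\x00" * 64)
    (month_dir / "logo.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 64)
    (month_dir / "shell.php").write_bytes(b"<?php echo 'x'; ?>")
    (month_dir / "cat.php.jpg").write_bytes(b"<?php echo 1; ?>")
    (month_dir / "fake.jpg").write_bytes(b"GIF89a" + b"<?= 'x' ?>")
    (root / ".htaccess").write_bytes(b"AddHandler application/x-httpd-php .jpg\n")


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_uploads(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against a real tree with `scan_uploads(Path("/var/www/html/wp-content/uploads"))`. The clean `photo.jpg` and `logo.png` in the sample produce no findings; the other four files each trip at least one check. The lesson the checks encode is that the upload filter and the web server must agree: WordPress should reject anything that is not an image, and the server should refuse to execute scripts under the uploads directory, so that a file slipping past one layer is still inert.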
 *  [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * (@claytonjames)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582430)
 * This says it all:
 * >  How can I stop this, because he isn’t the kind of employee I can trust as 
   > admin on my site. He won’t give me a hint on how he did it, or what the bug
   > is – he’s one of those pesky students trying to make a statement.
 * Not to sound alarmist but to be realistic; If the explanation regarding how the
   flaw was exploited was explained to you as presented, it’s most likely an intentional
   oversimplification of what’s actually been done on the server.
 * My personal response would be that _All_ access for this individual should be
   firmly denied, and if the server the site sits on provides shared resources in
   an academic or corporate environment – or is on shared public hosting (you should
   assume it’s still compromised in any event) – you should make the appropriate
   contacts within your IT department or hosting support staff to ensure the continued
   safety of any other resources or sites on the server.
 * This type of intentional compromise and attitude should not be viewed as a trivial
   matter.
 * Just my opinion, mind you.

The topic ‘A user has become admin’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 9 replies
 * 4 participants
 * Last reply from: [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * Last activity: [10 years, 7 months ago](https://wordpress.org/support/topic/a-user-has-become-admin/#post-6582430)
 * Status: not resolved