My WordPress.org account was hacked, and the hacker changed the admin username and email address. My username (sanfranista) was relegated to a subscriber vs. the admin/author. Since discovering the hack, I’ve reset the passwords on both WordPress and Bluehost (my server), and I was able to change the admin email back to my own. However, I am unable to change the username back.
So now, there are two admin users on my account, sanfranista (which is what my original username was), and suryanata (hacker/fake user). Suryanata’s account is listed as the author of all 203 of my posts. I want to remove this faux user, but I’m concerned that if I do, my posts and hard work will be deleted.
Is there any way to take back over authorship of my posts and then delete this impostor? I asked Bluehost for help, but they were stumped about how this person was able to change the username in the first place.
Thanks so much for your help!
Hi gals, I just wanted to share that I also got hacked by this same hacker – suryanata.
I was browsing my site using a mobile device at home the other day and noticed that the contact-form plug-in from jetpack was not showing, it was just showing the codes in the website, also I have a views counter plug-in which was also not showing up.
At first I thought maybe wordpress did an auto update since I do not edit my site so much, just post once in a while if I have new products. So the next day I tried logging in but I could not and was shook!
Then I reached Hostgator support and they showed me how to edit the password from the back-end via cPanel, when I was there I saw that the new user name was suryanata. I changed the password and was able to log in again from the front-end (wp-login).
I noticed that all my plug-ins were disabled. This was done by the hacker. And he installed a redirect 301 plug-in. I never had any use for redirect so I never had it installed before but now it was there, so I deleted it and activated my old plug-ins. I think the hacker is trying to get redirects – for what reason I do not know. I then updated my WordPress site to the latest version 4.something. WordPress used to do it automatically for me before but not anymore, maybe there was a security flaw in the last version that allowed this type of hack.
Also I saw the suryanata guy’s email was [redacted] – so maybe he’s Indonesian or just using an Indonesian domain.
Later on to my dismay I found out that wordpress does not allow usernames to be changed, so I can’t revert back to my own username and I’m stuck with this suryanata username for now. I created another user with admin rights just to be sure in the future. I am not too familiar with wordpress, if anyone would help me in figuring out how to remove the username suryanata and put my own back I would appreciate it.
Hopefully this goes up the chain and the WordPress developers see this so we don’t get hacked by this method again. I don’t even know if my site is safe right now from the same attack or not. My site does not have SSL since I never need my readers’ sensitive information, there is no payment thingy in my website, I just post products that we sell then they reach me via email or phone. Not sure if not having SSL caused this problem.
Hi Jeff! Thanks so much for sharing what happened to you as well. It’s so infuriating to have your site hacked, and especially to not be able to resolve the username issue. I haven’t found someone yet to fix the username problem, but if I do, I’ll share an update here. Have you had any luck since you wrote?
Hi Sarah, I haven’t fixed the username issue yet.
I looked into my Google webmaster / search console and noticed that there were a lot of errors in the Structured data. Doing the structured data live test revealed a lot of Japanese characters – pointing to Japanese websites selling furniture. It was a good thing I deleted the 301 redirect plug-in because I think the hacker wanted to use my website and redirect all traffic to those Japanese sites.
I think the hacker was able to install some type of engine in the wp includes directory or something that changed all my meta and tags in the structured data (if that makes any sense)
I did install a security plug-in called WordFence, did a scan and it found some errors (some malicious alterations in the index.php also something in the wp includes directory that said it was an ass engine executing malicious commands). Quickly followed the WordFence prompts and now my structured data looks fine (no more Japanese characters). Also I updated everything like themes, plug-ins, even the inactive ones, maybe the hacker got access from there, I did not update them since I was not using them anyway.
I will check with Hostgator if they can help me with the username issue, they said they can restore from a previous back-up with a small fee but I’m not 100% sure when it comes to restoring stuff.
I will also dig deeper to my public files using cPanel just to check nothing suspicious there. After installing wordpress 2 years ago I never visited my site from the back-end using cPanel.
I will update this thread if I have any luck.
- This reply was modified 4 years, 5 months ago by jeffsilang89.
Hi everyone – Add me to the list of people who have had a site hacked by suryanata. I am using this thread to start the forensics on what to do. May we all find success in getting our sites back!
Hi luminarias, welcome to the club.
Here are a couple of things I suggest:
– Gain wp-login access back by changing the Password of suryanata via your cPanel or back-end. I was able to do this with my Hostgator cPanel – under software – Quick Install.
– Install WordFence Plug-In and run a scan. This showed me that my .htaccess or my index.php file had been altered and fixed that issue. Also it fixed some stuff in the wp-includes directory.
– Check your sitemap.xml. Mine was compromised and had thousands of URLs linking to Japanese websites. Delete that sitemap.xml if yours is also compromised then allow Google or another plug-in to generate a new one after. I found out a bit too late and now a lot of my Google search results are showing up in Japanese and I am still figuring out how to clear it =(
As to how to change the name of suryanata I still don’t know. Hostgator support said that is “beyond their support”. If anyone could show me how to do that I would really appreciate it.
I’m so glad to hear from others about this (well, not glad for you, but glad to not be alone on this!). I feel like there has to be a way to change the username, since the hacker was able to do it in the first place. I’m going to research developers/troubleshooters and see if this is something that can be done.
Have you all had any issues with your other accounts being compromised, or attempts to log in from outsiders? I know I used my WordPress password elsewhere, and I’ve been changing my password and haven’t had any issues yet, but it could happen.
Hi There, I just had the same issue around the same time I see Sarah posted. Our website (www.s18newborns.com) was hacked, and a user named “Suryanata” was created as the admin with all media, pages, and posts attributed to them. We were unable to log in, and had to do so through our hosting C-panel. From here, I was able to reduce the hacker’s permissions and ultimately delete them after setting up a new user for myself again. What a mess! Based on what I read, I’ll be looking into Vaultpress as well. My real problem now, however, is that our page, which was previously dominant in SEO is almost completely unrecognized by Google!
We used to be in the top 3 organic results for all of our targeted keywords (something that took years of hard work, keywords such as “south jersey newborn photographer”). After going through our site, I noticed the hacker had done a great deal of keyword stuffing, so I cleaned this up, and resubmitted our sitemap to Google. Almost instantly, we were atop the rankings again. But then… overnight, we disappeared again.
Currently, Google is pending our sitemap submission, and any attempts to Fetch our site in the Search Console return “temporarily unavailable.” It’s as if Google can’t access our page again. However, other site test pages (such as GTMetrix) show that our page is fine and functional.
Also, our host (Bluehost’s) C-panel says that the wordpress core files have been messed with and indicates we should restore them. However, it gives us an error each time.
We’re so burned out at this point… any help would be appreciated. I just want the site we worked so hard on (and we use to run our business) to be fixed!
For those of you who have encountered this issue, could you please share the version of WordPress you were running at the time your site was compromised and what themes and plugins you are actively running (plugin and theme version numbers are also helpful).
NOTE: It’s probably best NOT to publish your URL when discussing security in a public forum.
I’m a WordPress developer and work to secure sites on a daily basis. I was recently contacted regarding a similar issue and am actively investigating the root cause.
Here is the setup of the site I’m investigating:
Theme: Custom Theme (appears to be based on roots / soil library)
- Advanced Custom Fields PRO
- Advanced Custom Fields: Nav Menu Field
- Advanced Image Styles
- Custom Upload Dir
- Gravity Forms
- Gravity Forms Quiz Add-On
- PDF Embedder
- Preserved HTML Editor Markup Plus
- Regenerate Thumbnails
- RICG Responsive Images
- TinyMCE Advanced
- Yoast SEO
Also, to reset your username the fastest method is to edit the database directly via your cPanel / phpMyAdmin or command line. If anyone needs help in that regard I will try to assist if you care to reach out directly.
- This reply was modified 4 years, 4 months ago by D.S. Webster.
Just got this hack today. WordPress 4.9.2. Keymaster username was changed to monkey, password changed also. Email address wasn’t changed, so I could log in through the WP password reset function (just enter your email address…and the email you get tells you your new username, and you reset that password.) I can’t see anything else malicious.
Through cpanel->PhPMyAdmin, searching “monkey”, it shows up in the wp_users table — edit the table for your keymaster account back to your username. That’s all there is to it.
Now how it got hacked/changed is another question.
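The database edit mentioned in the replies above (fixing the login in `wp_users`) and the original question about taking back authorship before deleting the extra account, written out as an added example; it was not posted by any participant and is not WordPress's own code. It assumes MySQL/MariaDB via phpMyAdmin and the default `wp_` table prefix; `your_login` is a placeholder for the login you want, and `suryanata` is the unwanted login named in this thread.

```sql
-- Added example. If your table prefix is not wp_, change the table names
-- and the 'wp_capabilities' meta_key to match your prefix.
-- Export a database backup first, and submit all statements together in one
-- phpMyAdmin SQL box so the @variables are still set when they are used.

-- 1. Every account that holds the administrator role.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID;

-- 2. How much content each account owns (posts, pages, media, revisions).
SELECT u.ID, u.user_login, COUNT(p.ID) AS items
FROM wp_users u
LEFT JOIN wp_posts p ON p.post_author = u.ID
GROUP BY u.ID, u.user_login;

-- Look up both accounts; a variable stays NULL if that login does not exist.
SET @rogue_id := (SELECT ID FROM wp_users WHERE user_login = 'suryanata');
SET @my_id    := (SELECT ID FROM wp_users WHERE user_login = 'your_login');

-- Case A: your own account was renamed, so 'your_login' does not exist yet.
-- Runs only when @my_id is NULL. user_nicename is the URL slug, so keep it
-- lowercase with no spaces.
UPDATE wp_users
SET user_login = 'your_login', user_nicename = 'your_login'
WHERE ID = @rogue_id
  AND @my_id IS NULL;

-- Case B: both accounts exist. Move authorship to your account. The guard
-- leaves post_author untouched if either login was not found.
UPDATE wp_posts
SET post_author = @my_id
WHERE post_author = @rogue_id
  AND @my_id IS NOT NULL
  AND @rogue_id IS NOT NULL;
```

After Case B, re-run query 2 to confirm the unwanted account owns nothing, then delete it from the Users screen in the dashboard so its `wp_usermeta` rows are removed with it. Query 1 is also worth repeating later, since one poster reports the account coming back after removal.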
Same thing happened to me. Only issue is every time I remove the account and get a new username, password, and email address it just keeps happening again and again.
I’m really not sure what to do. Is the only option just paying Sucuri or Sitelock hundreds of dollars to potentially find the issue?
Thanks for the help.
I’m following up on this, as I have a similar issue as Sarah. However… I’m unable to access my WP Dashboard.
I’ve tried to recover my password, but the system says the username provided is wrong – which I’m 99% sure it’s not (I use Lastpass to store passwords, and have never changed this). In other words, the hacker has changed my username and I cannot access my site control panel.
Hi acalerog, welcome to the party.
The hacker changed the username so you won’t be able to log-in at all. You will need to have access to your cPanel and depending on your host, work from there.
I use host gator and using the cPanel – quick install section – I was able to find my wordpress site installed with a different user name and I changed the password from there. The username however is still the hacker’s name Suryanata.
From my understanding you can also change username and password from the database – that would be the phpMyAdmin or something like that (also in the cPanel) then look for the users section. I have not done this yet since I am not too familiar with making changes in the database itself.
How the hacker got into my wordpress site in the first place still baffles me, although I was never always keeping my website updated when new versions of wordpress or plug-ins or themes came out. So the fault was mine in that part. Now I update everything as soon as I see there is a new update.
Seconding Jeff’s suggestion, the only way I could initially get in was through the CPanel. If you’re not sure how to do so, call your hosting company and have them walk you through it- it was definitely helpful for me.
They were, however, at a loss as to how to change the username, which is frustrating. I still haven’t solved that one.
I installed the WordFence plugin for added security and also made sure that I had a backup of my site’s files in case this happens again. I feel like I should hire someone to look through all the code to see if there’s anything weird in there- has anyone had any luck doing something similar?
Thanks again to everyone for contributing to this thread- so helpful!
Hi Sarah, I suggest you change the username of the hacker right away as they again got access to my account and I had to reset the password via cPanel.
I just changed the username via the PhpMyAdmin, you can find the steps here for host gator – http://support.hostgator.com/articles/specialized-help/technical/wordpress/how-to-change-your-wordpress-login-username
The steps are pretty simple and should be similar for other hosting companies.
Now my problem is that the hack created a lot of fake URLs and if I do a site search in Google by typing “site:www.mydomain.com” I see a lot of gibberish Japanese text. It shows that there are 200,000 results when I only have 600 actual posts in my website =/
I installed wordfence and cleaned up my sitemaps the first time I got hacked since I noticed these were not proper but these Japanese texts still show up when I do the google search. Anyone here know how to fix this?
- This reply was modified 4 years, 3 months ago by jeffsilang89.
Jeff, you are my hero. I just went into the cPanel and changed the username. Suryanata is no more! I also found out via Wordfence that there were 29 login attempts to my site by someone trying to use the username “admin”, and I’m assuming it’s the same person who started this trouble in the first place.
I haven’t run into the sitemaps issue–that sounds incredibly frustrating. I’m hoping someone here has run into that before and knows what to do!
- The topic ‘Account hacked; changed username’ is closed to new replies.