Support » Installing WordPress » Admin stolen? Install security risk?

  • I intalled WordPress last night and asked my ISP to switch on MySQL and PHP. However after a few hours the PHP still wasn’t activated and so I went to sleep. This morning I find PHP working, and tried to run the install. It gave me an admit password but it didn’t work! I noticed that there was a link from the index.php page to the admin page, so I checked my server logs and sure enough overnight somebody had gone to index.php and then on to the admin page and presumably created an admin login and password before me!?!?

    Firstly, I can’t believe that the default behaviour is so amazingly insecure that upon install admin can be stolen by the first person that types in your url. Or am I just a confused newbie?

    Secondly… help!!! I guess I need to do a reinstall of everything but this time not installing index.php until I’ve got admin login? I’ve deleted all the wordpress files from the host. What about the admin password.. is that in the MySQL database? Do I need to some how remove this too? I have no idea how to do that.

    Thanks for any help.

Viewing 7 replies - 1 through 7 (of 7 total)
  • whooami



    as is explained in the documentation, everything is stored in your mysql database, including the admin password.

    You can use phpmyadmin and go in and EMPTY all your wordpress tables — that will remove the password as well anything else that might be lingering.

    You might also want to just start fresh, in which case you ought to DROP all those tables, edit wp-config.php to reflect a new $table_prefix, and reinstall.

    Nothing was STOLEN as you never installed WP in the first place.

    If you left WP uploaded to you webspace without it already being installed that is your own fault. It is not a security bug that you left your website with a uninstalled script.

    But saying that, its not a major issuse just drop the DB and start again but make sure you at least install the script before you go to bed this time

    *edit* Btw how did he managed to install WP, he would need to know your MySQL details…




    “Btw how did he managed to install WP, he would need to know your MySQL details…”


    dont prattle on if you dont know what youre talking about, it just makes things worse.

    Yeah I guessed that basically that was what I’d have to do.

    I still find it strange that the default is to have an index.php page that points anybody coming past at the admin account creation.

    Thanks for your help.

    [personal attack removed – spencerp]

    If he left WP uploaded with wp-config.php intact with his MySQL details then yes they could install it.

    But you would assume that due to the fact PHP/MySQL wasnt enabled that he would have these setup.

    Guess i was wrong.


    I was just following the installation instructions. It was only when I got to running the install script that I realised that PHP still hadn’t been activated by my ISP. I guessed it would be unlikely that somebody would know what I had an install script and where it was and thus run it before the morning (you can’t see the directory contents on my web server).

    What I didn’t realise was that the index.php would point everybody going to my url straight at the admin setup script! If you’re simply following the installation instructions you have to pray that nobody goes to your url before you do.

    Of course next time I’ll be smarter and won’t follow the installation instructions quite so closely…

    Please refrain from personal attacks here please! Thanks!

    Phunky, your posted was edited, as under the rules, Section B, Number 5.

    I have the original comment saved, incase anyone thinks it should be re-added again. Anyway, let’s keep this thread running smoothly. =)


Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Admin stolen? Install security risk?’ is closed to new replies.