Hacker registered user

  • Hi
    I have 10 portals based on WordPress. A hacker registered users with administrator privileges on 8 portals. The accounts are of this type: wp.service.controller.cUxBl, wp.service.controller.M8Jgt. A month ago they were not there. Yesterday, on my phone, I opened one of my pages and it redirected me to another, foreign page. I have a plugin that protects against brute-force intrusion. I have different themes. My plugins are:
    Easy Plugin for AdSense
    All in One SEO Pack
    Facebook Like & Share Button
    Cookie Notice (
    Jeba Limit Login Attempts
    SI CAPTCHA Anti-Spam
    Top 10 (2.4.1)

Viewing 10 replies - 16 through 25 (of 25 total)
  • angelwp


    Hello, I'm kinda in the same situation. I'm doing cleaning etc. every 4 days. Has anyone been able to stop the attacks?



    How can I scan my DB?

    If I find something like this in the database, should I delete it?
    SELECT * FROM db_fppv.wp_posts WHERE (CONVERT(ID USING utf8) LIKE '%eval%' OR CONVERT(post_author USING utf8) LIKE '%eval%' OR CONVERT(post_date USING utf8) LIKE '%eval%' OR CONVERT(post_date_gmt USING utf8) LIKE '%eval%' OR CONVERT(post_content USING utf8) LIKE '%eval%' OR CONVERT(post_title USING utf8) LIKE '%eval%' OR CONVERT(post_excerpt USING utf8) LIKE '%eval%' OR CONVERT(post_status USING utf8) LIKE '%eval%' OR CONVERT(comment_status USING utf8) LIKE '%eval%' OR CONVERT(ping_status USING utf8) LIKE '%eval%' OR CONVERT(post_password USING utf8) LIKE '%eval%' OR CONVERT(post_name USING utf8) LIKE '%eval%' OR CONVERT(to_ping USING utf8) LIKE '%eval%' OR CONVERT(pinged USING utf8) LIKE '%eval%' OR CONVERT(post_modified USING utf8) LIKE '%eval%' OR CONVERT(post_modified_gmt USING utf8) LIKE '%eval%' OR CONVERT(post_content_filtered USING utf8) LIKE '%eval%' OR CONVERT(post_parent USING utf8) LIKE '%eval%' OR CONVERT(guid USING utf8) LIKE[…]

    • This reply was modified 4 years ago by angelwp.


    Check your users first and delete the wp.service.controller user. Then check your plugins. Hackers use one of them to get to your site. Try updating plugins or disable old ones. You can set permission 444 to index, wp-config and wp-settings php files.

    I had the same issue in the last few days and was notified via the Google Search Console team. I found very little information on this type of hack with a Google search for wp.service.controller.

    Thanks to @ernasx and @dzemens for those plan summaries. On one of my sites that had been attacked, the damage was fairly deep. I’d like to add that I used WPMU Dev’s Defender first since it was installed. It found some files, then Wordfence found more and then GOTMLS found even more. I can’t say which is best because of the order I used them in, but one piece of software would have been waaay less time consuming. I had a few of the things others mentioned… simply-named php files in the main wp directory (the file names seem to be taken from text on the site), php files in wp-content, modified wp-config and index files and the favicon files that fake you out.

    I want to patch the hole, but it’s hard to find a common denominator when you tend to use the same plugins again and again. But FOR ME the biggest similarity I was leaning toward with the sites that got hit was that they allowed registration… but not truly open registration… they are used with S2 Member and are the only sites that use wp-login.php without obscuring the login path. The first site allows registration, but only with an invite code from another plugin. The amount of invites used equaled the amount of legit users, so the hack/script seemed to get around that (11 wp.service.controller accounts). I also had a plugin that allows me to approve accounts; it did not notify me of these clandestine accounts. With the other site that got hit, you have to pay for an account, but presumably they got around that (2 wp.service.controller accounts).

    That is not to say that a password was not compromised, but I’m the only admin account and the sites are 2-factor protected and I’ve done most of the things the iThemes Security plugin recommends. And of course many other good-practice site and password protections.

    Anyway, I think I have the sites cleaned. I can temporarily close one site to registration, but the other paid site I can’t. So, does anyone know more about the wp.service.controller hack and how to protect against it?

    Just want to add that if you’re cleaning your site every couple of days, you need to reset all site cookies. It’s possible you’ve been hit with an XSS attack to steal user cookies, and your admin cookies are being used to access your site and reinfect.

    Just open config.php and follow the instructions for resetting your WordPress keys so that all users have to log in again.

    Then change your passwords again, just to be on the safe side.

    And definitely delete any admin users that you didn’t personally create, including wp.service.controller.XXXXXX and any named “debug” if you didn’t personally create them. I found a backup plugin was creating this admin-level user automagically (and not disclosed anywhere in the plugin docs).

    It’s also a good idea to let Wordfence scan folders outside of the WordPress install on occasion. I have found malware in folders outside of WordPress. You can change this in the settings.

    • This reply was modified 3 years, 10 months ago by pemitchell.
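One way to run the account check described in the replies above, as an added example that is not part of any poster's reply: it filters the CSV printed by WP-CLI's `wp user list` and flags administrators matching the `wp.service.controller.` pattern, a `debug` user, or any login missing from your own allow-list. The function names, the allow-list argument and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag administrator accounts you did not create yourself.
# Real input would come from WP-CLI:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_registered --format=csv | flag_admins "siteowner"
# $1 = comma-separated logins of the admins you created (hypothetical names).
# Assumes logins contain no commas. Output: ID, login, registered, reason (tab-separated).
flag_admins() {
    awk -F',' -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                  # skip the CSV header row
        {
            gsub(/"/, "")                 # drop the quotes CSV puts around dates
            login = $2
            if (login in ok) next         # an account you created yourself
            if (login ~ /^wp\.service\.controller\./) reason = "thread-pattern"
            else if (login == "debug")                reason = "debug-user"
            else                                      reason = "not-allow-listed"
            print $1 "\t" login "\t" $3 "\t" reason
        }'
}

# Constructed sample rows (not real data); one login is taken from the first post.
sample_csv() {
    cat <<'EOF'
ID,user_login,user_registered
1,siteowner,"2015-01-10 09:00:00"
7,wp.service.controller.cUxBl,"2017-03-02 04:11:52"
9,debug,"2017-02-20 18:30:01"
12,helper,"2017-03-05 12:00:00"
EOF
}

sample_csv | flag_admins "siteowner"
```

The registration date in the third column helps line an account up with the time the site started misbehaving.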

    For membership sites it might be a good idea to set up Google reCaptcha on your registration page and other pages where users enter data.

    I too have this problem on two of my sites. I’m up to date on WordPress, theme and all my plugins. I’ve looked at the list of plugins that others have listed here on this thread. I don’t see any commonality. The only thing that my two sites have in common is that they both use a theme by cyberchimps (I’m using responsive). Anyone else think it might be a vulnerability in the theme?

    @pemitchell You mentioned that a backup program was creating admin accounts. Can you tell us which program you’re using? Thinking this might be a possible vulnerability. I’m using backwpup.

    I was using backup-dropbox. It created a user named “debug” with admin level privileges, and nowhere in the documentation did I find that disclosed. I only discovered it connected to that plugin because another user posted about it in the support forum.

    Interesting note, I used the plugin on two sites hosted on the same server, one which hadn’t been updated in 9 months and did not have the debug user. The other site had been updated regularly, and did have the debug user.

    Indeed @pemitchell, I was “clean” for almost 4 months, after cleaning every 3–4 days. What worked for me, until today, was:

    -Remove infected code detected by Wordfence
    -Manually check the project for weird .php files and delete them
    -Manually check code with the “edit” option from cPanel, because some malicious code was encrypted
    -Clean the cookies as our friend pemitchell says, in wp-config, and use the salt link provided by WordPress
    -Change cPanel password
    -Monitor the server processes daily; some PHP scripts pop up there, manually search for them and delete them too

    With this I was clean for almost 4 months.

    But now I got a message from Wordfence with this:
    Critical Problems:

    * File appears to be malicious: wp-content/plugins/revslider/css/ymjuehdi.php

    * File appears to be malicious: wp-content/uploads/2017/04/rhbqlccc.php

    Same way as before, but it looks like it was only 1 website, and not all of them as usual.

    How can this kind of code injection be done? There are no new users on the website.

    I can't find the security hole.

    • This reply was modified 3 years, 9 months ago by angelwp. Reason: important one
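The manual file checks described in the replies above can be scripted. This is an added example, not code from any poster: it lists PHP files under `wp-content/uploads`, PHP files in the install root that are not core files, and PHP files where `eval` is fed by a decoder. The function names and the demo tree are assumptions; the two file names in the demo come from the Wordfence report quoted above, with constructed contents.

```shell
#!/bin/sh
# Added example: list PHP files in the places the posters found dropped files.
# Usage: scan_wp_tree /path/to/wordpress
# Prints "<reason><TAB><path>" per hit; hits are leads to review, not verdicts.

# PHP files that ship in the WordPress root (plus wp-config.php).
CORE_ROOT="index.php wp-activate.php wp-blog-header.php wp-comments-post.php
wp-config.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php
wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php"

tag() {  # prefix each path read from stdin with the reason given in $1
    while IFS= read -r f; do printf '%s\t%s\n' "$1" "$f"; done
}

scan_wp_tree() {
    root=$1
    # 1. PHP under uploads (assumption: this directory should hold media only).
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null | tag php-in-uploads
    # 2. PHP in the install root that is not a core file.
    for f in "$root"/*.php; do
        [ -f "$f" ] || continue
        case " $(echo $CORE_ROOT) " in
            *" ${f##*/} "*) ;;
            *) printf 'unexpected-root-php\t%s\n' "$f" ;;
        esac
    done
    # 3. eval() fed by a decoder: a heuristic for the "encrypted" code mentioned above.
    find "$root" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' {} + 2>/dev/null |
        tag eval-decoder
}

# Constructed demo tree (file contents are harmless placeholders).
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads/2017/04" "$t/wp-content/plugins/revslider/css"
    printf '%s\n' '<?php // core' > "$t/index.php"
    printf '%s\n' '<?php echo 1;' > "$t/about.php"
    printf '%s\n' '<?php echo 2;' > "$t/wp-content/uploads/2017/04/rhbqlccc.php"
    printf '%s\n' '<?php eval(base64_decode($x));' \
        > "$t/wp-content/plugins/revslider/css/ymjuehdi.php"
    echo "$t"
}

if [ -n "${1:-}" ]; then scan_wp_tree "$1"; fi
```

Some legitimate plugins also trip the third check, so compare each hit against a clean copy of the plugin before deleting anything.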
  • The topic ‘Hacker registered user’ is closed to new replies.