Support » Fixing WordPress » Reporting Hacking??? Someone added a user

  • Resolved ben37d


    I had an issue with someone creating an admin user without logging into the dashboard. I am wondering how to figure out the IP or person that did this, as they did not have authorized access. Does anyone know how to get this information?.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator t-p


    In your admin, check what priviledges this user has.

    There is only one admin user and I do not share it with anyone. This “new” user was created without logging in through my user and not sure how. I think it was through the myPHPadmin plugin, which I have since disabled. I basically am looking for a way to find out who it was and what their IP address is.

    @ben37d, look at server logs.

    check your logs

    change the mysql database password

    change your wp-admin password

    change your cpanel password

    try the above steps

    Thanks, I changed the password to everything except the mySQL, which i just did.
    Is there an easy way to sift through the logs and find this exact change? Anything specific I should be looking for? I know the date and time the new user was created, or at least when WP sent the email, but looking through the notepad log file was really tough. Any suggestions?


    Do You Have Cpanel Access For Your Website

    If Yes

    Click Raw Access Logs Under Logs Section And Select The Domain Name To Downloads And Check The Logs

    If The Topic Is Resolved Kindly Mark It As Resolved

    For More Tips And Tricks
    Follow My Blog

    I had an issue with someone unknown creating an admin user.

    WordPress 3.5.0 I have multiple domains several of which run WordPress, all hosted within the one rented space. This morning I got an e-mail saying:
    >> New user registration on your site Meldrew:
    >>Username: Lmbbin96
    >>E-mail: redacted

    I locked down that domain using htaccess and looked to see what had been changed. Database had new user with admin privileges. Also to my surprise the site is now set to allow anyone to register and get admin privileges when they do. I am absolutely sure I did not set these so either this was part of a hack or it came as a WordPress default (unlikely).

    Suspicious stuff in .htaccess either put there by WordPress or a hack or our hosting tech support?:

    #RewriteEngine On
    #RewriteBase /
    # Allow applications in cgi-bin directory
    #RewriteRule ^(cgi-bin)(/)?$ $1/header.php [R=301,L]
    #RewriteRule ^cgi-bin/$ - [F]
    #RewriteRule ^cgi-bin/. - [L]
    #RewriteRule . - [G]
    # BEGIN WordPress
    # END WordPress

    There is no cgi-bin directory in the root of this domain.
    Apart from that no obvious new or modified files.

    The WordPress install was over top of old one to get the latest version and was unused – just a backup install of an old weblog.

    If the intruder could add or modify files on this site s/he could write code to get at sensitive info for all my sites stored above /public_html.

    Any suggestions about how the intruder could have got in? Or how “anyone can register” and “as administrator” could have been set? And whether the .htaccess code is suspicious or not?

    Appreciated. …Ian.



    Forum Moderator

    Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    Rather than bringing back an 11 month old topic please start your own instead.

    How-To and Troubleshooting

    This one has been marked resolved and unless your on the same server, with the same host, running the same version, theme, and plugins then your problem is not the same.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Reporting Hacking??? Someone added a user’ is closed to new replies.