In your admin, check what privileges this user has.
There is only one admin user and I do not share it with anyone. This “new” user was created without logging in through my user and I'm not sure how. I think it was through the myPHPadmin plugin, which I have since disabled. I basically am looking for a way to find out who it was and what their IP address is.
check your logs
change the mysql database password
change your wp-admin password
change your cpanel password
try the above steps
Thanks, I changed the password to everything except the MySQL, which I just did.
Is there an easy way to sift through the logs and find this exact change? Anything specific I should be looking for? I know the date and time the new user was created, or at least when WP sent the email, but looking through the notepad log file was really tough. Any suggestions?
Do You Have Cpanel Access For Your Website?
Click Raw Access Logs Under Logs Section And Select The Domain Name To Download And Check The Logs
If The Topic Is Resolved Kindly Mark It As Resolved
For More Tips And Tricks Follow My Blog http://techtips.svarun.in
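One way to sift a downloaded raw access log for requests made around the time the new account appeared, as an added example that is not part of the original thread. It assumes the Apache "combined" log format; the sample lines, IP addresses, event time and the phpMyAdmin path pattern are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format (assumed format of the downloaded raw access log).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Requests that can create a user or change registration settings.
# The phpmyadmin pattern is an assumption about where such a plugin is served.
INTERESTING = re.compile(
    r'wp-login\.php\?action=register'
    r'|wp-admin/(user-new|users|options(-general)?)\.php'
    r'|phpmyadmin', re.I)

def suspects(lines, event_time, minutes=30):
    """Return (ip, time, method, path, status) for POSTs to INTERESTING
    paths within +/- `minutes` of the moment the account appeared."""
    window = timedelta(minutes=minutes)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        # Log times carry the server's UTC offset; compare as aware datetimes.
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        if abs(ts - event_time) > window:
            continue
        if m['method'] == 'POST' and INTERESTING.search(m['path']):
            hits.append((m['ip'], ts.isoformat(), m['method'],
                         m['path'], m['status']))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = [
    '203.0.113.7 - - [12/Jan/2013:09:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jan/2013:09:15:40 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jan/2013:03:00:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '192.0.2.50 - - [12/Jan/2013:09:20:11 +0000] "POST /wp-content/plugins/example/phpmyadmin/import.php HTTP/1.1" 200 512 "-" "curl/7.0"',
    'not a log line',
]
# Constructed event time: when the "New user registration" e-mail was sent.
EVENT = datetime(2013, 1, 12, 9, 16, tzinfo=timezone.utc)

if __name__ == '__main__':
    for hit in suspects(SAMPLE, EVENT):
        print(*hit)
```

The e-mail timestamp and the log timestamps may be in different time zones, so convert the known creation time to an offset-aware value before comparing.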
I had an issue with someone unknown creating an admin user.
WordPress 3.5.0. I have multiple domains, several of which run WordPress, all hosted within the one rented space. This morning I got an e-mail saying:
>> New user registration on your site Meldrew:
I locked down that domain using htaccess and looked to see what had been changed. Database had new user with admin privileges. Also to my surprise the site is now set to allow anyone to register and get admin privileges when they do. I am absolutely sure I did not set these so either this was part of a hack or it came as a WordPress default (unlikely).
Suspicious stuff in .htaccess either put there by WordPress or a hack or our hosting tech support?:
```
#RewriteEngine On
#RewriteBase /
# Allow applications in cgi-bin directory
#RewriteRule ^(cgi-bin)(/)?$ $1/header.php [R=301,L]
#RewriteRule ^cgi-bin/$ - [F]
#RewriteRule ^cgi-bin/. - [L]
#RewriteRule . - [G]
# BEGIN WordPress
# END WordPress
```
There is no cgi-bin directory in the root of this domain.
Apart from that no obvious new or modified files.
The WordPress install was over top of old one to get the latest version and was unused – just a backup install of an old weblog.
If the intruder could add or modify files on this site s/he could write code to get at sensitive info for all my sites stored above /public_html.
Any suggestions about how the intruder could have got in? Or how “anyone can register” and “as administrator” could have been set? And whether the .htaccess code is suspicious or not?
These are the recommended resources for hacked sites:
Rather than bringing back an 11 month old topic please start your own instead.
This one has been marked resolved and unless you're on the same server, with the same host, running the same version, theme, and plugins then your problem is not the same.
- The topic ‘Reporting Hacking??? Someone added a user’ is closed to new replies.