• Hello,

    A WordPress-based website that I help out with allows readers to sign up as subscribers to receive newsletters. Recently, we have been experiencing a problem with a hack in which some unknown person or bot signs up and gives the account admin status. It seems that the unknown user can not only give himself admin status but also evade detection by StatCounter. All authorized administrator accounts have hard-to-guess passwords that are changed on a regular basis, and a user activity tracking plugin has been installed, which together rule out logging in with stolen passwords.

    SiteLock is currently working with us by scanning the site for malware on a regular basis but other than that, it seems that even they are baffled. Is anyone having the same problem? Does anyone have any suggestions?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator t-p

    (@t-p)

    Try the Wordfence plugin. It comes with a malware scanner, exploit detection, and threat assessment features.

    Someone may have the credentials to your database and your host might be allowing remote connections to your database.

    So they create a new subscriber account then go into your database and promote that new subscriber to admin. Your logging apps never see that as it wasn’t done via the WordPress install.

    The first thing I’d do is go into my control panel and make sure I’m not allowing anything but the proper servers into my MySQL host… that’s your webserver and maybe a second app on a different server if you are running some kind of database sync setup.

    You need to take a look at your FTP users and lock that down to just the users you really need and you really need to lose FTP for secure FTP instead.

    Also, make sure there’s no one able to gain console access to your host. That means just a couple of key people with access to your hosting account where they can possibly get to your hosting control panel and configuration stuff.

    Else changing the MySQL credentials may not help. They can access the wp-config and read them if you let just anyone in there.

    The next thing is to go in and change your database password or create a new database and move the database to a totally different server.

    Also go in and change the security keys in wp-config.php… this will kick all logged-in users out and hopefully you’ll not have an unauthorized admin in there who can find their way back in before you kill their account.

    Now go in and kill any unauthorized admin accounts. If you have an admin (or a super user in a multi-site) named ‘admin’ you need to kill that account and create one named something else.

    Your admin should not be used as a publisher or editor of posts either. You don’t need for outsiders to see users who might be admins.

    If you’re not already running a firewall then install one now. I use Wordfence with iThemes Security as they work well together and complement each other.

    If you deleted any admin users after this then go back and change those passwords on the database and those security keys again.

    If you had any vendors who had access to your account somehow then this is the time to lock them out.

    And if you have any kind of file access plugin in your WordPress install you probably should lose that just in case you miss an admin you didn’t notice. No point in leaving that ‘door ajar’.
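One way to catch accounts promoted straight in the database, which login and activity plugins never see, as an added example (not code from the original thread or from WordPress itself). It assumes the default `wp_` table prefix and an allow-list of the admin logins you know are legitimate; the sample rows are constructed.

```python
"""Audit WordPress user roles for administrators that should not exist.

WordPress stores each user's roles in wp_usermeta under the meta_key
'<prefix>capabilities' as a PHP-serialized array, for example
a:1:{s:13:"administrator";b:1;}. A subscriber promoted directly in MySQL
(bypassing wp-admin) still shows up there, so diffing that table against
an allow-list finds what the WordPress-side logging misses.
"""
import re

# Query that produces the rows this script expects; 'wp_' prefix assumed.
# On multisite, per-site roles live under keys like wp_2_capabilities.
AUDIT_QUERY = """
SELECT u.user_login, m.meta_value
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities';
"""

# Matches one enabled role entry: s:<len>:"<role>";b:1;  (b:0 = disabled)
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def parse_roles(serialized):
    """Return the set of role names enabled in a serialized capabilities array."""
    return set(ROLE_RE.findall(serialized))


def find_unexpected_admins(rows, allowed_admins):
    """rows: iterable of (user_login, meta_value) as returned by AUDIT_QUERY.

    Returns the sorted logins that hold the administrator role but are not
    in allowed_admins; each of these needs investigation, then removal.
    """
    flagged = [login for login, meta_value in rows
               if "administrator" in parse_roles(meta_value)
               and login not in allowed_admins]
    return sorted(flagged)


# Constructed sample rows for this example; 'promo2019' mimics a subscriber
# that was promoted by editing wp_usermeta directly.
SAMPLE_ROWS = [
    ("alice", 'a:1:{s:13:"administrator";b:1;}'),
    ("newsletter_reader", 'a:1:{s:10:"subscriber";b:1;}'),
    ("promo2019", 'a:1:{s:13:"administrator";b:1;}'),
    ("bob", 'a:2:{s:6:"editor";b:1;s:13:"administrator";b:0;}'),
]
ALLOWED_ADMINS = {"alice"}

if __name__ == "__main__":
    print("Unexpected admins:", find_unexpected_admins(SAMPLE_ROWS, ALLOWED_ADMINS))
```

Run the query against a fresh database dump rather than the live site if you suspect the attacker still has database access, so the result cannot be tampered with while you review it.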

    Thread Starter achanne

    (@achanne)

    Thank you for all the responses. I’ll definitely reactivate Wordfence and have a look at activity from the hosting side of things and try to secure the database. BTW, the URL is
    I’ll have a careful read through all the responses again tonight and take some notes.

  • The topic ‘Unauthorized Creation of Admin Accounts’ is closed to new replies.