• This week we got an alarming message from a customer on our webshop; she noticed she was logged in to the site on my account. My colleagues checked and one of them suddenly was also logged in as me.

    This should not be possible, right? I cannot figure out how this could possibly have happened. I don’t know this person personally so I definitely have never been logged in to the site on her computer. I also have never been logged in on my colleague’s computer. This is really scary to me, because I have access to everything on our site. Customers should not be able to have access to our dashboard and definitely not on a ‘beheerder’ account. (Our WordPress is set up in Dutch, I guess in English it would be an admin account. Full access.)

    They all logged out, but it happened again yesterday and then a second colleague was suddenly logged in on my account as well!

    At the moment I haven’t heard anybody else being logged in as me, but this worries me terribly and I would really appreciate somebody helping me to figure out how it happened and how to prevent it.

    Thanks!


Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    Yikes!

    I haven’t heard anybody else being logged in as me

    That’s not exactly reassuring, others may have not bothered notifying you ??

    Verify in General Settings that the “New User Default Role” is not some elevated role like editor or administrator. The usual default is subscriber.

    Check your registered user’s roles in the user list table. If any are inappropriate, edit their profile to change their role.

    Confirm that users are really able to access sensitive settings like the plugins screen. Sometimes people think they’ve gotten somewhere where they shouldn’t be just because they get a back end UI at /wp-admin/. But in fact all they can do is edit their profile.

    Do you have any sort of caching scheme in place? It could be inappropriately serving cached pages to others, saved from one of your sessions.

    Verify this behavior for yourself. Create a subscriber user for testing. I’m assuming being logged in at all is necessary for back end access. If people are gaining back end pages without even being logged in, that’s even scarier! Anyway, determine a way to replicate the problem yourself, either by not being logged in or logged in as subscriber.

    Deactivate all plugins and switch to a default Twenty* theme. I suspect one of these is causing the problem. Flush your browser’s cache for good measure. You should no longer be able to access sensitive areas. Restore your usual theme and plugins, one at a time, until the problem recurs. The last activated module would be the cause. Either do without, find an alternative, or seek assistance through its dedicated support channel.

    Once you’re able to prevent access, change all the salts defined in wp-config.php. Doing so will invalidate any existing auth cookies, forcing everyone to log in again. You can get a new set of random salt definitions at https://api.www.ads-software.com/secret-key/1.1/salt/
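As an added illustration of the caching and role checks in the reply above (example code, not bcworkz’s or WordPress’s own): a must-use plugin that marks any response to a logged-in session as uncacheable and records each login. It assumes the file is placed in wp-content/mu-plugins/ and that the page cache honours the DONOTCACHEPAGE constant.

```php
<?php
/**
 * Plugin Name: Admin session cache guard (added example, not from this thread)
 * Place this file in wp-content/mu-plugins/ so it loads before other plugins.
 * Assumes the page cache honours the DONOTCACHEPAGE constant (many do; verify yours).
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. If the request carries a WordPress auth cookie, tell the page cache not to
//    store the response, before WordPress has even validated the cookie.
add_action( 'muplugins_loaded', function () {
    foreach ( array_keys( $_COOKIE ) as $name ) {
        if ( 0 === strpos( $name, 'wordpress_logged_in_' ) ) {
            defined( 'DONOTCACHEPAGE' ) || define( 'DONOTCACHEPAGE', true );
            break;
        }
    }
} );

// 2. For validated sessions, also send HTTP headers so a proxy or CDN in front
//    of WordPress will not store the page and replay it to other visitors.
add_action( 'send_headers', function () {
    if ( is_user_logged_in() ) {
        nocache_headers();
        header( 'Vary: Cookie', false );
    }
} );

// 3. Record every login with role, client IP and user agent in the PHP error
//    log, so an unexpected administrator session leaves a trace to investigate.
add_action( 'wp_login', function ( $user_login, $user ) {
    error_log( sprintf(
        '[login] user=%s roles=%s ip=%s ua=%s',
        $user_login,
        implode( ',', (array) $user->roles ),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        substr( $_SERVER['HTTP_USER_AGENT'] ?? '-', 0, 80 )
    ) );
}, 10, 2 );

// 4. Flag the "New User Default Role" setting if it is anything but subscriber.
add_action( 'admin_init', function () {
    $role = get_option( 'default_role' );
    if ( 'subscriber' !== $role ) {
        error_log( "[config] default_role is '$role', expected subscriber" );
    }
} );
```

Review the error log after the next reported incident: a login line with an administrator role from an unfamiliar IP points at a credential or cookie problem, while no login line at all points at a cache replaying an existing session.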

  • The topic ‘Random visitors to the site are suddenly logged in on my admin account’ is closed to new replies.