WordPress Hacked: Admin Users Added – Fake or New Admin Users Added
The real problem of WordPress hacked begins when there are new fake admins added in your WordPress panel. If you detected and eliminate this issue, there won’t be any more problems. Hence, your website is pretty much secure. Don’t forget that you should remove them immediately which you probably have already done. But removing them is not enough. You will have to prevent them from reading. Surely, you won’t be adding the admins. There is an automated code that does the entire thing by itself.
We will see a complete tutorial on how you can fix the WordPress hacked issue where fake or new admin users are added automatically.
WordPress hacked issue: New admin added
Let’s represent the issue first before we get into the method to remove the code. Here is what happens when your WordPress is hacked.
- You will see new admin users in your admin panel. This might be genuine admin users or it could be some random email who has admin access to your WordPress website.
- Thereafter, you might also see some of the suspicious activities on your website or you would be just seeing some new users with no new activities
- It could be just the users with admin access or you would see a lot of users being added in your users’ panel.
We will see the solution to all of these problems.
So, the main question is why something like this happens? It is always the malicious code due to this the issue happens. There are good chances that the problem arises due to the vulnerable code or malicious code in your current WordPress installation. Therefore, there aren’t many things to worry about. This doesn’t mean that you can ignore the problem completely. You will have to solve this WordPress hacked issue where new and fake admins are added as soon as possible.
Here are a couple of reasons why new admin are added in your website
- You installed a plugin or theme from an unknown source. This could be a nulled plugin or theme. Alternatively, you would have downloaded it from the place which is not a trusted theme provider. Hence, this issue might have arisen
- If you gave your WordPress access to anyone else, they might have added the code
- You didn’t update your WordPress, theme, or plugin.
- Your web hosting provider was hacked. Hence, you should use secure hosting.
Whatever the reason is, we will see the competition for a guide to remove it.
Remove the admins
The first thing that we need to do is to remove the new admins before they start to make the changes in your WordPress website or take over your entire website. So, the first thing we will do is remove the admins. Many ways are using which you can easily. We will be talking about a couple of ways you can do so.
Remove from dashboard
The first and the easiest way to remove new admins is through your WordPress dashboard. If you have admin access then you can easily remove the new admins by logging in.
All you have to do is log in to your WordPress dashboard and then you need head over to Users > All Users where you will see the complete list of the admins. You can easily remove them and continue to the next step.
You can either filter out the users and remove all the admins except you or you can just mark the users and remove them.
Further, you can use plugins like Bulk delete to set certain conditions to delete users. It will help you to remove the users based on certain conditions. For instance, you can remove all the users or admins whose accounts were created after a certain date or at a certain date. This becomes very useful when you have a website with a large user base. The website will let you delete all the data easily without any issue.
Now, if you don’t have access to your WordPress panel, you can use this technique to delete all the admin users. Here, you will directly delete the users from the database. For that, you will have to log in to your cPanel or web hosting panel. Inside it, you will find an option for PhpMyAdmin. You need to click on it and then you will see various databases there.
You need to select your WordPress database from this. Now, you will have to find the table with the name wp_users. You will find all the users directly there. You can select the users and delete them.
Before you delete all the users, we will do a small step. This is where we will reset our password back to the original one. So, find your username in the user’s panel and do the following steps.
- Head over to your username and if you can’t find your username there, you can go to any admin username
- Click on the edit button right next to the username
- Now, you will have to go to the user_pass field. Select md5 from the dropdown
- Enter a new password in the password field
- Hit the go button and you are all set.
Now, you will see that the password has been changed to the new one. You can also change the user email and other stuff.
Scanning the website
The next step you need to take is to scan the website for viruses. We will see the exact way on how you can scan your website for viruses.
Here, there are two main ways we will scan the website. This will make sure that all the infected files are detected. In this way, you can fix the WordPress hacked issue easily.
Use the security plugin
We will use a security plugin here to scan the entire website. WordPress directory consists of many plugins that you can install. Some of the plugins are free whereas some of them are the premium ones.
You can use one of these plugins to find the malicious code on your website.
- iThemes Security
These plugins come with a security scanner that will scan your website. You can install and activate the plugin. Your next step would be to run a scan for your website. Make sure you scan the entire directory for the virus. In this way, you will find all the infected files. Most of these tools also have an exploit scanner. So, it will find security issues on your website.
Run the scan and wait till it completes. It will then show you the list of infected files. There will be an option to fix all the files. You can fix it and if the tool is not able to fix it, you can just list down the files. We will see it in the next section on how you can remove it.
Using a virus scanner
The next method we will use to scan the website is by using a virus scanner. Your cPanel or your hosting provider will have a virus scanner that you can use. You can head over to your cPanel and find the virus scanner option. From there, you need to run another scan. Make sure you click on the “Entire home directory”. It will scan all your websites and hence, it will take some time to complete the scan. You can exit the page and complete your other works. It will work on the server-side. Therefore, you don’t need to keep the page open.
The rest of the steps are the same as above. It will show you a list of infected files. There will be an option to fix the files. You can quarantine those files which will stop it from infecting.
However, if nothing works and you can’t remove the files. You need to remove the malicious code using a different method. So, first, make sure you have a list of infected files. You can then follow all the steps given below. We will now see how you can remove the malicious code from the website.
Removing the malicious code
Now, it is time to remove the code that has affected your entire website. We will see the exact method on how you can remove the code. There are a couple of ways you can do it.
Restore from the backup
One of the easiest ways you can get back your WordPress website is to restore the old backup. If you have taken the old backup, you can simply restore the backup and you will get your website as it was.
You need to restore the backup which was created before you installed any new plugins or themes. This might not be the most compatible way for most people are they might lose some of the important data.
Therefore, this is not a feasible method for many people. If you can’t use it, there is nothing to worry about. We will see another method using which you can do the whole process easier. This is where we will replace the files with the original one.
Replace the files
The next method you can use is to replace the files with the original ones. In the scanning phase, we listed out the infected files. So, here we will replace those files with the original version of the file.
All you need to do is download the files from the source. You can visit the theme or plugin provider’s website and download it from there. You will get a zip file. If you have downloaded it from the WordPress directory, you can open it from another tab and download it. Now, your next step will be to open the zip and find the files.
You will now have to replace the infected files with the original one. Make sure you take a backup of the file before you head over to the main file. The same applies to the core WordPress files.
If it doesn’t work, we have got the one last way to fix your website.
Fixing the files manually
The last step is where you will fix the files manually. You can open the infected files. You can either go to cPanel, right-click on the file and select code edit from there. The other way is to download the file and open it in an editor. Further, you should look for the infected code in the file.
It will be the encrypted code that is visible from the normal code. Usually, it is a bunch of letters mixed and it forms no sense. It is an encrypted code. You will have to remove the code to make sure that everything works fine.
After editing the code, save the file or upload the file back to your server.
Now, you will have to rescan the website to make sure that there are no more infected files. If you find one, repeat the same things.
Securing your website
Here are some of the security tips to follow which will safeguard your website in the future. As a result, new admins won’t be added on your WordPress website.
- Make sure you have an active security plugin which monitors your website
- Change the passwords of your WordPress panel, email, hosting account, FTP, SSH, etc.
- Remove the extra admin users
- Use strong password
- Make sure you only install the themes and plugins from a trusted and reliable source.
- Never use nulled or pirated plugins. Also, don’t use themes or plugins from an unknown source.
- Don’t give you admin access to unknown people.
- Delete the unwanted plugin
- Limit the login attempts
To conclude, this was all about how you can prevent the website from adding fake admin users. Make sure you follow all the steps to fix your website. Also, scan the website again to make sure that you have successfully cleaned the infected files. Also, follow all the security tips that we gave in the last. It will help you in securing your WordPress website.
How to Clean a Hacked WordPress Website using WP AOS?
WP AOS provides a risk-free WordPress malware removal service. 30 day money back guarantee, the most complete WordPress security plugin called iThemes Security Pro (worth $199 / year) + advanced security setup, and repeated hack protection for up to 1 year is included in the WordPress cleanup service. All of this has an industry best pricing – starting from
€ 222 / fixed website.
We value your time and thank you for reading our blog. So, we would like to show our appreciation by giving you an additional 10% discount on our malware removal service. Use coupon code WPAOSBLOG10 at the checkout.
WordPress Hacked? Malware Removal Service
Get your WordPress website fixed today.