Username Changed To Monkey

You may have been hacked, or someone else who has admin access to your site may be playing with you.

I’d assume the worst — that your site is hacked.

Create a NEW admin user ID for yourself. Log out and login as that user, then delete the ‘monkey’ id. (Transfer any content to your new ID.)

Install the plugin “WordFence” and scan your site.

Then….

Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

Hi Steve,

Thank you for the quick response. I am the only user/admin on the site so I suppose I must have been hacked then. Yet, I still don’t understand how they were able to change the username, and as far as I can currently tell, nothing else has been touched or changed except for the username, which is a sigh of relief, yet still quite odd. I am in the process of creating a new username and transferring my data now, following along with your above suggestions. Thank you! I also ran my site through the sucuri site scan but it says my site is not blacklisted and has no malware or spam. Definitely an odd occurrence to have this happen but hopefully no harm was done.

Also, I already have and am using the wordfence security plugin so that makes this whole situation incredibly more confusing. The only change I know of to make at this time (after creating a new username and transferring my content) is to simply make a new, stronger password. Other than that, I am at a loss. :/

Change the password for your hosting login, too. On the WordFence scan options, make sure most of the options are checked. Be aggressive with the scan.

Thank you, I have done all the fixes suggested. Hopefully this won’t happen again. Whoever was ‘monkeying’ around on my site will hopefully stay away now haha. Thanks so much for all your help! ??

Hi, I just noticed the same issue on two of my sites. Not sure how it happened yet. But I can tell you that they added cgi.php and redirect.php files in the WordPress root folder.

They both got hacked on Jan 11th.

Also, some large (20mb+) and random character named files in wp-admin

Dear seedsca, you have me worried now about whether I may have missed some sort of code ‘injection’ into my site files as well. I’m still learning how to operate a fully-functioning website and am not exactly sure how to check for this. I ran site scans and removed/improved upon what I could but I still worry about what I may have missed, or what my security plugins may have missed, haha. May I ask how exactly you check for this kind of thing and how you discovered you had random files added? ??

The basic of it is searching with plugins for things and manually. Through the command line (ssh) or an FTP program.

I use i-themes and sucuri. But most security plugins should be good for this. Not fun! Sorry

Thanks for the quick response. I hope I was able to find all instances of malicious intent. I appreciate the feedback! ??

I just wanted to comment that this same exact thing happened to one of the few sites I still had on cheap Bluehost managed hosting. I have been migrating people off to more secure hosting but had not gotten to this one yet. Like you, I had Wordfence and was using the latest version of WordPress. There were a couple of plugins out of date but nothing with a security warning. The theme is old and no longer supported, so I am wondering if that was the issue. I changed all passwords and moved to a new host.

If anyone has experience with this I would be interested in hearing it.