• hey everyone,

    I was looking at my site recently and I noticed I had more admins than I should. I looked back through my logs and noticed that someone (IPs from all over the world) is trying to log into our admin accounts, and only the admin accounts, multiple times a day… it doesn’t seem like they have ever succeeded, but I saw that someone made a new account and somehow granted themselves as an admin. I’ll start with a picture of the logs and provide info as y’all need.

    I’m using Ultimate Member as my login/user management system.

    View post on imgur.com

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi, this is a common symptom of a hacked site. Most likely your site was hacked through a security issue in a plugin or theme that you had installed. Please contact your hosting provider to restore a backup of your site in order to get the healthy version running. After that update all your plugins and themes as well as WordPress itself. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    • This reply was modified 1 year, 5 months ago by !Benni.
    Thread Starter jaymemccolgan

    (@jaymemccolgan)

    Yeah, I browsed through my WP folder and noticed some malicious files that were PHP backdoor files. There were several of them. I rolled everything back to a clean state except the database. Reset all important passwords just in case and installed Wordfence and an activity logger to hopefully catch this faster next time, which is causing its own issue but I’ll deal with that later.

    I didn’t roll back my database because there’s a lot of data I can’t really lose. Do y’all think it’s something I should look through? Would a hacker have made changes to the database? Should I change the database password?

    Also, what’s the best way to start narrowing down which part of my site was infiltrated?

    Wow you already dealt with it like a pro xD

    Depends on your host’s configuration – is the database reachable from outside your host’s network? You probably don’t know, so yeah, you should also change the DB password.

    Maybe the hacker has already made posts and pages or changed anything else; you cannot know. It’s still best to restore a backup since all the data that you lose is only the data that you added between the backup and now.

    Investigating how the hacker got into your site is hard. You could start by checking Wordfence’s known vulnerability database; there you could search for all your plugins and see if one of the plugins that you have installed has a known vulnerability. If you find one, then you can check if the vulnerability is already patched and update to the patched version.

    • This reply was modified 1 year, 5 months ago by !Benni.
  • The topic ‘New account made itself an admin’ is closed to new replies.
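
One way to review a database that was kept rather than restored, covering the questions raised in this thread (which accounts hold the admin role, and what was created or changed since the last good backup). This is an added example, not something posted by anyone in the thread; it assumes MySQL/MariaDB and the default `wp_` table prefix, and the cutoff time and expected admin logins are placeholders.

```sql
-- Added example, not from the thread. Assumes the default table prefix "wp_"
-- (see $table_prefix in wp-config.php). @cutoff and the login names in the
-- allow-list are constructed placeholders: use the UTC time of your last
-- known-good backup and the admins you actually expect.
SET @cutoff = '2000-01-01 00:00:00';

-- 1. Accounts holding the administrator role that are not on the allow-list.
--    Roles are stored as a PHP-serialized array in wp_usermeta.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_login NOT IN ('expected_admin_1', 'expected_admin_2')
ORDER BY u.user_registered DESC;

-- 2. Every account registered since the cutoff, with its stored role data.
--    user_registered is stored in UTC.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE u.user_registered >= @cutoff
ORDER BY u.user_registered;

-- 3. Posts and pages created or modified since the cutoff, with their author.
SELECT p.ID, p.post_type, p.post_status, p.post_title,
       p.post_modified_gmt, u.user_login AS author
FROM wp_posts AS p
LEFT JOIN wp_users AS u ON u.ID = p.post_author
WHERE p.post_modified_gmt >= @cutoff
  AND p.post_type IN ('post', 'page')
ORDER BY p.post_modified_gmt DESC;

-- 4. Registration settings: whether sign-up is open and which role
--    newly registered users receive.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('users_can_register', 'default_role');
```

Run the queries read-only first (for example from a database account with only SELECT rights) and compare the results against a backup copy before changing or deleting anything.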