• i just got scammed on a website design project, no idea how i got hacked, anyone have thoughts?

    the scammer has access to the host server, so the database/ftp, but does not have access to any wordpress logins. i am the only person that has access to the wordpress admin logins.

    somehow, she (yes she) was able to create a new user in wordpress (ok you can just go ahead and register a new account), but somehow set that new user to admin, and change my original admin password/email so i no longer have access.

    any ideas?

Viewing 7 replies - 1 through 7 (of 7 total)
  • the scammer has access to the host server, so the database/ftp…
    …somehow, she (yes she) was able to create a new user in wordpress (ok you can just go ahead and register a new account), but somehow set that new user to admin, and change my original admin password/email so i no longer have access.

    All other issues aside, that’s the answer to your question. Access to your database and ftp account pretty much means full control over your WordPress installation.

    Thread Starter babooza69

    (@babooza69)

    is it easy? with database/ftp access to do that?

    Literally a 5 minute process for someone who has been given access (username and password) to your hosting account, and is familiar with WordPress installation and administration.

    Thread Starter babooza69

    (@babooza69)

    can you teach me how to do it?

    is there any way to prevent it?

    is there any way to prevent it?

    Learn a little about how ftp accounts, database administration, and securing your hosting account access and credentials work.

    If the hosting account is yours, and you pay the bills, then you can log into your cPanel or whatever hosting account control panel your host offers, and immediately change your hosting account password. Then do the same for all existing ftp accounts.

    If you own the account, take it back. Remove all possibility that anyone other than yourself has any access to your hosting account. If you are unsure how to do that, contact the support group at your hosting service and have them help you secure all access points to your account. But that still does nothing to secure your actual WordPress admin or user accounts.

    After your hosting account is secured, take back the WordPress administrator account by using one of the methods described in the instructions for resetting the admin password – found here Resetting Your Password – then log into your WordPress site and remove or demote any other administrative users. Perhaps the support staff at your host would be willing to help you with that as well.

    All of this only applies if you own the hosting account in question, and the rest of the server isn’t under the control of someone who can simply lock you out (like on a private server that’s owned by the person you’ve been working with).

    Good luck.
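An added example, not part of the original thread: one way to carry out the "remove or demote any other administrative users" step above is to audit the database for accounts holding the administrator role and compare them with the logins and emails you know to be yours. It assumes the default `wp_` table prefix and uses an in-memory SQLite database with constructed rows as a stand-in for the site's MySQL database; the query itself is plain SQL.

```python
import sqlite3

# Constructed sample rows in the default WordPress layout (table prefix "wp_" assumed).
# They represent a site after a takeover: the owner's email differs from the one on
# record and a second administrator exists. Roles live in wp_usermeta under the key
# "<prefix>capabilities" as a serialized PHP array.
SAMPLE_SQL = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                       user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
INSERT INTO wp_users VALUES
  (1, 'siteowner', 'unknown@example.net', '2012-01-10 09:00:00'),
  (2, 'editor1',   'editor@example.com',  '2012-03-02 14:30:00'),
  (3, 'newadmin',  'unknown@example.net', '2013-06-01 03:12:00');
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
  (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
  (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
  (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
"""

# Every account whose capabilities entry grants the administrator role.
AUDIT_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator";b:1%'
ORDER BY u.ID
"""

def audit_admins(conn, expected):
    """expected maps each legitimate admin login to the email it should have."""
    findings = []
    for _uid, login, email, registered in conn.execute(AUDIT_QUERY):
        if login not in expected:
            findings.append((login, "unexpected administrator", registered))
        elif expected[login].lower() != email.lower():
            findings.append((login, "administrator email changed", email))
    return findings

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return audit_admins(conn, {"siteowner": "owner@example.com"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run the same query against the live database only after the hosting, FTP and database passwords have been changed, since anyone who still holds them can alter these rows again.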

    Thread Starter babooza69

    (@babooza69)

    how? i specifically want to know how someone can create a new user in wordpress and set change any original user’s password/email with web host access (ftp/cpanel/sql) only. i am somewhat familiar with php/sql, but i don’t know how to do it. this is for educational purposes only. like what specific row/table/etc do i look at?

    thanks for your advice to fix it, a lot of good info there, but i am already aware of those. i’m asking is there anything from a wordpress end to prevent someone from doing so. i used to run my own webhosting company and have designed over 100 sites with wordpress for clients, so not a complete n00b ?? this is just the first time this has ever happened to me

    thanks again

    i specifically want to know how someone can create a new user in wordpress and set change any original user’s password/email with web host access (ftp/cpanel/sql) only

    If you’re looking for the specifics of a step by step tutorial, then go to the link I posted above and view the section on how to reset the password directly from the database. There’s also information there about resetting the password without database access (requires ftp access). There’s also an overabundance of searchable discussions on the topic here in the forums. Then familiarize yourself with the WordPress Database structure if you like.

    i used to run my own webhosting company

    Then I’m a bit surprised that you seem surprised by the implications of giving someone access to a database, or file access via ftp … or your hosting account credentials.

    Well, we’ve gone from being “Hacked” and “Scammed”, to information for educational purposes, so on that note I’ll point you to the Codex Main page where, when combined with the search feature, you can navigate your way through almost anything you want to know about WordPress. Good luck to you!

  • The topic ‘wordpress hacked, how did this happen?’ is closed to new replies.