Hacked ...

I've been hacked a few times recently by the same person/bot. I believe this was SQL injection or something like that because I keep changing the admin credentials, even its number from user 1 to something else, and yet users' credentials change to admin and are changed to user 1. I have done extensive cleaning, etc. I am seeing 3 super admins when I only have one, and only one is showing in the members column. I need to find the 2nd and 3rd. I see upon attempting to delete accounts that two won't show up in the confirm page, yet are deleted in the column. I believe these are the two hacked accounts. I will delete them from phpMyAdmin and see if they reappear in the next couple of days. I'm no longer using the original admin account as super admin; can I delete it as well?

Isn't this my host's fault since they are clearly editing in phpMyAdmin? I don't have any evidence of database plugins being uploaded, how else could they be manipulating user accounts to "admin" and user 1?

  • ThePath

    Hi Annabelle, thanks for being a member and for your post.

    Well, it's annoying to say the least getting hacked. It has happened to one of the sites I look after about 3 times in the past 2 years or so. Once due to an insecure password and the other I'm not sure, possibly an SQL injection.

    Isn't this my host's fault since they are clearly editing in phpMyAdmin?

    Not a hundred percent on what you mean by this. Your host may have created extra admin accounts to gain access to your admin to try and help you at some point? Even if you add accounts in phpMyAdmin they will still appear in your WP admin and can be deleted from there also.

    If you mean the hackers are gaining access to your phpMyAdmin then I see what you mean. But I wouldn't imagine this is happening unless your own hosting password is insecure. Obviously it depends on who your host is but most are very secure these days.

    The hacks could come from an SQL injection, the most likely culprit is a plugin. Unfortunately WP's greatest strength is also its greatest weakness. I would review your plugins and perhaps do a bit of research on them in Google to see if there are any vulnerabilities. It always helps to get the latest WP and latest versions of your plugins too.

    Speak to your host though and do some research on them also. I can however recommend Heart Internet who are hot to trot on security.

    So to try and stop the hacks you can try:

    1. Review all your plugins and see if any have known vulnerabilities
    2. Update WP and plugins
    3. Speak to your host and ask what they do to help protect the sites hosted with them.
    4. Change your logins to everything!

    To answer your question, if you have created a new super admin account then it's safe to delete any others. Even if it deleted them all you could still create another in phpMyAdmin.

    Well, no complete solutions but I hope I've helped a bit.

  • 3SixtyEvolve

    Hi Annabelle

    I really feel with you. It's not easy dealing with hackers and possible SQL injection.

    @ThePath has given some excellent advice here, so I will just add to that...

    I previously did a bit of research on this subject - basically links that might help you to fix the SQL injection and then be able to move your database successfully. This is what I came up with (I really hope this will help):

    http://www.acunetix.com/websitesecurity/sql-injection.htm
    http://www.simonwhatley.co.uk/how-to-fix-a-sql-injection-attack
    http://25yearsofprogramming.com/blog/2011/20110205.htm
    http://codex.wordpress.org/Moving_WordPress
    http://www.semiologic.com/resources/wp-basics/how-to-move-a-wordpress-site/

    I read through many pages and this was the best advice that I could find, so I hope this can assist you.

    Have a good day and let me know if you get sorted or if you need further support.

    Gina

  • Annabelle

    I've done a plethora of steps, and still add extra security as I go. This is still from the first hack I can tell. What I meant was yes, the hacker must have access to phpMyAdmin somehow because this is the only place where user names and numbers can be changed. My password to my host has been changed and this is not a shared computer.

    For now I need to know how to fully delete the hacked WP user accounts. I have identified them but once deleted via admin or phpMyAdmin, the amount of super admins still shows even though the accounts were deleted. I'm positive of the two accounts that were hacked and although they no longer show in the column, they were not deleted because the confirm page did not show their details as well as the amount of super admins still shows 3.

  • Annabelle

    https://premium.wpmudev.org/forums/topic/hacked-need-new-bbconfig-buddypress-version is moved to here.

    K so redownloading the BuddyPress plugin to look through its files I have the bbconfig and yeh the header part shouldn't be there. I'm also supposed to use both bb-config and bb-config -sample in specific places. I believe I deleted one when cleaning. I will also put a .htaccess for these files.

    Now still need to fully get rid of the two accounts that I tried to delete.

  • ThePath

    Hi Annabelle,

    It's a nightmare, eh! People have nothing better to do than be destructive instead of creative.

    Anyway, if you have deleted the admin accounts from the wp_users and wp_user_meta tables then they will no longer exist and allow access.

    You said:

    amount of super admins still shows 3

    This could be something you've missed in the wp_user_meta table or something in another table somewhere. I wouldn't worry too much about it. If in the DB there is only one super admin account and it's yours then no worries!

    I take it that you don't have a handy backup just to redo everything.

    When I had similar issues I closed the offending hosting account on one server and opened it up again on another. But I'm a host reseller so was kinda easy for me. Perhaps you could ask your host to move you to another server.

    I guess the other question is, do you trust your host?

  • Annabelle

    I do have a backup but it's not as clean as the current, it was a backup just before the hack which I believe is also infected. I think this is my last issue with this hack.

    This could be something you've missed in the wp_user_meta table or something in another table somewhere.

    ...any suggestions on how to spot this?

    Thanks for suggesting that I ask to move to another server.

    Next, I need to Change table prefix in MU (https://premium.wpmudev.org/forums/topic/change-table-prefix-in-mu). Would also like to get an email whenever some user's name is changed to admin or user 1, or a super admin has been created. I've stopped receiving the email for when admin password has been changed and would like to reactivate that somehow.

  • ThePath

    Hi Annabelle,

    I should have asked this earlier but what version of WP, BP etc. are you using? It always confuses me a little when people say "MU" as in the old WP multiuser. It's now WP Multisite.

    Anyway, I just had a look in a similar DB of my own and you know from looking into the wp_users table the user IDs that were associated with the accounts you believe to be hacked.

    So say these IDs are 5 and 6. You would then open up the wp_usermeta table, you will see a user_id column, delete everything with the user ID of 5 and 6 (or whatever the offending user IDs were).

    I will look at your other thread now :wink:

  • 3SixtyEvolve

    Thank you @ThePath for your suggestion. I was actually going to suggest the same thing to Annabelle.

    ***

    Annabelle, I went into my cPanel to see how you would be able to get rid of the extra users and this would definitely be the way.

    I'm by no means super educated in terms of hacking, so won't be able to give you loads of advice there. But going into the DB and deleting it from there would be a good place to start.

    All the best and please let me know how you get on...

    Gina
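
An added example, not posted by anyone in this thread: read-only audit queries for the phpMyAdmin SQL tab, plus the cleanup ThePath describes. On WordPress Multisite the super admin list is kept as a serialized array of login names in the `site_admins` row of the sitemeta table, so it can still list accounts whose rows in wp_users are gone. The `wp_` prefix is an assumption; substitute your own.

```sql
-- Assumes the default table prefix wp_ on a Multisite install.

-- 1. The stored super admin list: a serialized PHP array of login names.
--    The number of entries here is what the "super admins" count reflects.
SELECT site_id, meta_value AS super_admin_logins
FROM wp_sitemeta
WHERE meta_key = 'site_admins';

-- 2. Existing accounts whose login appears in that list.
--    Fewer rows here than entries in query 1 means the list names
--    logins that no longer exist in wp_users.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_sitemeta AS s
  ON s.meta_key = 'site_admins'
 AND s.meta_value LIKE CONCAT('%"', u.user_login, '"%');

-- 3. Accounts holding the administrator role on any site in the network.
--    Per-site keys look like wp_capabilities, wp_2_capabilities, ...
SELECT u.ID, u.user_login, u.user_registered, m.meta_key
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key LIKE 'wp\_%capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- 4. Orphaned usermeta: rows left behind when a user was removed
--    from wp_users only. Review these IDs before deleting anything.
SELECT m.user_id, COUNT(*) AS leftover_rows
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u ON u.ID = m.user_id
WHERE u.ID IS NULL
GROUP BY m.user_id;

-- 5. Cleanup of the orphaned rows found in query 4.
DELETE m
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u ON u.ID = m.user_id
WHERE u.ID IS NULL;
```

Do not hand-edit the serialized `site_admins` value, because the string lengths inside it must stay consistent; remove a stale login with WP-CLI (`wp super-admin remove <login>`) or from the network admin screens instead.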
