What can be done if a hacker takes over the admin account?

Security seems to be a big topic recently in the WordPress community and I am preparing for various situations. The question is: what can be done if a hacker hypothetically gets control of the admin account?

  • espsjurs
    • The Incredible Code Injector

    First of all, you should always delete the standard admin account. But first you have to create a new one and log in with it, then delete the 'admin' account.

    The attack a few months back was done by a massive admin account login bot. The 'admin' user was tried with a list of known simple and not-so-simple passwords.
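What espsjurs describes is a credential-guessing bot against wp-login.php, and it leaves a clear trace in the web server access log: a failed WordPress login re-renders the form with HTTP 200, while a successful one answers with a 302 redirect into wp-admin. The following Python is an added example, not code from this thread: it parses a few constructed combined-format log lines, counts failed login POSTs per source IP inside a sliding time window, and flags an IP whose burst of failures ends in a redirect, which is the signature of the bot finding a working password. The threshold, the window length and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log line; only IP, timestamp, request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not from a real server: 203.0.113.7 hammers wp-login.php and
# finally gets a 302 (login succeeded); 198.51.100.23 is a normal login; 192.0.2.9 is noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2013:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2013:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2013:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2013:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Apr/2013:02:20:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:02:20:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:02:21:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "curl/7.29"
"""


def parse_line(line):
    """Return a dict for a line the regex recognises, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'method': m.group('method'),
        'path': m.group('path').split('?', 1)[0],
        'status': int(m.group('status')),
    }


def find_login_bots(lines, threshold=5, window_seconds=60):
    """Map source IP -> findings for every IP with at least `threshold` failed wp-login.php
    POSTs (HTTP 200 = form re-rendered) inside some `window_seconds` span. A 302 at or after
    the last failure means one of the guessed passwords worked."""
    attempts = defaultdict(list)          # ip -> [(timestamp, status)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'].endswith('/wp-login.php'):
            attempts[rec['ip']].append((rec['ts'], rec['status']))

    findings = {}
    for ip, events in attempts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        # Largest number of failures that fit inside one sliding window.
        peak, start = 0, 0
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = failures[-1]
            findings[ip] = {
                'failures': len(failures),
                'peak_in_window': peak,
                'success_after_failures': any(
                    status == 302 and ts >= last_failure for ts, status in events),
            }
    return findings


if __name__ == '__main__':
    for ip, info in find_login_bots(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

An IP with `success_after_failures` set is the one to act on first: the account it logged into is compromised regardless of whether the user was called 'admin', which is the point of Decura's follow-up question. Renaming the account removes the obvious target but not the attack; rate-limiting wp-login.php and alerting on this pattern do.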

  • Decura
    • The Bug Hunter

    @espsjurs

    Perhaps I was not clear before. The first account with administrator access on my sites is not named 'admin'. My hosting provider has an option to name the admin account something else during the one-click installation. I am thus wondering if there is a reason besides the 'admin' name?

  • Tom Eagles
    • Syntax Hero

    @Decura

    This is why backups are so critical; I use BackupBuddy. This allows a rapid reinstall using a new database and MySQL username. Zap the trashed (hacked) site, use the restore option and you're good to go; obviously change all admin usernames, passwords, etc.

    Cheers

  • Imperative Ideas
    • HummingBird

    This is a crazy set of answers.

    Decura, follow these steps.

    1. Create a new WordPress, locally, using the same SALT hash as your current site (it's in wp-config.php)

    2. Create an administrative user with the exact same name as the compromised one

    3. In wp_users, copy the "user_pass" hash

    4. In your live DB, replace the hash of the compromised user with the new one

    Presto, you are now back in control.
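The hash swap Imperative Ideas describes can be done without a second WordPress install, because WordPress's portable phpass hash carries its own 8-character salt inside the `$P$B...` string and does not use the keys and salts in wp-config.php (those protect cookies and nonces). The following Python is an added example, not code from this thread or from WordPress itself: it reimplements the `$P$` portable hash as wp-includes/class-phpass.php computes it for WordPress's iteration setting (8192 MD5 rounds), verifies a password against a stored hash, and prints the UPDATE statement to run in phpMyAdmin. The table prefix `wp_` and the helper names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Alphabet used by phpass (wp-includes/class-phpass.php) for its base-64 variant.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64: 3 bytes -> 4 chars, low bits first, no padding."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
        if i >= count:
            break
    return ''.join(out)


def _crypt_private(password: bytes, setting: str) -> str:
    """phpass crypt_private: '$P$' + count char + 8-char salt, then iterated MD5.
    Returns '*0' (phpass's error marker) for anything that is not a portable hash."""
    if setting[:3] not in ('$P$', '$H$'):
        return '*0'
    count_log2 = ITOA64.find(setting[3:4])
    if not 7 <= count_log2 <= 30:
        return '*0'
    salt = setting[4:12]
    if len(salt) != 8:
        return '*0'
    digest = hashlib.md5(salt.encode('ascii') + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def wp_hash_password(password: str, salt_bytes: Optional[bytes] = None) -> str:
    """Hash the way WordPress's wp_hash_password() does with PasswordHash(8, TRUE):
    gensalt_private writes ITOA64[8 + 5] == 'B', i.e. 2**13 = 8192 MD5 rounds.
    salt_bytes exists only for reproducible tests; leave it None for a random salt."""
    if salt_bytes is None:
        salt_bytes = os.urandom(6)
    setting = '$P$' + ITOA64[13] + _encode64(salt_bytes, 6)
    return _crypt_private(password.encode('utf-8'), setting)


def wp_check_password(password: str, stored: str) -> bool:
    """True if password matches a stored $P$ hash (constant-time comparison)."""
    if stored.startswith('*0'):          # never let the error marker match itself
        return False
    return hmac.compare_digest(_crypt_private(password.encode('utf-8'), stored), stored)


def reset_sql(user_login: str, new_hash: str, prefix: str = 'wp_') -> str:
    """The UPDATE to paste into phpMyAdmin. Hash characters are all in [./0-9A-Za-z$],
    so only user_login needs its single quotes doubled. The 'wp_' prefix is an assumption."""
    login = user_login.replace("'", "''")
    return f"UPDATE {prefix}users SET user_pass = '{new_hash}' WHERE user_login = '{login}';"


if __name__ == '__main__':
    new_hash = wp_hash_password('correct horse battery staple')
    print(reset_sql('siteowner', new_hash))
```

Two caveats a practitioner will want. WordPress also accepts a bare, unsalted MD5 in `user_pass` and re-hashes it on the next successful login, so `UPDATE wp_users SET user_pass = MD5('newpassword') WHERE user_login = '...'` is the quick manual route, at the cost of a weak hash sitting in the table until that login happens. And recent WordPress releases write new hashes in a bcrypt-based format while still verifying the `$P$` portable format above, so a hash produced here still logs in on a current install.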

  • paul_pichugin7
    • WPMU DEV Initiate

    I've had the unfortunate experience of having to recover a hacked wordpress install.

    I had to log into my cPanel / phpMyAdmin, find the admin account in the SQL, clear out the password and put in a new one with the hash.

    While you are in there, make sure you change the admin account email address; this is usually one of the first things hackers change after compromising a system.

    I then log into WordPress and check for any extra admin accounts that they may have created, check if they've created any content (pages/posts/media), and remove it.

    The final step is trying to figure out how they got access and preventing it from happening again.

    One of the common things they do is upload a back door shell script that gives them free rein on the server, and in some shared hosting setups, it can actually spread from site to site. A typical suspect is c99shell. I manually check the directories for this, but I'm sure there is a tool out there or a WP plugin that will scan for it.

    Regards

    Paul

  • lol
    • The Incredible Code Injector

    Hi all,

    I bounced here after being invited by @Decura. :wink:

    As @Tom Eagles said, backups are essential. +1000!

    And it's so easy to crush a compromised site with a clean backup (you must be sure the backup itself is not compromised ...)

    I keep 15 days of automatic backups (on another server, and on a remote ftp).

    At worst, actually, the easiest way is to access the SQL database itself to change the admin password (even if it is only the email).

    But... a compromised site can never be considered healthy.

    I was hacked once on JustHost; I was unknowingly hosting a link farm in a subdirectory ... The hacker had intercepted my FTP account (I always suspected JustHost had leaked it).
