Remove Hidden Admin Users In WordPress

This video is 1280 x 720 – watch it in fullscreen to see the details.

This is, sadly, a report about the present. I read reports yesterday about an attack on all versions of WordPress except the very latest – 2.8.4. I have a bunch of sites that I maintain and many of them were pretty easy to upgrade by using the built-in automatic upgrade feature. I also have a few sites that are old and inactive. Those needed to be upgraded by hand. The thing that I noticed on ALL of the sites that were not already running 2.8.4 was that they had hidden admin users on them. The sneaky thing about that is that you may not have any other symptoms besides these hidden accounts and then think you are safe once you’ve upgraded. The are, essentially, back doors left on your site to be exploited later. So you have to make sure to get rid of them. The process is a little tricky – at least it’s not a typical WordPress user operation so I’ve documented two ways to do it in this screencast.

More info:
Old WordPress Versions Under Attack
WordPress Permalink & Rss problems
How to Keep WordPress Secure


14 thoughts on “Remove Hidden Admin Users In WordPress”

  1. Very cool of you to post this, Verdi. Saw your tweet yesterday about lots of hidden admins and have been checking my older blogs via phpMyAdmin. Fortunately, none have turned up, but lots of people are going to need this tutorial.

  2. We are running 2.71 and when I look at the source of the users page there is no code for superusers for any of the existing users.

    Is there a different method for 2.71?

    Also the auto-upgrades with WP are usually not a problem but if you are using plugins an upgrade may cause some plugins to fail if they are not compatible.

  3. the other thing I noticed is that the only user that shows up on the source page with a class of administrator is our legitimate admin log on.

    May be they fixed this in 2.71 or they hid it another way.

  4. John – it’s not fixed in 2.7.1. All versions except 2.8.4 are affected. They just haven’t gotten to you yet. I had 8 sites running old versions and 7 were affected.

  5. thanks so much for this little video 🙂
    no hidden gems on my site yet (is that the ultimate sign of an unpopular sitem when even hackers don’t touch it?!!)

    but i guess i should upgrade before they hunt me down 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s