If users with administrator permissions are being created without your authorization on your WordPress site updated to the latest version, it is likely that your installation has been compromised. These types of security breaches are critical and must be addressed immediately to avoid greater damage, such as losing control of the site or information theft.
Below, we explain step by step how to fix this issue and prevent future attacks.
1. Change all passwords.
The first step is to make sure that no attacker can continue accessing your system.
- Change the WordPress admin password.
- Change the database user password (MySQL).
- Change the FTP/SFTP access passwords.
- Change the hosting control panel password (such as cPanel, Plesk, DirectAdmin, or InterWorx).
2. Remove suspicious users.
Access the section Users > All Users In the WordPress admin panel, go to Users > All Users. Verify each user with an admin role. Delete any account you don't recognize or that has strange or suspicious names.
3. Review the file functions.php
The file functions.php the active theme file is one of the places where attackers often insert code to create users automatically.
- Access
wp-content/themes/como-hayas-llamado-al-child-theme/functions.php. - Look for functions like
wp_create_user,create_user,add_user_to_blog, o similares. - If you find code that you didn't add, delete it immediately after making a backup.
4. Reinstall WordPress
Even if your installation is up to date, the WordPress core files may have been modified. To make sure they are clean:
- Go to Dashboard > Updates.
- Click the "Reinstall Now" button.
This will replace the core files without affecting your content.
5. Scan the site for malware
Use a security plugin to scan your site for malicious files or suspicious behaviors. Some recommended options are:
These plugins can detect backdoors, modified files, and scripts that allow the creation of unauthorized users.
You can also contact a company specialized in Development and Security in WordPress, such as Impulsa3.Our technicians will help you regain control of your website.
6. Manually review the site files
Some attackers insert scripts in uncommon locations. Carefully examine:
wp-config.php.htaccess- Files in
wp-content/themes/andwp-content/plugins/ - Files with strange names or recently modified
It is also recommended to review the content of the file uploads, although it should normally not contain executable scripts.
7. Review the access logs
If your server has access logs enabled, review the IP addresses and the URLs recently requested. This will allow you to identify attack patterns and potential entry points.
8. Disable user registration if you don't need it.
Many sites do not require visitors to register. To prevent attackers from exploiting registration forms:
- Go to Settings > General.
- Make sure the "Anyone can register" option is disabled.
9. Implement a Web Application Firewall (WAF)
A Web Application Firewall helps block attacks before they reach WordPress. Some options are:
- Cloudflare (with security rules enabled)
- Sucuri Firewall
These services also offer protection against DDoS attacks and automated scans.
10. Set up two-factor authentication (2FA)
Enabling two-factor authentication for administrators and users with high-level permissions adds an extra layer of security. You can use plugins such as:
- Wordfence (includes integrated 2FA)
- WP 2FA
11. Keep WordPress, plugins, and themes up to date
It is essential to keep the entire ecosystem up to date to fix known vulnerabilities. Enable automatic updates or perform regular checks on:
- WordPress core
- Plugins
- Themes
12. Change the database table prefix
During installation, WordPress uses the default prefix wp_ for the tables. Changing this prefix makes some automated attacks more difficult.
This change requires editing the file wp-config.php and all the tables in the database, so it is recommended to make a backup before proceeding.
13. Restore a clean backup
If you have access to a backup from before the issue, consider restoring it. Make sure to clean any malicious code before bringing the site back online.
Conclusion
The appearance of unauthorized admin users in WordPress is a clear sign that your site has been compromised. Acting quickly is key to containing the damage, removing backdoors, and preventing future attacks. In addition to fixing the current issue, it is essential to implement permanent security measures to protect your site in the long term.
An aspect that many users overlook is the unnecessary exposure of real usernames through SEO tools. For example, if you use plugins like YoastSEOmake sure to disable the author sitemap if your site doesn't have multiple contributors or you don't need to display author pages publicly. Publishing these sitemaps can allow attackers to easily identify valid usernames in the system, which facilitates brute force attacks. brute force or user enumeration.
Security in WordPress is not only based on tools but also on proper configuration and continuous monitoring of the environment. Regularly review configurations, logs, and access to ensure your site is proactively protected.
