Website hacked and user keeps reappearing

Jonathan Duane
Jonathan Duane used Ask the Experts™
Hi Guys, i have a website and it got hacked. i have since hardened it up with a few different plugins, however i cant delete a user from Wordpress, it has admin roles, i have also tried deleting the user from phpmyadmin, i then notice that it reappears every few mins.

Any idea what to do?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2017

Check cron service start scripts,
Check all admin users, change password.
Limit admin accesss in Wordpress to ...

You are not providing much to go on.
Check cgi-bin to make sure .....


Ok, how can i check cron service start scripts?

I have checked all admin users, i have it down to one, i have deleted original "admin account" and created a new one

can i limit wordpress to just one login? where will i check cgi-bin?


here is the wp_users table, everytime i try and delete the wordcamp one it will just reappear.

I have checked all cron jobs and nothing seems to be out of order
How to Generate Services Revenue the Easiest Way

This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:

- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples

First thing I would do is make sure WP is updated to the latest version.

Second, disable all plugins, and I mean ALL. Then remove the user again and see if it reappears after a few minutes. If it doesn't, start re-enabling plugins starting with the security ones. Do them one at a time, and wait a few minutes after each one. If the user re-appears after a certain plugin has been enabled, then disable the last 3 plugins you did, delete the user again and verify that it doesn't reappear. Then enable all the other plugins except for the disabled 3 and then provide the names and versions of those 3 plugins here.

Third, check the access log and look for any POST entries that aren't coming from your IP, or any GET requests with strange query strings. There may be several legitimate ones in the log but look for IP addresses that are repeating over time. That may indicate a vulnerable page or plugin or theme.

Fourth, disable the xmlrpc API for WordPress unless you're using it.
As a fallback, if you can't get things fixed, you can also just change the password on that account (just edit the password in phpmyadmin and remove some of the characters to intentionally corrupt it). If there is a vulnerability related to inserting that specific username, then that could prevent the usage of the account while you get it figured out.
David FavorFractional CTO
Distinguished Expert 2018

Cleansing a site of hacks can be a long process... requiring many steps...

For example, if there's an old version of PHP running which is hackable... or FTP is running which is hackable... or WordPress is running using HTTP rather than HTTPS which is hackable...

All entry points must be closed before starting with WordPress.

As a first step, provide a clickable URL of your site.

Any updates?

The question was closed as answered - does that mean the problem is solved? I'm always curious to know the resolution.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial