Your Dedicated Partner for All Things WordPress

WordPress Hacked: Admin Users Added – Fake or New Admin Users Added

Table of Contents

The real problem of WordPress hacked begins when there are new fake admins added in your WordPress panel. If you detected and eliminate this issue, there won’t be any more problems. Hence, your website is pretty much secure. Don’t forget that you should remove them immediately which you probably have already done. But removing them is not enough. You will have to prevent them from reading. Surely, you won’t be adding the admins. There is an automated code that does the entire thing by itself.

We will see a complete tutorial on how you can fix the WordPress hacked issue where fake or new admin users are added automatically.

WordPress hacked issue: New admin added

Let’s represent the issue first before we get into the method to remove the code. Here is what happens when your WordPress is hacked.

  • You will see new admin users in your admin panel. This might be genuine admin users or it could be some random email who has admin access to your WordPress website.
  • Thereafter, you might also see some of the suspicious activities on your website or you would be just seeing some new users with no new activities
  • It could be just the users with admin access or you would see a lot of users being added in your users’ panel.

We will see the solution to all of these problems.

So, the main question is why something like this happens? It is always the malicious code due to this the issue happens. There are good chances that the problem arises due to the vulnerable code or malicious code in your current WordPress installation. Therefore, there aren’t many things to worry about. This doesn’t mean that you can ignore the problem completely. You will have to solve this WordPress hacked issue where new and fake admins are added as soon as possible.

Here are a couple of reasons why new admin are added in your website

  • You installed a plugin or theme from an unknown source. This could be a nulled plugin or theme. Alternatively, you would have downloaded it from the place which is not a trusted theme provider. Hence, this issue might have arisen
  • If you gave your WordPress access to anyone else, they might have added the code
  • You didn’t update your WordPress, theme, or plugin.
  • Your web hosting provider was hacked. Hence, you should use secure hosting.

Whatever the reason is, we will see the competition for a guide to remove it.

Remove the admins

The first thing that we need to do is to remove the new admins before they start to make the changes in your WordPress website or take over your entire website. So, the first thing we will do is remove the admins. Many ways are using which you can easily. We will be talking about a couple of ways you can do so.

Remove from dashboard

The first and the easiest way to remove new admins is through your WordPress dashboard. If you have admin access then you can easily remove the new admins by logging in.

All you have to do is log in to your WordPress dashboard and then you need head over to Users > All Users where you will see the complete list of the admins. You can easily remove them and continue to the next step.

You can either filter out the users and remove all the admins except you or you can just mark the users and remove them.

Further, you can use plugins like Bulk delete to set certain conditions to delete users. It will help you to remove the users based on certain conditions. For instance, you can remove all the users or admins whose accounts were created after a certain date or at a certain date. This becomes very useful when you have a website with a large user base. The website will let you delete all the data easily without any issue.


Now, if you don’t have access to your WordPress panel, you can use this technique to delete all the admin users. Here, you will directly delete the users from the database. For that, you will have to log in to your cPanel or web hosting panel. Inside it, you will find an option for PhpMyAdmin. You need to click on it and then you will see various databases there.

You need to select your WordPress database from this. Now, you will have to find the table with the name wp_users. You will find all the users directly there. You can select the users and delete them.

Before you delete all the users, we will do a small step. This is where we will reset our password back to the original one. So, find your username in the user’s panel and do the following steps.

  • Head over to your username and if you can’t find your username there, you can go to any admin username
  • Click on the edit button right next to the username
  • Now, you will have to go to the user_pass field. Select md5 from the dropdown
  • Enter a new password in the password field
  • Hit the go button and you are all set.

Now, you will see that the password has been changed to the new one. You can also change the user email and other stuff.

Scanning the website

The next step you need to take is to scan the website for viruses. We will see the exact way on how you can scan your website for viruses.

Here, there are two main ways we will scan the website. This will make sure that all the infected files are detected. In this way, you can fix the WordPress hacked issue easily.

Use the security plugin

We will use a security plugin here to scan the entire website. WordPress directory consists of many plugins that you can install. Some of the plugins are free whereas some of them are the premium ones.

You can use one of these plugins to find the malicious code on your website.

  • WordFence
  • Sucuri
  • iThemes Security

These plugins come with a security scanner that will scan your website. You can install and activate the plugin. Your next step would be to run a scan for your website. Make sure you scan the entire directory for the virus. In this way, you will find all the infected files. Most of these tools also have an exploit scanner. So, it will find security issues on your website.

Run the scan and wait till it completes. It will then show you the list of infected files. There will be an option to fix all the files. You can fix it and if the tool is not able to fix it, you can just list down the files. We will see it in the next section on how you can remove it.

Using a virus scanner

The next method we will use to scan the website is by using a virus scanner. Your cPanel or your hosting provider will have a virus scanner that you can use. You can head over to your cPanel and find the virus scanner option. From there, you need to run another scan. Make sure you click on the “Entire home directory”. It will scan all your websites and hence, it will take some time to complete the scan. You can exit the page and complete your other works. It will work on the server-side. Therefore, you don’t need to keep the page open.

The rest of the steps are the same as above. It will show you a list of infected files. There will be an option to fix the files. You can quarantine those files which will stop it from infecting.

However, if nothing works and you can’t remove the files. You need to remove the malicious code using a different method. So, first, make sure you have a list of infected files. You can then follow all the steps given below. We will now see how you can remove the malicious code from the website.

Removing the malicious code

Now, it is time to remove the code that has affected your entire website. We will see the exact method on how you can remove the code. There are a couple of ways you can do it.

Restore from the backup

One of the easiest ways you can get back your WordPress website is to restore the old backup. If you have taken the old backup, you can simply restore the backup and you will get your website as it was.

You need to restore the backup which was created before you installed any new plugins or themes. This might not be the most compatible way for most people are they might lose some of the important data.

Therefore, this is not a feasible method for many people. If you can’t use it, there is nothing to worry about. We will see another method using which you can do the whole process easier. This is where we will replace the files with the original one.

Replace the files

The next method you can use is to replace the files with the original ones. In the scanning phase, we listed out the infected files. So, here we will replace those files with the original version of the file.

All you need to do is download the files from the source. You can visit the theme or plugin provider’s website and download it from there. You will get a zip file. If you have downloaded it from the WordPress directory, you can open it from another tab and download it. Now, your next step will be to open the zip and find the files.

You will now have to replace the infected files with the original one. Make sure you take a backup of the file before you head over to the main file. The same applies to the core WordPress files.

If it doesn’t work, we have got the one last way to fix your website.

Fixing the files manually

The last step is where you will fix the files manually. You can open the infected files. You can either go to cPanel, right-click on the file and select code edit from there. The other way is to download the file and open it in an editor. Further, you should look for the infected code in the file.

It will be the encrypted code that is visible from the normal code. Usually, it is a bunch of letters mixed and it forms no sense. It is an encrypted code. You will have to remove the code to make sure that everything works fine.

After editing the code, save the file or upload the file back to your server.

Now, you will have to rescan the website to make sure that there are no more infected files. If you find one, repeat the same things.

Securing your website

Here are some of the security tips to follow which will safeguard your website in the future. As a result, new admins won’t be added on your WordPress website.

  • Make sure you have an active security plugin which monitors your website
  • Change the passwords of your WordPress panel, email, hosting account, FTP, SSH, etc.
  • Remove the extra admin users
  • Use strong password
  • Make sure you only install the themes and plugins from a trusted and reliable source.
  • Never use nulled or pirated plugins. Also, don’t use themes or plugins from an unknown source.
  • Don’t give you admin access to unknown people.
  • Delete the unwanted plugin
  • Limit the login attempts

Final words

To conclude, this was all about how you can prevent the website from adding fake admin users. Make sure you follow all the steps to fix your website. Also, scan the website again to make sure that you have successfully cleaned the infected files. Also, follow all the security tips that we gave in the last. It will help you in securing your WordPress website.

How to Clean a Hacked WordPress Website using WPServices?

WPServices provides a risk-free WordPress malware removal service. 30 day money back guarantee, the most complete WordPress security plugin called iThemes Security Pro (worth $199 / year) + advanced security setup, and repeated hack protection for up to 1 year is included in the WordPress cleanup service. All of this has an industry best pricing – starting from / fixed website.

We value your time and thank you for reading our blog. So, we would like to show our appreciation by giving you an additional 10% discount on our malware removal service. Use coupon code WPAOSBLOG10 at the checkout.

Frequently asked questions

How can I prevent unauthorized access to my WordPress site and protect against hackers adding fake admin users?

Implementing strong security measures is essential to prevent unauthorized access to your WordPress site and protect against hackers adding fake admin users. This includes using complex passwords, implementing two-factor authentication, regularly updating WordPress core, themes, and plugins, and installing a security plugin to monitor and block suspicious activities.

If I suspect my WordPress site has been hacked and fake admin users have been added, what steps should I take to regain control and secure my site?

If you suspect your WordPress site has been hacked and fake admin users have been added, it’s crucial to take immediate action to regain control and secure your site. Start by changing all passwords associated with your site, including those for admin accounts, FTP, and hosting control panels. Then, scan your site for malware using a security plugin, remove any suspicious files or scripts, and update all themes and plugins to their latest versions. Finally, consider contacting your hosting provider or a security expert for further assistance and advice.

Can fake admin users added by hackers cause any additional security risks or vulnerabilities on my WordPress site?

Fake admin users added by hackers can pose significant security risks and vulnerabilities on your WordPress site. These fake accounts can be used to carry out malicious activities such as installing malware, injecting malicious code, or stealing sensitive information. Additionally, fake admin users may have elevated privileges that allow them to access and modify critical settings or data within your site. Therefore, it’s essential to identify and remove these fake accounts promptly to mitigate any potential damage or compromise to your site’s security.

Are there any warning signs or indicators that my WordPress site may have been hacked or compromised by fake admin users?

Several warning signs or indicators may suggest that your WordPress site has been hacked or compromised by fake admin users. These include unusual or unauthorized changes to user accounts, unfamiliar admin users added to your site, unexpected modifications to site settings or content, suspicious activity logs or error messages, and sudden decreases in site performance or search engine rankings. If you notice any of these signs, it’s essential to investigate further and take immediate action to secure your site.

How can I strengthen the security of my WordPress site to prevent future hacking attempts and unauthorized access by fake admin users?

To strengthen the security of your WordPress site and prevent future hacking attempts and unauthorized access by fake admin users, consider implementing the following measures:

  • Regularly update WordPress core, themes, and plugins to their latest versions.
  • Use strong, unique passwords for all user accounts and implement two-factor authentication.
  • Install a reputable security plugin to monitor and block suspicious activities, such as login attempts and file modifications.
  • Limit access to the WordPress admin area by IP address or through a VPN.
  • Implement a web application firewall (WAF) to protect against malicious attacks and traffic.
  • Regularly backup your site’s files and database and store backups securely offsite.
  • Educate yourself and your team about common security threats and best practices for maintaining a secure WordPress site.

How to get started?

Learn more

WordPress Hacked?

Get your WordPress website fixed today!

Get Started

WordPress Maintenance

Save 33% with our Annual pricing plan.

Get Started

Coupon Code Applied!

Take your time and continue browsing our services.

Alexey Seryapin
Founder of WPServices