What this problem is
You find user accounts you did not create, often with administrator privileges.
Why it happens
- Compromised admin credentials
- Vulnerable plugin/theme allows privilege escalation
- Stolen hosting credentials (FTP) used to inject code
Prerequisites
- wp-admin access (or database access if admin is compromised)
- Logs access (recommended)
Diagnosis
Check each account's registration date, the IP addresses in your access logs (if available), and whether deleted accounts reappear; an account that comes back after deletion points to a backdoor rather than a one-off break-in.
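As an added illustration of the diagnosis step (not part of the original guide), the following Python audits a WordPress user export against an allowlist of known administrators and the logins removed in an earlier cleanup pass, flagging unknown admins, recently registered accounts and accounts that have come back. The JSON is constructed sample data in the shape `wp user list --format=json` produces; the field names and the audit date are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of `wp user list --format=json`
# (field names assumed; IDs, logins and dates are made up).
CURRENT_USERS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
  "user_registered": "2021-03-02 10:15:00", "roles": "administrator"},
 {"ID": 7, "user_login": "editor_jane", "user_email": "jane@example.com",
  "user_registered": "2022-06-14 09:00:00", "roles": "editor"},
 {"ID": 42, "user_login": "wp_support", "user_email": "support@example.net",
  "user_registered": "2024-05-01 03:12:44", "roles": "administrator"},
 {"ID": 43, "user_login": "backup_admin", "user_email": "x@example.org",
  "user_registered": "2024-05-03 02:40:10", "roles": "administrator"}
]"""

KNOWN_ADMINS = {"siteowner"}              # admins the site owner actually created
PREVIOUSLY_REMOVED = {"backup_admin"}     # logins deleted in an earlier cleanup
AUDIT_TIME = datetime(2024, 5, 10)        # constructed "now" for the sample


def audit_users(users_json, known_admins, previously_removed, now, recent_days=30):
    """Return a list of suspicious accounts with the reasons they were flagged."""
    findings = []
    for user in json.loads(users_json):
        roles = set(user["roles"].split(","))
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        # Any administrator not on the allowlist is an unknown privileged account.
        if "administrator" in roles and user["user_login"] not in known_admins:
            reasons.append("unknown administrator")
        # A login that was deleted and exists again means something re-created it.
        if user["user_login"] in previously_removed:
            reasons.append("reappeared after deletion (backdoor likely)")
        # Recent registrations deserve a look regardless of role.
        if now - registered <= timedelta(days=recent_days):
            reasons.append(f"registered within last {recent_days} days")
        if reasons:
            findings.append({"ID": user["ID"], "login": user["user_login"], "reasons": reasons})
    return findings


def demo_findings():
    """Run the audit over the constructed sample."""
    return audit_users(CURRENT_USERS_JSON, KNOWN_ADMINS, PREVIOUSLY_REMOVED, AUDIT_TIME)


if __name__ == "__main__":
    for finding in demo_findings():
        print(f"[{finding['ID']}] {finding['login']}: " + "; ".join(finding["reasons"]))
```

Cross-check flagged IDs against `user_registered` in the database and the corresponding timestamps in your access logs to find the request that created them.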
Detailed steps
Step 1) Immediately remove unknown users
Delete the accounts and, if they own any content, reassign it to a trusted user.
Step 2) Reset all admin passwords and enable 2FA
Force password resets for privileged users.
Step 3) Update and scan
Update WordPress core, plugins and themes, then scan for malware and backdoors. Look for recently modified or unexpected files in plugin and theme directories.
Step 4) Check database and wp-config.php
Look for injected code in the database and in wp-config.php, and regenerate the SALT keys (this invalidates existing login cookies).
Expected results
- Unknown accounts removed and site secured
What to do if it fails
- If users reappear, the site still has a backdoor. Restore from a backup taken before the compromise and patch the vulnerability that let the attacker in.
Best practices
- Use least privilege, 2FA, and limit admin users to the minimum