Remove Hidden Admin Users In WordPress

This video is 1280 x 720 – watch it in fullscreen to see the details.
MP4 Download

This is, sadly, a report about the present. I read reports yesterday about an attack on all versions of WordPress except the very latest – 2.8.4. I have a bunch of sites that I maintain and many of them were pretty easy to upgrade by using the built-in automatic upgrade feature. I also have a few sites that are old and inactive. Those needed to be upgraded by hand. The thing that I noticed on ALL of the sites that were not already running 2.8.4 was that they had hidden admin users on them. The sneaky thing about that is that you may not have any other symptoms besides these hidden accounts and then think you are safe once you’ve upgraded. They are, essentially, back doors left on your site to be exploited later. So you have to make sure to get rid of them. The process is a little tricky – at least it’s not a typical WordPress user operation – so I’ve documented two ways to do it in this screencast.
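The screencast shows the two manual checks (the Users page source and phpMyAdmin); the point of both is that the rogue accounts are ordinary rows in wp_users and wp_usermeta, so whatever hides them in the dashboard does not hide them from a direct database query. The following is an added example, not code from the post or from WordPress itself: it lists every account whose capabilities meta grants the administrator role, flags any login that is not on your own list of known admins, and removes a flagged account. It runs offline against an in-memory SQLite copy of the two tables with constructed sample rows; the table and column names, the default `wp_` prefix, and the PHP-serialized capabilities format are WordPress's real ones, so the same SELECT can be pasted into phpMyAdmin, while the sample users and the `known_admin_logins` set are assumptions for the demo.

```python
"""Audit a WordPress database for administrator accounts, independent of
what the Users screen shows. Added example; not the post's or WordPress's code."""
import re
import sqlite3

PREFIX = "wp_"  # table prefix; assumed default, adjust to your wp-config.php

# Constructed sample rows standing in for a live wp_users / wp_usermeta.
# User 3 is the kind of account the post describes: an administrator nobody created.
SAMPLE_USERS = [
    (1, "verdi", "verdi@example.com", "2009-01-10 12:00:00"),
    (2, "editor_jane", "jane@example.com", "2009-02-01 09:00:00"),
    (3, "", "nobody@example.invalid", "2009-09-03 03:12:44"),
]
SAMPLE_USERMETA = [
    (1, PREFIX + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, PREFIX + "capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, PREFIX + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Roles are stored as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}.
# This pattern pulls out every role name whose value is true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

# Same query works in phpMyAdmin / mysql against the live tables.
ADMIN_QUERY = f"""
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM {PREFIX}users AS u
JOIN {PREFIX}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{PREFIX}capabilities'
ORDER BY u.ID
"""


def build_sample_db():
    """Create the two WordPress tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(f"""
        CREATE TABLE {PREFIX}users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE {PREFIX}usermeta (
            umeta_id INTEGER PRIMARY KEY AUTOINCREMENT,
            user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany(f"INSERT INTO {PREFIX}users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany(
        f"INSERT INTO {PREFIX}usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        SAMPLE_USERMETA)
    conn.commit()
    return conn


def list_admins(conn):
    """Return every user row whose capabilities meta grants 'administrator'."""
    admins = []
    for row in conn.execute(ADMIN_QUERY):
        roles = ROLE_RE.findall(row["meta_value"])
        if "administrator" in roles:
            admins.append(dict(row))
    return admins


def find_unexpected_admins(conn, known_admin_logins):
    """Flag administrator accounts whose login is not in your own allowlist.
    A blank or unfamiliar login, or a registration date you don't recognise,
    is exactly what the post's hidden accounts look like in the database."""
    known = set(known_admin_logins)
    return [a for a in list_admins(conn) if a["user_login"] not in known]


def remove_user(conn, user_id):
    """Delete a user and its meta rows. Back the database up before doing this
    on a live site. Returns the number of wp_users rows removed (0 or 1)."""
    conn.execute(f"DELETE FROM {PREFIX}usermeta WHERE user_id = ?", (user_id,))
    cur = conn.execute(f"DELETE FROM {PREFIX}users WHERE ID = ?", (user_id,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    for a in find_unexpected_admins(db, {"verdi"}):
        print(f"unexpected admin: ID={a['ID']} login={a['user_login']!r} "
              f"email={a['user_email']} registered={a['user_registered']}")
```

The check keys on the capabilities row rather than on anything the dashboard renders, which is why it still works when the Users screen has been tampered with; the allowlist is the part you supply, since only you know which administrators are legitimate on a given site.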

More info:
Old WordPress Versions Under Attack
Wordpress Permalink & Rss problems
How to Keep WordPress Secure

11 Comments

  1. Posted September 6, 2009 at 2:25 pm | Permalink

    Very cool of you to post this, Verdi. Saw your tweet yesterday about lots of hidden admins and have been checking my older blogs via phpMyAdmin. Fortunately, none have turned up, but lots of people are going to need this tutorial.

  2. Posted September 6, 2009 at 4:55 pm | Permalink

    Yep I found one! Thanks.

  3. Posted September 6, 2009 at 6:41 pm | Permalink

    Wow. Wish I would have watched this yesterday. I deleted my entire site when I tried to upgrade. Have to start from scratch. Sucks.

  4. Bjørn
    Posted September 7, 2009 at 3:53 am | Permalink

    Thanks a lot :-) I found a little bugger! He is no more!
    Great stuff!

  5. John
    Posted September 7, 2009 at 7:01 am | Permalink

    We are running 2.71 and when I look at the source of the users page there is no code for superusers for any of the existing users.

    Is there a different method for 2.71?

    Also the auto-upgrades with WP are usually not a problem but if you are using plugins an upgrade may cause some plugins to fail if they are not compatible.

  6. John
    Posted September 7, 2009 at 7:08 am | Permalink

    the other thing I noticed is that the only user that shows up on the source page with a class of administrator is our legitimate admin log on.

    May be they fixed this in 2.71 or they hid it another way.

  7. Posted September 7, 2009 at 7:11 am | Permalink

    so glad you showed this. i hadn’t seen any documentation of this. just that everyone had to update. didn’t know the fake users were hidden. yikes!

  8. Verdi
    Posted September 7, 2009 at 9:42 am | Permalink

    John – it’s not fixed in 2.7.1. All versions except 2.8.4 are affected. They just haven’t gotten to you yet. I had 8 sites running old versions and 7 were affected.

  9. Posted September 10, 2009 at 7:01 pm | Permalink

    thanks so much for this little video :)
    no hidden gems on my site yet (is that the ultimate sign of an unpopular site when even hackers don’t touch it?!!)

    but i guess i should upgrade before they hunt me down :)

  10. Posted September 23, 2009 at 1:22 am | Permalink

    Thanks for this mate! I have been looking for this since I noticed my blog has hidden admins. I tried looking in phpMyAdmin and they are there, but this method is a lot easier ;)

  11. Posted October 26, 2009 at 11:59 am | Permalink

    Woot! Thanks so much!!!

2 Trackbacks

  1. [...] http://reports.graymattergravy.com/2009/09/06/remove-hidden-admin-users-in-wordpress/ a few seconds ago from web [...]

  2. [...] is a great video from Reports from the Future on how to remove the fake admin users who come in through the bathroom window to mess with your [...]
