👤usuário admin desconhecido wordpress criado por hacker

WordPress Unknown Admin User Removal

Finding admin users you did not create in your WordPress dashboard is a clear sign your site has been compromised. Hackers create admin accounts to maintain persistent access even after the initial breach vector is closed.

⚡ Response in minutes🔒 No data loss🛠️ WP-CLI + FTP + SSH✅ Same-day fix🌎 Remote — works anywhere

Why Does This Error Happen?

Most common causes we diagnose:

▸Unauthenticated WordPress REST API exploitation (CVE in old version)

▸wp-cron.php or xmlrpc.php exploited to create accounts

▸Compromised plugin with user creation backdoor functionality

▸SQL injection into wp_users table bypassing WordPress auth

▸Compromised existing admin account used to create additional backdoor accounts

How We Fix It — Step by Step

Systematic, fast, and safe process:

Remove all unauthorized users immediately

Delete all admin users you did not create. Also check for editor and author roles with suspicious email addresses.

Change all remaining admin passwords

Immediately reset passwords for all legitimate admin accounts using strong, unique passwords with 2FA if possible.

Investigate and close the entry point

Check server logs for the REST API endpoint, xmlrpc.php calls, or SQL injection that created the unauthorized accounts, then block that entry point.

Dealing with this right now?

Our WordPress expert responds in minutes.

Frequently Asked Questions

QHow do hackers create admin users in WordPress without my password?

Several ways: exploiting unauthenticated REST API endpoints in old WordPress versions, using SQL injection, exploiting xmlrpc.php, or using a password reset token obtained via email compromise.

QIs it enough to just delete the unknown admin user?

No — the unknown admin is a symptom, not the cause. You must also find and close the security vulnerability that allowed the account to be created, otherwise new ones will appear.

QHow could a new admin user appear in my WordPress without me creating it?

Three main ways: an attacker exploited a plugin vulnerability (REST API, auth bypass) to call wp_insert_user; an attacker stole credentials and created the user manually; or a backdoor file silently calls user creation functions on demand.

QCan I just delete the unknown admin to fix the problem?

Removing the user is necessary but NOT sufficient. The vulnerability that allowed creation is still there. Without closing the entry point, the attacker creates a new admin within hours. Full hardening is required.

QHow do I tell if the unknown admin already changed things on my site?

Check: WordPress activity log plugins (Stream, WP Activity Log), wp_users registration date, recently modified theme/plugin files, new posts/pages, modified .htaccess. We do a comprehensive forensics audit.

QCan the unknown admin user have access to customer/payment data?

Yes. WordPress admin users have access to all user data (emails, addresses), order data, and any data plugins store. Assume sensitive data exposure when unknown admin existed for any duration.

QWill resetting all admin passwords prevent more unknown admins?

Partly. It cuts off any access via stolen passwords. But if the entry point is a plugin vulnerability or backdoor file, attackers create new admins without needing passwords. We close the actual vulnerability.

QHow do I find when the unknown admin was created and by whom?

wp_users.user_registered shows the timestamp. user_meta wp_capabilities shows when admin role was assigned. Server access logs around that time show the IP and user-agent of the request that created the user.

QCan the unknown admin be using a fake legitimate-looking name?

Yes. Common attacker tactics: names like 'wpsupport', 'admin2', 'backup', 'wp-admin', or your real name slightly modified. We compare against a baseline of known users you confirm.

QWill WordPress notify me when a new admin user is created?

Only if you have a security plugin or custom code for it. Default WordPress doesn't send admin creation notifications. We install monitoring that emails you instantly when any admin user is created.

QCan I find every privileged action the unknown admin took?

Limited without a pre-installed activity log. We can check: file modification timestamps within the user's active period, post/page audit logs (if WP Stream or similar was active), and wp_usermeta for tracked actions.

QShould I notify all real users when an unknown admin existed?

Yes — best practice. Send a security notification: brief description of the incident, what data may have been accessed, what you've done to fix it, and any recommended actions (password change, etc.). Transparency rebuilds trust.

QCan a database-only attack create admin users without any file changes?

Yes. SQL injection attacks can directly INSERT into wp_users and wp_usermeta tables, bypassing PHP entirely. We check for unusual database access patterns and lock down DB user permissions.

QWill reinstalling WordPress core remove unknown admin users?

No. Users live in the database, not in core files. Reinstalling core only updates wp-includes/wp-admin/index.php files. We remove unknown users via the wp_users table directly with WP-CLI or SQL.

QHow do I prevent unknown admin user creation in the future?

Five layers: 1) keep all plugins/themes updated, 2) install a WAF blocking REST API user creation from non-authenticated requests, 3) limit /wp-login.php to known IPs, 4) require 2FA for all admins, 5) enable activity log monitoring for instant alerts.