1000+ ‘Admin Users’

I just logged in into a client’s wp backend after a noticed a weird blog post. I checked the author name, and it was a name i didn’t recognize.
Went to check users, and there were 1000+ admins. This client rejected my suggestions to get wordfence and HideMyWpGhost last year after i recovered the site from a hack.
I am deleting the users, but what else do i do?

I’ll find time to go through plesk tomorrow see if there are any unusual new files

  1. Is the client paying you for maintenance? If so, insist on Wordfence. Or just install it anyways.

    Otherwise, charge for your time.

  2. If the client allows it, install the Members plugin and set up roles so that only users with a certain role can write/add blog posts or become admins. I would lock down the site au complet. But only after you’re sure the site isn’t hacked, of course.

    If your client isn’t listening to you, the problem will keep happening. Maybe you need to get them to sign a waiver that they refused to use a security plugin etc. Plus their hosting could kick them off if they’re not taking measures to keep the site secure.

  3. Does or did the site have elementor plugin installed?

    There was a notorious elementor hack that allowed admin creation.

  4. Oh man. This website and maybe the server are hosed.

    You need to do a merge and compare of all the files with an old backup. Winmerge

    But then you have to wonder if the server is compromised.

  5. IMHO you didn’t remove the ‘hack’ completely. Prob some obscure function stated behind that if someone visits domain.com/4÷×%<654=%>8>^%××@%8&<9(%’xvni8754edfyhgiigsdj8tfviudhj7nnfdcjid a new admin is created..


This site will teach you how to build a WordPress website for beginners. We will cover everything from installing WordPress to adding pages, posts, and images to your site. You will learn how to customize your site with themes and plugins, as well as how to market your site online.

Buy WordPress Transfer