Hidden Administrator user?

What’s going on? Short answer – your WordPress account has been hacked.

More than likely you have been running an old version (i.e. not the current one) and you have succumbed to an exploit.

The two telling signs are that you have two administrator users (one that you cannot see), and that your permalink structure has changed. There are other things as well, but they are the two main ones.

A more detailed discussion can be read here.

First and foremost, you should be making sure you have a backup of all your files and SQL database (it should be a regular thing anyway!) before making any changes.

Note: All care but no responsibility is taken with the accuracy of this post.

To find the hidden user, go to the /wp-admin/users.php page and click the link near the top of the page to view only Administrators. The page will not show the hidden administrator, but you can “view source” of this page, and you’ll find the additional username somewhere in the HTML. The key thing to find is the user id, which then can be used with the following URL (substituting the hacker’s user id for xx):


Once you’re in the page to edit the user, you can change its role back to ‘Subscriber’ and delete the bogus ‘first name’ field. (You’ll also have to insert an email address so that you can save your changes – just enter any old email address.) After saving the changes, return to the normal user list, select this user and delete it.

Upgrade your WordPress to the latest version, and don’t forget to change your permalink structure. I would also suggest changing your admin password, and having a read of this page to consider other actions to secure your WordPress install.
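
As a cross-check on the view-source step above, administrator roles can be read straight from the database instead of from what users.php renders. This is an added example, not part of the original post: it runs the query against an in-memory SQLite stand-in filled with constructed rows, assumes the default wp_ table prefix, and the expected-admin list plus the markup and empty-email heuristics are this example's own assumptions.

```python
import sqlite3

# Constructed sample rows. Table and column names follow the default WordPress
# schema with the default "wp_" prefix (an assumption: adjust to your install).
SAMPLE_USERS = [(1, "admin", "owner@example.com"),
                (2, "editor_bob", "bob@example.com"),
                (7, "example_hidden", "")]
SAMPLE_META = [(1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
               (1, "first_name", "Site"),
               (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
               (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
               (7, "first_name", "<b>constructed placeholder</b>")]

# Reads roles from the database, so it does not depend on what users.php renders.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, COALESCE(f.meta_value, '') AS first_name
FROM wp_users u
JOIN wp_usermeta c ON c.user_id = u.ID AND c.meta_key = 'wp_capabilities'
LEFT JOIN wp_usermeta f ON f.user_id = u.ID AND f.meta_key = 'first_name'
WHERE c.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""

def build_sample_db():
    """In-memory stand-in for the WordPress database, for this example only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return db

def audit_admins(db, expected_logins):
    """Return (admin_rows, suspicious) where suspicious lists (id, login, reasons)."""
    rows = db.execute(ADMIN_QUERY).fetchall()
    suspicious = []
    for user_id, login, email, first_name in rows:
        checks = [(login not in expected_logins, "not in expected admin list"),
                  ("<" in first_name or ">" in first_name, "markup in first_name"),
                  (not email, "empty email")]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            suspicious.append((user_id, login, reasons))
    return rows, suspicious

if __name__ == "__main__":
    for user_id, login, reasons in audit_admins(build_sample_db(), {"admin"})[1]:
        print(f"user id {user_id} ({login}): {', '.join(reasons)}")
```

The same SELECT statement can be run against the live MySQL database; the ID column it returns is the user id needed for the edit step.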

Finally, thanks to the guys at NachoTech. The post there helped me sort out and fix my WP issues without any loss of data.



    • jenny
    • December 14, 2011

    Our site was hacked and there was a hidden Admin user. Tried what you suggested but had no joy
    – eventually went into MySQL database and changed my “admin” ID from ID=2 to ID=1 and that resulted in having a hidden subscriber instead of a hidden admin
    So then I went back to MySQL DB and deleted the “subscriber”
    – did a search in cpanel/file manager and found that they had added .htaccess files everywhere – in wp-includes folders and plugins folders
    hope this helps someone and saves them the four hours I spent !!
