I recently logged into the WordPress dashboard for my eCommerce site and discovered several Administrator accounts that neither my business partner nor I created. We haven't checked the user list in months, so these accounts might have been around for a while. Strangely, the site seems to be functioning normally, but I'm concerned. Here are some details:
- I had installed a plugin called File Manager Advanced earlier, which I've since learned has a troubling history of security issues.
- We also had many outdated plugins and themes at the time we noticed the problem.
- While the store appears to be operating without any unusual orders, I want to understand how serious this could be and the right steps to take for a cleanup without disrupting our eCommerce setup.
Given all this, I have several questions:
1. Does the presence of unknown Administrator accounts definitely mean my site was hacked, or could there be a legitimate explanation?
2. What key areas should I inspect to check for any hidden backdoors?
3. Should I examine theme files, the uploads directory, scheduled tasks, or the database user table for suspicious activity?
4. Is it enough to just delete the rogue accounts, change passwords, run Wordfence, and regenerate SALT keys, or should I consider doing a complete reinstall of the WordPress core?
5. Is the File Manager Advanced plugin a likely entry point for an attack in this situation?
6. I would love to hear from anyone who's dealt with similar silent compromises. I really want to fix this properly without messing up the store.
Thanks for your help!
4 Answers
First, take a full backup of all your files and database and store it on an external drive or USB stick. Then, follow through with the advice here: reinstall everything using the latest versions and make sure plugins are verified. Changing passwords and adding multi-factor authentication (MFA) is also a smart move to add extra security.
Agreed! Backups are the first step in protecting your data.
Don’t just think about cleaning; you should 'nuke it' from orbit! Once you see unknown accounts, it's time to wipe everything. Create a fresh WordPress installation, verify all plugins are secure, and meticulously check your backups for clean data before restoring anything. Worrying about 'breaking the store' should be the least of your concerns when security is at risk; your store is compromised already.
Exactly! Starting fresh is the best way to ensure everything is safe.
Couldn’t agree more! Security must come first.
This situation sounds like a major red flag! You've likely encountered a compromise. Those Administrator accounts are probably from different attackers exploiting vulnerabilities, especially if plugins were outdated. Given that the File Manager Advanced plugin has a shady history, it's a huge suspect here. You can't really check existing files reliably for breaches, so I recommend a complete reinstall of WordPress along with your themes and plugins, then import your database and media folder. Just make sure to clean your uploads directory thoroughly beforehand.
Exactly! It's better to play it safe and start fresh rather than risk lurking backdoors.
Totally agree, starting fresh is the way to go. You can't be too careful with these things.
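One way to triage the uploads directory before restoring it into a fresh install, as the answer above recommends. This is an added example, not code from the thread; the extension list, the reason strings and the sample file names are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumed list of extensions a PHP-enabled server may execute; extend for your host.
EXEC_EXT = {"php", "php5", "php7", "phtml", "phar", "pht"}
CONFIG_NAMES = {".htaccess", ".user.ini"}  # per-directory server overrides
PHP_TAG = b"<?php"

def contains_php(path, chunk=1 << 20):
    """Scan the whole file in chunks so code appended after image data is found."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            buf = tail + block
            if PHP_TAG in buf.lower():
                return True
            tail = buf[-(len(PHP_TAG) - 1):]  # overlap across chunk borders
    return False

def audit_uploads(root):
    """Return sorted (relative_path, reason) pairs that need manual review."""
    findings = []
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        rel, lower = p.relative_to(root).as_posix(), p.name.lower()
        if lower in CONFIG_NAMES:
            findings.append((rel, "server config override"))
        elif any(part in EXEC_EXT for part in lower.split(".")[1:]):  # also x.php.jpg
            findings.append((rel, "executable extension"))
        elif contains_php(p):
            findings.append((rel, "PHP code in non-PHP file"))
    return sorted(findings)

def demo():
    files = {  # constructed sample tree with harmless contents, not from the page
        "2024/01/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2024/01/banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"<?PHP echo 1; ?>",
        "2024/02/thumb.php.jpg": b"\xff\xd8\xff\xe0",
        "cache/x.php": b"<?php // placeholder",
        ".htaccess": b"# placeholder",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_uploads(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:26} {rel}")
```

Run `audit_uploads()` against an offline copy of the backed-up uploads folder and review every finding by hand; some plugins place their own placeholder or config files there, so a hit is a prompt to inspect, not proof of a backdoor.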
1. Yes, it likely confirms that your site has been hacked.
2. Expect backdoors left behind.
3. You can sift through files, but it’s tricky.
4. A full reinstall is best to be certain. If vulnerable plugins are involved, assume the worst.
5. Yes, File Manager can be an attack vector, but any outdated plugin poses risks.
6. If you can, consider rebuilding the site on a fresh server with updated tools to fully mitigate threats. Expect that your customer data may be compromised.
Definitely! Starting over is tough but necessary.
Always better to be safe! Automated attacks can be nasty.

A backup is crucial! You can never be too careful.