Unknown admin account on WordPress

An admin you never created shows up in WordPress? That's a clear sign of a hack. Here's how to remove it without locking yourself out, and close the door behind it.

By WP-Detox

You open your WordPress user list and find an admin account you don’t recognize: a name you never typed, an email address that isn’t yours, a registration dated a few days ago. This isn’t a display glitch or a forgotten former coworker. An unknown admin account on WordPress is one of the clearest signs of a hack, and it calls for a precise response, not a quick delete.

where this account you never created comes from

Three mechanisms explain almost every case.

Exploited open registration. If the “anyone can register” option is on and the default role has been tampered with, an attacker can create an account and then bump it up the ranks. Even without open registration, some form or membership plugins let unintended signups slip through.

Privilege escalation through a vulnerable plugin. This is the most common scenario. A flaw in a plugin or theme lets an ordinary visitor promote themselves to administrator, or create an admin account directly. The account then looks legitimate to WordPress.

Direct injection into the database. When the attacker already has a foothold in the database (through another flaw, or stolen access to phpMyAdmin), they insert a row into the wp_users table and assign it the administrator role in wp_usermeta. No trace in the login logs: the account simply appeared.

In all three cases, the result is the same: someone else has full control over your site.

deleting the account isn’t enough

This is the most important point, and the one most people miss. You spot the account, you delete it, you feel relieved. But an attacker who managed to create an admin almost always left another way in: a backdoor in a .php file, a scheduled task, a second hidden account. A few hours later, a new admin reappears.

Deleting the account treats the visible symptom. You also have to cut off the access that allowed it to be created. In practice, that means chaining together the account removal, a change of every password, closing open sessions, then a full cleanup of the site. Skip a step and you leave the door ajar.

If you want the full picture, see the other signs of a hacked site: an unknown account rarely comes alone.

spotting the account in Users

Log in to /wp-admin, go to Users, then filter by the Administrator role. Look for:

  • a username you didn’t create, often a random string of characters;
  • an unknown email address, sometimes on a sketchy domain;
  • a recent registration date that doesn’t match anything you did.

Make a note of the username and email before you touch anything: you’ll use them to cross-check against the database later.

watch out for hidden accounts

A careful attacker makes sure their account doesn’t show up in this list. Injected code (in the theme’s functions.php, in a fake plugin, or through a WordPress filter) hides the account from the admin display while keeping it fully functional. You see nothing under Users, and yet the admin exists.

The only reliable way to flush them out is to look at the wp_users table directly in the database. Open phpMyAdmin from your host, select your site’s database, and list the administrators with this query:

SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
INNER JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%';

If your table prefix isn’t wp_ (check the $table_prefix line in wp-config.php), adjust wp_users, wp_usermeta, and wp_capabilities accordingly, for example xyz_users and xyz_capabilities.

Compare the result with the admin list. Any account present in the database but missing from the Users screen is hidden on purpose: that’s direct confirmation of a hack.
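To make that cross-check repeatable, here is an added Python example (not WP-Detox's code) that runs the article's join against a constructed in-memory SQLite copy of wp_users and wp_usermeta, applies the prefix read from a wp-config.php line, parses the PHP-serialized capabilities instead of relying on LIKE, and flags any administrator missing from the Users screen. The sample rows, the prefix line and the set of logins visible under Users are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for a site's wp_users and wp_usermeta tables.
USERS = [
    (1, "owner", "owner@example.com", "2021-03-02 10:00:00"),
    (2, "editor_jane", "jane@example.com", "2022-06-14 09:30:00"),
    (3, "x7qk2z", "admin@suspicious.example", "2024-05-01 03:12:45"),
]
# Capabilities are stored PHP-serialized; the meta_key carries the table prefix.
CAPS = [
    (1, 'a:1:{s:13:"administrator";b:1;}'),
    (2, 'a:1:{s:6:"editor";b:1;}'),
    (3, 'a:1:{s:13:"administrator";b:1;}'),
]

def table_prefix(wp_config_text):
    """Read $table_prefix from the contents of wp-config.php (WordPress default: wp_)."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]+)['\"]", wp_config_text)
    return m.group(1) if m else "wp_"

def has_role(serialized_caps, role):
    """True when the role is a key set to true in the serialized array; stricter than
    LIKE '%administrator%', which also matches longer role names or a key set to false."""
    return re.search(r's:%d:"%s";b:1;' % (len(role), re.escape(role)), serialized_caps) is not None

def list_admins(conn, prefix):
    """The article's join, with the prefix applied to both tables and to the meta_key."""
    sql = (f"SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value "
           f"FROM {prefix}users u INNER JOIN {prefix}usermeta m ON u.ID = m.user_id "
           f"WHERE m.meta_key = ? ORDER BY u.ID")
    rows = conn.execute(sql, (prefix + "capabilities",)).fetchall()
    return [(uid, login, email, reg) for uid, login, email, reg, caps in rows
            if has_role(caps, "administrator")]

def hidden_admins(db_admins, visible_logins):
    """Admins present in the database but absent from the Users screen."""
    return [a for a in db_admins if a[1] not in visible_logins]

def build_demo_db(prefix="wp_"):
    """In-memory SQLite stand-in for the site's database (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {prefix}users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT)")
    conn.execute(f"CREATE TABLE {prefix}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany(f"INSERT INTO {prefix}usermeta VALUES (?, ?, ?)",
                     [(uid, prefix + "capabilities", caps) for uid, caps in CAPS])
    return conn
```

Against a real site, point `list_admins` at a connection to the live database and pass the logins you actually see under Users to `hidden_admins`; anything it returns is the hidden account the article describes.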

removing it cleanly, without losing content

When you delete an account that has published posts, pages, or products, WordPress asks what to do with that content. Choose Attribute all content to and select a legitimate account (your own). If you check “delete all content,” you risk wiping out real publications the attacker may have edited or signed.

For a hidden account spotted only in the database, don’t delete it by hand in phpMyAdmin unless you know what you’re doing: you have to clean up both wp_users and the related rows in wp_usermeta. The safest approach is to first neutralize the code that hides it (see the cleanup below) so the account reappears in the admin, then delete it normally with content reassignment.

changing passwords and regenerating the security keys

Once the rogue account or accounts are gone, close off every existing point of access.

Change the password on each legitimate admin account, with a long, unique password. While you’re at it, check that no subscriber or contributor has been promoted to administrator: in the user list, go through the other roles and confirm nobody has a level they shouldn’t.

Next, regenerate the security keys (salts) in wp-config.php. These keys sign the session cookies: changing them instantly logs everyone out, including any attacker with an open session. Go to the official generator at api.wordpress.org/secret-key/1.1/salt, copy the block it generates, and replace the matching lines in wp-config.php:

define('AUTH_KEY',         '...');
define('SECURE_AUTH_KEY',  '...');
define('LOGGED_IN_KEY',    '...');
define('NONCE_KEY',        '...');
define('AUTH_SALT',        '...');
define('SECURE_AUTH_SALT', '...');
define('LOGGED_IN_SALT',   '...');
define('NONCE_SALT',       '...');

Paste the eight new lines in place of the old ones. Everyone will have to log back in, which is normal and intended.
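As an added example (not the article's or WordPress's own code), this Python script rotates the eight defines locally with the operating system's random generator instead of fetching them from api.wordpress.org, and refuses to write the file if any of the eight is not found, so no old key survives the rotation. The wp-config.php path and the character set used for the values are assumptions.

```python
import re
import secrets
import string

# The eight defines the article tells you to replace in wp-config.php.
SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
# Letters, digits and punctuation that are safe inside a PHP single-quoted string
# (no quote, no backslash), so the value can be pasted as-is. Assumed character set.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"
DEFINE_RE = re.compile(r"define\(\s*'(" + "|".join(SALT_KEYS) + r")'\s*,\s*'[^']*'\s*\);")

def new_salt(length=64):
    """One fresh key from the OS CSPRNG (secrets); 64 characters, as the official generator produces."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Return (new_text, missing): the config with every salt define rewritten,
    plus the keys that were NOT found. Write the file back only when missing is empty:
    a key still holding its old value keeps the cookies it signs valid."""
    seen = []
    def replace(match):
        seen.append(match.group(1))
        return f"define('{match.group(1)}', '{new_salt()}');"
    new_text = DEFINE_RE.sub(replace, config_text)
    return new_text, [k for k in SALT_KEYS if k not in seen]

def salt_values(config_text):
    """Map of key -> current value, to confirm the rotation actually changed them."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\);", config_text)}

def rotate_file(path):
    """Rewrite wp-config.php in place; refuse if any of the eight defines is missing."""
    with open(path, encoding="utf-8") as f:
        new_text, missing = rotate_salts(f.read())
    if missing:
        raise RuntimeError(f"not rewriting {path}: defines not found: {missing}")
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
```

Back up wp-config.php before calling `rotate_file`, then log back in to confirm the site still loads; the only expected effect is that every existing session is invalidated.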

closing the way in

What’s left is to shut down the mechanism that allowed the account to be created.

In Settings > General, review the Anyone can register option (users_can_register). If you don’t need public signups, uncheck it. Just below, the New User Default Role (default_role) should be Subscriber, never Administrator or Editor. A tampered default role is a wide-open path for an attacker.

Then clean the site: this is the step that removes the backdoor and the code hiding the accounts. Update the core, the theme, and every plugin, delete the ones you don’t use, and inspect functions.php along with recently modified files. The detailed walkthrough is in the full guide for when WordPress is hacked. Once the site is clean, secure WordPress so it doesn’t happen again.

frequently asked questions

The unknown account hasn’t published anything, can I just delete it? Deletion is necessary but not sufficient. Until you’ve changed the passwords, regenerated the salts, and cleaned the backdoor, the account can reappear. Do the steps in order.

I don’t see any suspicious admin in the dashboard, am I safe? Not necessarily. Hidden accounts don’t show up in the Users screen. Run the SQL query on wp_users above and compare: that’s the only way to confirm there’s no hidden admin.

Will regenerating the salts break my site? No. It simply logs out every user, who will have to log back in. Content, settings, and plugins are untouched.

you’d rather not touch it

If all this feels risky, or if you want certainty that nothing was missed, WP-Detox handles it. A free scan finds abnormal admin accounts, including those hidden in the database, and the backdoors that let them be recreated. If an infection is confirmed, the cleanup takes about 30 minutes: removing the rogue accounts with legitimate content reassigned, changing the access credentials, regenerating the keys, and a full cleanup of the site. A backup is taken before any action. Flat rate of €149, all in, refunded if the cleanup fails.
