I have 2 WordPress MultiSite installs (on different accounts, but under the same HostGator reseller a/c) and both seem to have been compromised. I say “compromised” because the user_logins have been modified (somehow) and “hidden users” are being shown via WP Admin.
I attempted to login to the installs which are both up-to-date (3.1) MultiSites. I use 1Password (with 50-character alpha + numerical + symbolic passwords) so weak passwords are not the hole. My logins (which I use every day) were rejected so I knew there was trouble.
I can access phpMyAdmin and sure enough the user_logins and user_email had been modified. And if I change them via phpMyAdmin, 5 mins later they were re-edited (now it seems I can’t even do this). Interestingly, I don’t think you can change a username in WP Admin (it is ghosted and uneditable). Does this mean they are hacking in external to WP Admin in order to change this?
Also, in the User Dashboard, 3 users are displayed, but the count (up the top) indicates there are 5 users in total. Super Admin is a similar story – it shows the tally as “3 Super Admins” but only 1 is displayed. (I have checked the source code and used Web Dev tools to try and find hidden content in these admin pages, but no joy).
I had hoped to add new Super Admin and delete old super admin (after porting posts to new user admin user). But I am unable to delete the original Super Admin user (ID=1) even after creating new Super Admin and removing Super Admin privileges from ID=1. When I click “delete” (on hover of User ID=1) nothing happens; the page simply refreshes.
HostGator have been surprisingly helpless, arguably hopeless, and VERY slow to deal with this matter, which is ongoing. Can anyone give me some advice or help in any way?
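The mismatch the poster describes (a tally of 5 users but 3 listed, "3 Super Admins" but 1 shown) is worth reconciling directly from the database rather than from the admin screens, since anything running inside WordPress can filter what those screens display. The following is an added example, not code from the original thread: it reads constructed stand-ins for rows of wp_users, wp_usermeta and wp_sitemeta (the `wp_` table prefix, the user names and the `shown_in_ui` set are all assumptions made up for the example), decodes the PHP-serialized values WordPress stores there, and reports which accounts hold administrator capabilities, which logins are in the network's `site_admins` option, and which user IDs never appeared in the UI.

```python
import re
from typing import Any, Dict, Iterable, List, Tuple

# Constructed sample rows standing in for wp_users (ID, user_login, user_email),
# wp_usermeta (user_id, meta_key, meta_value) and wp_sitemeta. The "wp_" prefix
# and every name here are assumptions for this example, not data from the thread.
USERS = [
    (1, "admin", "owner@example.com"),
    (2, "editor", "editor@example.com"),
    (3, "author", "author@example.com"),
    (7, "backdoor", "x@example.net"),
    (9, "support", "y@example.net"),
]
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "wp_2_capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # role on blog_id 2
    (9, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
]
SITEMETA = {"site_admins": 'a:3:{i:0;s:5:"admin";i:1;s:8:"backdoor";i:2;s:7:"support";}'}

# Capability keys: "wp_capabilities" on the main site, "wp_<blog_id>_capabilities" per sub-site.
CAP_KEY = re.compile(r"^wp_(?:\d+_)?capabilities$")


def php_unserialize(data: str, pos: int = 0) -> Tuple[Any, int]:
    """Parse the subset of PHP's serialize() format WordPress uses for roles and
    site_admins: ints, bools, strings and arrays. Returns (value, next offset).
    PHP string lengths are byte counts; this ASCII-only sample ignores that."""
    kind = data[pos]
    if kind in "ib":
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if kind == "i" else raw == "1"), end + 1
    if kind == "s":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                                   # skip ':"'
        return data[start:start + length], start + length + 2  # skip '";'
    if kind == "a":
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                                     # skip ':{'
        items: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            value, pos = php_unserialize(data, pos)
            items[key] = value
        return items, pos + 1                               # skip '}'
    raise ValueError(f"unsupported serialized type {kind!r} at offset {pos}")


def super_admins(sitemeta: Dict[str, str]) -> List[str]:
    """Network super admins are the logins listed in the serialized site_admins option."""
    arr, _ = php_unserialize(sitemeta["site_admins"])
    return [arr[i] for i in sorted(arr)]


def administrators(usermeta: Iterable[Tuple[int, str, str]]) -> Dict[int, List[str]]:
    """Map user_id -> capability keys under which that user holds 'administrator'."""
    found: Dict[int, List[str]] = {}
    for user_id, key, value in usermeta:
        if not CAP_KEY.match(key):
            continue
        roles, _ = php_unserialize(value)
        if roles.get("administrator"):
            found.setdefault(user_id, []).append(key)
    return found


def audit(users, usermeta, sitemeta, shown_in_ui) -> Dict[str, Any]:
    """Reconcile the database's account list with the IDs the admin screen displayed."""
    ids = {uid for uid, _, _ in users}
    return {
        "total_users": len(ids),
        "not_shown": sorted(ids - set(shown_in_ui)),
        "super_admins": super_admins(sitemeta),
        "administrators": administrators(usermeta),
    }


if __name__ == "__main__":
    from pprint import pprint
    # shown_in_ui is the set of IDs visible on the Users screen (constructed).
    pprint(audit(USERS, USERMETA, SITEMETA, shown_in_ui={1, 2, 3}))
```

Run against a real install the same three queries would be made with the site's actual prefix (`SELECT ID, user_login, user_email FROM wp_users`, the `*capabilities` rows of `wp_usermeta`, and `site_admins` from `wp_sitemeta`), and every ID in `not_shown` or every login in `super_admins` that the poster does not recognise is an account to remove and a sign that code inside the install is hiding it.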
I would first of all change the password for phpMyAdmin because I think they must be getting through the DB. Next thing, if that doesn’t work, bite the bullet and do a clean install, but back up all the posts and maybe the comments if you want to.
Are you using any pirated plugins or themes? I’ve seen this happen on a couple of client sites because they installed a plugin they didn’t want to buy a licence for, a lot of warez releasers will put hidden code into plugins and themes that executes when it’s installed and each subsequent load.
Although there are a couple of host-based exploits affecting Mediatemple and Hostgator around that I know of that can cause this kind of thing. It’s unusual for a rogue user to be created; usually your site is hijacked and redirected to a rogue pharmacy website or something.
If I were you, I’d change your site theme to the default and see if the accounts stop being recreated and changes made. Then if that isn’t the issue, disable your plugins one by one until you see it stop. If that doesn’t work, core files have been compromised and you’ll have to do a reinstall.
WordPress exploit code usually likes to hide in the wp-includes folder and then a few levels down in the TinyMCE themes directories. Hope this helped.
PS. Install the aforementioned plugin ‘Bulletproof Security’ and a plugin called ‘Vaccine’ which will both be a huge help.
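Before deciding on a reinstall, the "core files have been compromised" step above can be checked rather than guessed: hash every file in the live install and compare it with a freshly downloaded copy of the same WordPress version, which surfaces both tampered core files and files dropped into directories like the TinyMCE themes tree. The block below is an added example, not code from this thread or from WordPress; it builds a constructed clean/suspect pair of directories in a temp folder (the file names and contents are invented for the example) and reports what was added, removed or modified between them.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set, Tuple


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file's root-relative POSIX path to its SHA-256 digest."""
    digests: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(clean: Path, suspect: Path) -> Dict[str, Set[str]]:
    """Files present only in the suspect tree, only in the clean tree, or with
    differing content. 'added' is where dropped files show up; 'modified' is
    where tampered core files show up."""
    a, b = hash_tree(clean), hash_tree(suspect)
    return {
        "added": set(b) - set(a),
        "removed": set(a) - set(b),
        "modified": {p for p in set(a) & set(b) if a[p] != b[p]},
    }


def build_fixture() -> Tuple[Path, Path]:
    """Construct a tiny clean/suspect pair in a temp dir, standing in for a fresh
    WordPress download and the live install. All paths and contents are made up."""
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean, suspect = base / "clean", base / "suspect"
    files = {
        "wp-includes/functions.php": b"<?php // constructed core file\n",
        "wp-includes/js/tinymce/themes/advanced/editor_template.js": b"// constructed\n",
        "wp-content/plugins/hello.php": b"<?php // constructed plugin\n",
    }
    for root in (clean, suspect):
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
    # Simulate what the answer describes: one dropped file deep under the TinyMCE
    # themes directory and one core file with an appended line.
    extra = suspect / "wp-includes/js/tinymce/themes/advanced/skins/default/img/x.php"
    extra.parent.mkdir(parents=True, exist_ok=True)
    extra.write_bytes(b"<?php /* constructed stand-in for a dropped file */\n")
    (suspect / "wp-includes/functions.php").write_bytes(
        b"<?php // constructed core file\n// constructed appended line\n"
    )
    return clean, suspect


if __name__ == "__main__":
    clean_dir, suspect_dir = build_fixture()
    for kind, paths in compare_trees(clean_dir, suspect_dir).items():
        for p in sorted(paths):
            print(f"{kind:9} {p}")
```

Against a real site, `clean` would be an unpacked download of the same release (the version in wp-includes/version.php) and `suspect` the live document root. Everything under wp-content is site-specific and will appear as "added", so that directory is reviewed separately; a hit in `modified` under wp-admin or wp-includes, or a .php file in `added` under a directory that should only hold images or JavaScript, is the evidence that makes the reinstall decision for you.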