wp admin user name has been changed by someone - wordpress

As the administrator of my website (WordPress with WooCommerce), I was unable to log in to my website's wp-admin panel. Then I tried to log in with another user name and it logged me in successfully; then I saw that the name of my admin user had been changed. I am amazed. How did it happen? Who did it, and why?
Please suggest what I should do.
How can I avoid such an incident again?
In case the culprit who did it changes the name of my second WordPress user in the next attempt, what should I do?
I am afraid: if the culprit changes the names of all my WP users, what should I do?

It seems to be a hacking attack.
So I suggest you first upgrade your plugins and themes.
Then don't forget to scan your whole site with Wordfence.
Then secure it with Wordfence; I suggest using its pro version, I really find it useful.
Then tell your hosting provider to scan and make sure there is no security issue there.
Note: Don't forget to remove your FTP and extra admin accounts, or at least change their passwords.
Your task is done.
If you are still confused, consult with an expert like me.

Block or delete the mentioned admin account
Install a security plugin like Wordfence
Scan your whole site (with the plugin); it's very likely a backdoor has been installed for future attacks
Change all passwords of admin accounts and advise your users to do the same
Change the passwords of your FTP, database and possible webserver-interface (if the username was changed, it's likely done directly inside the database)

Related

Wordpress user is able to login but can't find it in the database

So, I have an admin user on WordPress; I can log in, post, update, install plugins, etc.
But when I try to find my user name or email in the database WordPress is using (in the wp-config file), I'm not able to locate it, and mine is not the only user I'm not able to find in the database.
Now, I came to this discovery because our WordPress site was hacked not long ago. I'm going through the files, and I see some random code at the top of index.php and other files.
I clean up and get rid of this code, and the files too (aindex.php, ajax-index.php, etc.).
At some point in the middle of the night, some file is creating these files and inserting this random code again. So I need to do this every morning, otherwise the WordPress admin doesn't work. Any insight on this too will be very much appreciated.
Anyway, is it possible that whoever hacked the site is making WordPress store new users in an external database?
Thanks, any help will be appreciated.
Note: I'm using Wordfence, WP security, Cerber Security, Defender and iThemes Security to help scan the files.
In relation to your first point, users are not stored in wp-config.php. They are stored in the database - you can access the database via your domain.com/phpmyadmin (depending on the database manager you're using).
Within the database tables you will find wp_users and wp_usermeta where the information you are looking for will be stored.
You can have a look at this page for some more information.

Wordpress login with true username & password failed

I am managing a WordPress site. Recently, I have had trouble with the login system. Even though I give the right username and password, it gives me the login page again and again instead of redirecting me to the dashboard.
The solution I usually use is dropping all the tables in the database and importing them again. It temporarily fixes the problem, but it is still possible for the problem to exist.
Does anybody know what exactly the problem is?
With a WordPress login issue where you have the 100% correct username and password and it does not give you a username/password incorrect error but just takes you back to the login form, it is mostly due to some security measure by some plugin or theme. Most probably a plugin; it could be JetPack's security feature, or any other security plugin like Bulletproof Security Plugin & AIO Security (as was the case in OP's situation).
To find out whether it is a plugin, and which one, I suggest a quick workaround: FTP/SSH to your server, rename the plugins folder to plugins-old, create a new blank plugins folder for now, and try to log in. If you can log in perfectly this time, then it is some plugin, most probably a security-related plugin. Now you can go back to FTP and restore the plugins folder, and then you will have to activate/disable the plugins one by one to see which plugin might be the issue.
I have faced this issue many times in the past and the above approach has always helped me get it fixed.

Stop Hacks to Wordpress Site - New User Added

My apologies in advance if I am posting it in the wrong forum.
I have a WordPress site. Every couple of days, a new user is added as an "Administrator" as shown below
I have changed my password many times using complex passwords but to no use. I even searched on Google and have read links like this one.
I have also unchecked the option "Anyone can register"
However, I am unable to stop them from registering.
Fortunately, no malicious activity has been noticed (Ex: Deletions/Unwanted posts etc)
Please advise me on what I can do to stop these?
You clearly have a more serious compromise, like an uploaded malicious script or an unpatched vulnerability. You need to rebuild your site from scratch (clean install of the current versions of WP and any plugins and themes, using a known-good database export) ASAP before something really bad happens.
Unfortunately, it's impossible to say what happened without digging through your server. My guess is that somebody exploited a vulnerability and uploaded a script. It could be anything: a hole in the WP core, a plugin, or a theme; a malicious plugin or theme; a stolen password; a breach of another site on the same server; or a number of other things.
Regardless of what happened, the only safe fix is to rebuild the site. If you have data backups, you can achieve this in a few hours.
I strongly recommend installing the security plugin WordFence to help prevent similar problems in the future. (I have no affiliation with WordFence, but use it on a number of sites.)
Finally, you might want to read this discussion on security.stackexchange.com. The consensus in this situation is "nuke it from orbit." Good luck!
Someone is making a SQL injection in your site.
If you want to prevent this in future, you should do some things.
Rebuild your website from scratch.
Install some of the security plugins, like Bulletproof Security, Wordfence, iThemes Security. I suggest you buy the license for Bulletproof, or use the free version plus one of the others. And be careful about equal settings.
The most common attacks are SQL injection, XSS, plugin exploits and of course brute-forcing the admin password. You should upgrade every plugin and WordPress every time you see a new version.
Use fewer plugins. They are one of the main reasons for hacked websites. If you use Linux, I can tell you how to scan your website for vulnerabilities. Or just tell me the URL, and I will tell you the results.
Also change your /wp-admin path; there are a lot of bots that search the web and make brute-force attacks.
It is also important to use an admin username different from admin or Admin, and to use strong passwords. It's good practice, when you make a new WordPress installation, to create two more users. The first will be an Author and will post everything on the site; the second you should create with the Administration role. After that, delete the first admin user and start using the new one.
Hackers know that almost every time the user with id:1 is the admin, so they can try to access it again. In this case your admin will have id:3, and again, don't use a username like admin, etc.
Best regards and wish you luck.
Kasmetski
Check index.php, wp-admin/index.php to see if they have been modified. Usually the following line of code is added to the top of the index.php file. A code starting with 'required' is usually added.
The file being ‘required’/’included’ here contains malicious code which is executed along with each run of WordPress. Such code can generate fake pharma pages, Japanese SEO spam pages and other malware infections.
Delete the #require code from the file after comparing it with the contents of the core WP files from its GitHub repository.
Check if there are any new files in the root of the server or /wp-admin folder that were not created by you. Some of the files that you may find are:
Marvins.php
db_.php
8c18ee
83965
admin.php
buddy.zip
dm.php
If you find any of the above suspicious files, take a backup and delete them.
Source: https://www.getastra.com/blog/911/fix-wordpress-admin-dashboard-wp-admin-hack/
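One way to do the comparison against core files described above, as an added example (not from the original answer or its source): hash the root-level files and the wp-admin and wp-includes directories of the live site against an unpacked clean copy of the same WordPress version, and report modified and extra files. The directory trees are constructed in a temporary folder, and the allow-list of site-only files is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

EXPECTED_LOCAL = {"wp-config.php", ".htaccess"}  # assumption: legitimate site-only files
CORE_DIRS = ("wp-admin", "wp-includes")          # wp-content is site-specific, not compared


def _hashes(base: Path) -> dict:
    """Map relative path -> SHA-256 for root-level files and the core directories."""
    files = [p for p in base.iterdir() if p.is_file()]
    for d in CORE_DIRS:
        if (base / d).is_dir():
            files += [p for p in (base / d).rglob("*") if p.is_file()]
    return {p.relative_to(base).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}


def audit_core(site_dir, clean_dir) -> dict:
    """Compare a live site with an unpacked clean copy of the same WordPress version."""
    site, clean = _hashes(Path(site_dir)), _hashes(Path(clean_dir))
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "extra": sorted(f for f in site if f not in clean and f not in EXPECTED_LOCAL),
    }


def demo() -> dict:
    """Constructed sample trees: a clean copy and a site with tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        stock = "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
        for base in (clean, site):
            (base / "wp-admin").mkdir(parents=True)
            (base / "index.php").write_text(stock)
            (base / "wp-admin" / "index.php").write_text("<?php\n// dashboard\n")
        # Tampering: an extra require at the top of index.php, plus two files
        # the owner never created (names taken from the threads on this page).
        (site / "index.php").write_text(
            "<?php\nrequire 'constructed-dropper.php';\n" + stock[6:])
        (site / "aindex.php").write_text("<?php // constructed\n")
        (site / "wp-admin" / "dm.php").write_text("<?php // constructed\n")
        (site / "wp-config.php").write_text("<?php // site configuration\n")
        return audit_core(site, clean)


if __name__ == "__main__":
    print(demo())
```

Run on a schedule, the same comparison shows when files that were cleaned up have been recreated, as in the nightly reinfection described earlier on this page.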

DNN Wrong Password Reset link

I have problems when I force reset passwords for my website users.
When I use this option, the next time the user logs in they will be prompted to change the password. My website link is something like this: Server/MyPortal.
When users log in, instead of taking them to:
Server/MyPortal/default.aspx?ctl=PasswordReset&resetToken...
They are redirected to:
Server/default.aspx?ctl=PasswordReset&resetToken...
Which obviously takes them to a 404 not found page because it is missing MyPortal.
Can anyone please shed some light on this and help me to fix it? Thank you very much!
Ivan
What version of DNN are you on?
I would look at
Are you on the latest version?
Are your Portal Aliases configured properly? To check this, log in as a Super User, go to the Admin/Site Settings page for the portal in question, and find the Portal Aliases section; I believe that is under the Advanced tab. See if you have a misconfigured alias in there.
Another thing you might check, would be to check the Language files (admin/languages) to see if the password reset email could be modified there to include the proper portal URL. When editing language files in DNN you can edit System, Host, or Site.
You likely want to edit the SITE level if you have other websites running as well. Site level edits will only apply to that individual portal.

Is there a way to check WordPress logs? Like what actions admin has performed etc?

Hi friends, is there a way to check WordPress logs, like what actions the admin has performed, etc.?
Actually, I am working on a project and someone has deleted my page templates to trash and my site was down. I want to check who did this in my WordPress admin panel.
I don't think Wordpress has an event log, at least I've never heard of one or seen one. There is a login logger plugin, but it has to be installed and doesn't work retroactively.
In theory, it should be possible to get at least the IP address of the perpetrator from the normal Apache access logs, by searching them for all recent accesses to the /wp-admin folder. That is pretty cumbersome work, though.
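The access-log search described above, as an added example that is not part of the original answer: it filters Apache combined-format lines for wp-login.php and /wp-admin/ requests and groups them by client IP, keeping any action parameter visible in the URL. The log lines are constructed samples; actions sent in a POST body do not appear in an access log.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:02:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:02:14:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:02:15:02 +0000] "GET /wp-admin/post.php?post=42&action=trash&_wpnonce=constructed HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2024:09:01:44 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2024:09:02:10 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def admin_requests(log_text):
    """Yield (ip, time, method, path, action) for login and /wp-admin/ requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m["target"])
        if url.path != "/wp-login.php" and not url.path.startswith("/wp-admin/"):
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        yield m["ip"], m["time"], m["method"], url.path, action


def summarize(log_text):
    """Per client IP: count of admin-area requests and those carrying an action."""
    summary = defaultdict(lambda: {"requests": 0, "actions": []})
    for ip, time, method, path, action in admin_requests(log_text):
        summary[ip]["requests"] += 1
        if action:
            summary[ip]["actions"].append((time, method, path, action))
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```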
You can use a plugin for this: try Stream or its competitors.
You may try this Activity Log Plugin.
If you have tens of users or more, you really can’t know who did what.
This plugin tries to solve this issue by tracking what users do, and
displaying it in an easy to use and easy to filter view on the
dashboard of your WordPress site.
You can try User Activity Log - WordPress Plugin.
It helps you monitor and keep track of all the activities that occur on the admin side. It gives information about the log of all user activity, and the admin gets notified when a particular user is logged in.
The following is not about action logs, but error logs, but it is also helpful. If that happened and you have WooCommerce installed, you will have access to logs:
Admin panel->WooCommerce->Status-> a tab: [Logs]
