I have 2 WordPress MultiSite installs (on different accounts, but under the same HostGator reseller a/c) and both seem to have been compromised. I say “compromised” because the user_logins have been modified (somehow) and “hidden users” are being shown via WP Admin.
I attempted to login to the installs which are both up-to-date (3.1) MultiSites. I use 1PassWord (with 50 character alpha + numerical + symbolic passwords) so weak passwords are not the hole. My logins (which I use every day) were rejected so I knew there was trouble.
I can access phpMyAdmin and sure enough the user_logins and user_email had been modified. And if I change them via phpMyAdmin, 5mins later they were re-edited (now it seems I can’t even do this). * Interestingly, I don’t think you can change a username in WP Admin (it is ghosted and uneditable). Does this mean they are hacking in external to WP Admin in order to change this?
Also, in the User Dashboard, 3 users are displayed, but the count (up the top) indicates there are 5 users in total. Super Admin is a simular story – it shows the tally as “3 Super Admins” but only 1 is displayed. (I have checked the source code and used Web Dev tools to try and find hidden content in these admin pages, but no joy).
I had hoped to add new Super Admin and delete old super admin (after porting posts to new user admin user). But I am unable to delete the original Super Admin user (ID=1) even after creating new Super Admin and removing Super Admin privileges from ID=1. When I click “delete” (on hover of User ID=1) nothing happens; the page simply refreshes.
HostGator have been suprisingly helpless, arguably hopeless, and VERY slow to deal with this matter. Which is ongoing. Can anyone give me some advice or help in any way.
2 Answers
I would first of all change the password for phpMyAdmin because I think they moust be getting though the DB next thing is if that doesn’t work , but the bullet and do a clean install but backup all the post and maybe the comments if you want ot.
