Invisible WordPress admin users are artifacts sometimes left behind by a sloppy hacker, or left over after the cleanup of a hacked website.
As of yet, there is no automated way to remove these invisible WordPress users. Some phpMyAdmin mojo is necessary to remove them. This article covers how to remove the invisible user bits sometimes left behind in the database following a MySQL injection.
“phpMyAdmin may seem a bit intimidating at first. Think of it like a text editor for databases and you’ll be fine.”
The steps to removing invisible users in WordPress:
Be sure to use a backup plugin, like UpdraftPlus or BackupBuddy, to make a database backup.
These backup plugins will not only help you generate a backup in seconds, they’ll likewise allow you to recover your prior database with just a few clicks of your mouse. So seriously, don’t freak out – “your website will not be wiped clean by editing a couple database tables.”
Add a new Administrator (user)
This step isn’t strictly necessary, but I find it helpful in the scheme of things. Maybe you are still using Admin as your username? If that’s the case, this is a great opportunity to change it to something less guessable.
After creating your new user, log out, then log back in as the new Administrator.
Log into phpMyAdmin. Scary, huh?
I have to agree, phpMyAdmin is probably the most intimidating login screen you’ll encounter in your WordPress career.
You’ll find the username and password for your phpMyAdmin by viewing the text within your wp-config.php file:
Once logged in, find your database in the left column and click it once.
That will reveal a list of tables. We only care about two tables: wp_usermeta and wp_users.
Let’s start with wp_users. Click that table link and you’ll see something like this:
What’s important here are the numbers in the User ID column. Note how one is 2 and the other is 101011. These are good users in our installation. Hint: “Remember this.”
Ok, the truly scary part. Sorry, you’ll have to trust me on this. We are going to do a database query to identify the invisible users. Click the SQL tab.
Next, copy/paste the text below into the box and click the “Go” button at the bottom right.
select * from wp_usermeta where meta_value LIKE '%administrator%';
This runs a quick search for every user currently set as an administrator.
And now to the callback. After our search in #5 above, notice the extra users, Mr./Mrs. Sherlock?
Now kill the other users. Clicky-clicky on the big red X next to each bad user until your enemy has been defeated.
If you are victorious in your quest, you’ll see something like this when you refresh your WordPress dashboard Users list:
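Added example (not part of the original article): the manual comparison described above, matching the user IDs in wp_users against the administrator rows in wp_usermeta, can be done in a single read-only pass from the same SQL tab. It assumes the default wp_ table prefix; the capabilities meta key (wp_capabilities) carries the same prefix, so adjust both if your install uses a different one.

```sql
-- Added example, read-only. Assumes the default "wp_" table prefix.

-- 1) Every usermeta row granting the administrator role, next to the
--    matching wp_users row if one exists. A NULL user_login means the
--    role row has no visible account behind it.
SELECT um.umeta_id,
       um.user_id,
       um.meta_value,
       u.user_login,
       u.user_email,
       u.user_registered
FROM wp_usermeta AS um
LEFT JOIN wp_users AS u
       ON u.ID = um.user_id
WHERE um.meta_key = 'wp_capabilities'
  AND um.meta_value LIKE '%administrator%'
ORDER BY um.user_id;

-- 2) Only the leftovers: administrator rows whose user_id does not
--    appear in wp_users at all.
SELECT um.umeta_id,
       um.user_id,
       um.meta_value
FROM wp_usermeta AS um
LEFT JOIN wp_users AS u
       ON u.ID = um.user_id
WHERE um.meta_key = 'wp_capabilities'
  AND um.meta_value LIKE '%administrator%'
  AND u.ID IS NULL;

-- 3) How many other usermeta rows each missing user_id still owns
--    (nickname, session tokens, and so on), so nothing is overlooked
--    when deleting by hand.
SELECT um.user_id,
       COUNT(*) AS leftover_rows
FROM wp_usermeta AS um
LEFT JOIN wp_users AS u
       ON u.ID = um.user_id
WHERE u.ID IS NULL
GROUP BY um.user_id
ORDER BY um.user_id;
```

Any row in the first result whose user_login is present but that you do not recognise is a visible rogue administrator and should be reviewed from the WordPress Users screen as well.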