Invisible WordPress admin users are artifacts sometimes left behind by a sloppy hacker, or left over after the cleanup of a hacked website.
As of yet, there is no automated way to remove these invisible WordPress users. Some phpMyAdmin mojo is necessary to remove them. This article will cover how to remove those invisible user bits sometimes left behind in the database following a MySQL injection.
“phpMyAdmin may seem a bit intimidating at first. Think of it like a text editor for databases and you’ll be fine.”
The steps to removing invisible users in WordPress:
Be sure to use a backup plugin, like Updraft Plus or Backup Buddy, to make a database backup.
These backup plugins will not only help you generate a backup in seconds, they’ll likewise allow you to recover your prior database with just a few clicks of your mouse. So seriously, don’t freak out – “your website will not be wiped clean by editing a couple database tables.”
Add a new Administrator (user)
This step isn’t strictly necessary, but I find it helpful in the scheme of things. Maybe you are still using Admin as your username? If that’s the case, this would be a great opportunity to change that to something less guessable.
After creating your new user, log out, then log back in as the new Administrator.
Log into phpMyAdmin. Scary, huh?
I have to agree, phpMyAdmin is probably the most intimidating login screen you’ll encounter in your WordPress career.
You’ll find the username and password for your phpMyAdmin by viewing the text within your wp-config.php file:
Once logged in, find your database in the left column and click it once.
That will reveal a list of tables. We only care about two tables: wp_usermeta and wp_users.
Let’s start with wp_users. Click that table link and you’ll see something like this:
What’s important here are the numbers in the User ID column. Note how one is 2 and the other is 101011. These are good users in our installation. Hint: “Remember this.”
Ok, the truly scary part. Sorry, you’ll have to trust me on this. We are going to do a database query to identify the invisible users. Click the SQL tab.
Next, copy/paste the text below into the box and click the “Go” button at the bottom right.
select * from wp_usermeta where meta_value LIKE '%administrator%';
This will do a quick search for all currently set administrator users.
And now to the callback. After our search in #5 above, notice the extra users, Mr./Mrs. Sherlock?
Now kill the other users. Clicky-clicky on the big red X next to each bad user until your enemy has been defeated.
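The comparison in the two steps above can also be done in a single read-only query. This is an added example, not part of the original article; it assumes the default wp_ table prefix and that roles are stored under the wp_capabilities meta key, as in a stock WordPress install. The IDs 2 and 101011 are the article's sample "good" users and should be replaced with the IDs you noted from your own wp_users table.

```sql
-- Added example (not from the original article). Read-only: it changes nothing.
-- Assumption: default "wp_" table prefix. Adjust the table and key names if
-- your install uses a different prefix.
SELECT
    m.umeta_id,                 -- the wp_usermeta row you would delete
    m.user_id,                  -- compare with the IDs seen in wp_users
    u.user_login,               -- NULL when wp_users has no such ID
    u.user_email,
    u.user_registered,
    CASE
        WHEN u.ID IS NULL
            THEN 'SUSPECT: no matching row in wp_users'
        -- 2 and 101011 are the article's sample IDs; use your own here.
        WHEN m.user_id NOT IN (2, 101011)
            THEN 'REVIEW: not in your known-good list'
        ELSE 'known good'
    END AS verdict
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u
       ON u.ID = m.user_id
-- Only the role row, so other meta values that merely contain the word
-- "administrator" are not reported.
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
-- Rows without a wp_users match sort first.
ORDER BY (u.ID IS NULL) DESC, m.user_id;
```

Rows marked SUSPECT or REVIEW are the candidates to inspect before deleting anything. This query is narrower than the one in the article because it only looks at the wp_capabilities key.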
If you are victorious in your quest, you’ll see something like this when you refresh your WordPress dashboard Users list:
For those of you who arrived here after searching for the term, “how to delete a WordPress website”
Deleting WordPress is usually pretty straightforward. Though if your site is active, deleting your WordPress site will likely take your entire website down and all of your files with it. Proceed with care…
If you are not sure how to delete your WordPress website just click the chat link below and ask. I’m here to help.
Glad to have just saved you hours of research and potential re-hacking of your website. Possibly
Thanks man, it’s very helpful 🙂
David B says
Brilliant walkthrough, I found our functions.php had been hacked. Was worried I might have had some hidden users,
But guessing as I only found 1 admin then we’re good, happy days and time to move to a new host.. And just thankful this is just a dev site.. Now to find out how the hell it got hacked, I’m not holding out that I will find out though.
You are great! This was the answer + tutorial I was looking for sooo long 🙂 Big thanx from a WordPress security nerd.
Luis Zarza says
Thanks man, great post.
Probably a silly question, but it has me stumped. What does “And now to the callback” mean?
Jim Walker says
Here you go: