How To Delete Hidden User In Hacked WordPress Site?

How to Delete Invisible WordPress Admin Users

If your WordPress website has been hacked. You must have followed WordPress Hacked instructions to delete the scripts and remove malware from WordPress site. It happens to everyone at some point. You will find a couple of php files uploaded in sneaky places, like in the uploads/folder.

Following the cleanup of a hacked website, You may have noticed more administrators than actual number of those listed in WordPress, these are “hidden or invisible” admin users, the username can be a malicious script. Actually, these invisible WordPress admin users are left-overs and must be removed from WordPress.

On the other hand, you should know that there are different types of WordPress user roles that you can define as a super administrator, administrator, editor, author, contributor, or subscriber. Each role defines the user’s responsibilities within the site. It is very important for you to Track User Activity in WordPress

Here, we are briefly explaining what each one is.

  • Super Admin: is someone with access to blog network management options and who controls the entire network (this user only applies when multiple sites are managed from a single WordPress installation).
  • Administrator: you have access to all the administration options of the web.
  • Editor: you can publish and manage entries and pages, as well as manage the entries and pages of other users.
  • Author: you can publish and manage your own entries only.
  • Contributor: you can write and manage your own entries, but not publish them.
  • Subscriber: You can only manage your own profile.

So far, there is no automatic way to delete these invisible WordPress users. php MyAdmin is needed to remove them. This article will cover How To Remove Hidden Admin Users In WordPress that sometimes remain in the database after a MySQL injection .

Also ReadFix “Are You Sure You Want to Do This” Error in WordPress

removing invisible users in WordPress

Follow below mentioned methods with steps to removing invisible users in WordPress admin:

Steps To Remove/Delete hidden WordPress Admin Users

Delete Invisible WordPress Admin Users

Step 1 – Make a database backup by using Backup plugin

You have invested a lot of time to develop your site and its content. Maybe you even managed to create a nice community around your theme. You may have even created a product that sells well and that has allowed you to quit your job.

Admit it would be embarrassing to lose all this work overnight.

There are many free extensions to backup a WordPress site. To date, the two most popular free solutions are BackWPup and UpdraftPlus. The following tutorial will be based on the latter because it also supports the restoration in case of disaster. Read this detailed post on How to Backup WordPress Database Manually & With Plugins? & Export WordPress Database Via PhpMyadmin.

Updraft Plus

Once the UpdraftPlus extension is installed and activated, open the Settings category of the main WordPress menu and click on UpdraftPlus Backups.

 Updraft Plus backup wordpress plugin

In the UpdraftPlus Settings tab:

Choose an identical backup interval for your site’s files and database. If you update your site once a week, a weekly backup is sufficient.

  • keep 3 backup sets for both types of backup.

In the backup include extensions, themes, sent files and all other directories contained in the wp-content folder.

Enable “sending a report” to receive a report after each backup. This is important to check that everything is running smoothly. In case of disaster, nothing worse than ending up empty-handed while we slept on both ears.

copy the backup to online storage like Dropbox or other Cloud Storage. If your FTP account is hacked, your backups will not be compromised 🙂

At the very bottom of the page, click the blue Save button.

Back WP up

 Back WP up

BackWPup is a plugin that will allow you to transfer your backups to different external services (Dropbox, etc.).

Its 8 million downloads and 600 active installations make it one of the most popular backup plugins.

If you are a beginner, you may be a little disconcerted by the multitude of features available. We think the plugin will be more suited to seasoned and technical profiles that will appreciate some advanced options.

In addition, we would have especially appreciated having less blah-blah to be redirected directly to what interests us, the configuration of the automatic backup.

However, BackWPup remains an excellent plugin for backing up your site under WordPress. You can even go further with the pro version that offers other export destinations, finer options and support.

Also ReadWordPress Malware Removal Checklist 2024

Step 2: Add a new Administrator (user)

This still isn’t fully necessary, but we find it helpful in the scheme of things. Maybe you are still using “Admin” as your username? If that’s the case, this would be a great opportunity to change that to something less guessable.

During a WordPress installation, an “admin” user is automatically created by default. The connection to your blog is done via two fields: the username and password, leaving “admin” as an identifier in the list of users, you leave the door open to hackers, who only have to find the associated password, which very often, is quite easy to find.

Other usernames such as:

Your first name

The name of your dog (or cat)

The brand of your car

The name of your favorite artist

etc.

are also to be avoided because it is too easy to find. A WordPress username should not be simple to find, especially not looking at the names of the article authors. For your safety, try to generate a complex name, and put it in a safe place, so you can find it easily.

Also ReadHow To Change Your WordPress Username

Step – 3: Locate the unwanted users via WordPress Admin panel

Once access your user admin panel do you see unknown Admin users than are showing?

HINT: Check the number in brackets () versus the number of admin users listed.

http://blog.kevindixie.com/wp-content/uploads/2011/11/admin.jpg

  • You need to remove invisible or hidden users. The only way is to go to your PHP MyAdmin and remove them, here is a quick step by step guide:-
  • Firstly, while on the admin panel on WordPress, go to user page and right-click on ‘view source’ – find the following:-
<tbody id="the-list" class='list:user'>

Under this, you will find the users, note down the numbers of the users you know are correct, the number of the user must be in the following order:-

tr id='user-2'
  • Then Go in PHP MyAdmin.

 phpMyAdmin-login

Next from the SQL tab, query this:

select * from wp_usermeta where meta_value LIKE ‘%administrator%’;

and delete the row(s) that don’t match the ID# you wrote down as per step 1

Once done run a SQL query

select * from wp_usermeta where meta_key=’wp_user_level’ AND meta_value=’10’

and delete the row(s) that don’t match your ID# you wrote down on previously.

This is it, refresh the Users page and the invisible Admin should have disappeared.

  • Login to phpMyAdmin

The easiest way to reset your WordPress password is through phpMyAdmin. It is a tool written in PHP to handle the administration of MySQL through web pages, using the Internet. This tool is in the hosting command panel.

Once you access phpMyAdmin, you will find the username and password for your phpMyAdmin by viewing the text within your wp-config.php file.

 wp-config.php-user-pass - Remove hidden WordPress Administrators

Log in and look for the database in the left column and click it once.

After the click, it will reveal a list of tables.

We only care about two following tables:

  • wp_usermeta,
  • and wp_users

Click on wp_users table link and you’ll see something like this:

 remove invisible WordPress users

These given numbers in the User ID column are very important. Note how one is 2 and the other is 101011. These are good users of in your WordPress. Hint: “Remember this before performing any method.”

Then perform a database query to identify the invisible users. Click the SQL tab.

From here, copy/paste the text below into the box and click the “Go” button.

select *from wp_usermeta where meta_value LIKE '%administrator%';

This will do a quick search for all currently set administrator users.

https://hackrepair.com/wp-content/uploads/2016/05/invisible-users.png

And now to the callback. After searching, you will notice the extra users by some unknown username.

https://hackrepair.com/wp-content/uploads/2016/05/invisible-users.png

Now delete the unknown users by clicking the big red X next to each bad user to remove it completely from the root.

If you follow everything exactly as described above, you’ll see something like this when you refresh your WordPress dashboard Users list:

That’s it.

How to Remove users from your WordPress with MySQL?

To end annoying spam users is by directly accessing the database of the WordPress, for this we will have to enter the SQL console and execute the following queries or codes that will help us eliminate bot users, inactive users, and all that does nothing but hinder our site.

DELETE FROM wp_users WHERE ID> 1 AND ID NOT IN (SELECT DISTINCT post_author FROM wp_posts) AND ID NOT IN (SELECT DISTINCT user_id FROM wp_comments);
DELETE FROM wp_usermeta WHERE user_id> 1 AND user_id NOT IN (SELECT DISTINCT post_author FROM wp_posts) AND user_id NOT IN (SELECT DISTINCT user_id FROM wp_comments);
DELETE FROM wp_links WHERE link_owner> 1 AND link_owner NOT IN (SELECT DISTINCT post_author FROM wp_posts) AND link_owner NOT IN (SELECT DISTINCT user_id FROM wp_comments);

With this code you can eliminate thousands of hidden spam users very easily by simply entering them into the WordPress SQL console, it is an extremely fast, simple and effective method, in this way you will not have to delete them one by one or from the control panel.

Although if your WordPress site does not have many registered users, it will not be a problem to delete them manually, so this code is ideal for large sites with thousands of users.

So if you want to get rid of annoying users who only leave spam, first try to avoid them so you don’t have to fight them, try to use all the tools and scanners (try our wordpress security scanner below) you can so that bots are quickly detected and fail to meet their malicious objectives, and If the precautionary measures are not enough to prevent them from entering your WordPress, it will be time to eliminate them.

wordpress-security-scan-for-malwareRemember that there are different WordPress security plugins that will help you identify the illegal users, those that are bots, remove them from your site and block them permanently so you don’t have to deal with them again.


WordPress Errors Troubleshooting Tutorials:
24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)