WordPress Unknown Admin User Created by Hacker
WordPress Fix Guide

WordPress Hacker Changed Admin Email, URL & Password Fix

Expert fix — from $80
Response in 2 min
No fix, no charge

Immediate Fix Steps: Regain Control Now

Your WordPress site is compromised, and critical settings have been altered – let's get you back in control immediately. Follow these steps precisely to revert the unauthorized changes.

1

Establish Direct Database Access

Before you can fix anything, you need direct access to your WordPress database. This is usually done via phpMyAdmin in your hosting control panel (cPanel, Plesk, etc.) or by connecting via SSH and using a command-line client like MySQL CLI. Ensure you have your database credentials (database name, username, password) from your wp-config.php file.

// Locate your database credentials in wp-config.php
define( 'DB_NAME', 'your_database_name' );
define( 'DB_USER', 'your_database_user' );
define( 'DB_PASSWORD', 'your_database_password' );
define( 'DB_HOST', 'localhost' ); // Or your specific database host

Time Estimate: 5-10 minutes. Safety Note: Be extremely careful when editing the database directly. Always make a backup first if possible.

2

Force Reset Your Administrator Password

The hacker likely changed your admin password. You can force a reset directly in the database. Navigate to the wp_users table (your table prefix might be different, e.g., wp_123_users). Find your administrator user (usually ID=1 or the username you typically use). Edit the user_pass field. Instead of entering the password directly, you need to hash it. In phpMyAdmin, select the MD5 function from the dropdown next to the user_pass field and then type your new password into the value field. Alternatively, use MySQL's PASSWORD() function.

UPDATE `your_db_name`.`wp_users` SET `user_pass` = MD5('YourNewStrongPassword') WHERE `user_login` = 'your_admin_username';

-- Or using MySQL's PASSWORD() function (more secure for some setups)
UPDATE `your_db_name`.`wp_users` SET `user_pass` = PASSWORD('YourNewStrongPassword') WHERE `user_login` = 'your_admin_username';

Time Estimate: 2-5 minutes. Safety Note: Choose a strong, unique password immediately. Do not reuse old passwords.

3

Revert Changed Admin Email Address

A common tactic is for a wordpress hacker changed admin email to prevent you from receiving password reset links. You need to update both the individual user's email and the site's general admin email. In the wp_users table, find your administrator user and update the user_email field to your correct email address. Then, in the wp_options table, find the option name admin_email and set its option_value to your correct email. There might also be a pending _new_admin_email option, which you should delete or set to your correct email.

UPDATE `your_db_name`.`wp_users` SET `user_email` = 'your_correct_email@example.com' WHERE `user_login` = 'your_admin_username';
UPDATE `your_db_name`.`wp_options` SET `option_value` = 'your_correct_email@example.com' WHERE `option_name` = 'admin_email';
DELETE FROM `your_db_name`.`wp_options` WHERE `option_name` = '_new_admin_email'; -- If a pending change exists

Time Estimate: 3-7 minutes. Safety Note: This bypasses WordPress's email confirmation, so ensure the email is correct.

4

Correct Site URL Settings

If the wordpress hacker changed site url, your site might be redirecting to a malicious domain or simply not loading correctly. In the wp_options table, locate option_name entries for siteurl and home. Ensure their option_value fields are set to your correct WordPress installation URL (e.g., https://yourdomain.com). If your site is loading but redirecting, this is a critical fix.

UPDATE `your_db_name`.`wp_options` SET `option_value` = 'https://yourdomain.com' WHERE `option_name` = 'siteurl';
UPDATE `your_db_name`.`wp_options` SET `option_value` = 'https://yourdomain.com' WHERE `option_name` = 'home';

Time Estimate: 2-5 minutes. Safety Note: Incorrect URLs can break your site entirely. Double-check for trailing slashes or incorrect protocols (http vs. https).

5

Identify and Remove Unauthorized Admin Users

Often, a hacker will create new administrator accounts to maintain access. Check the wp_users table for any unfamiliar usernames. Then, cross-reference with the wp_usermeta table, looking for entries where meta_key is wp_capabilities (or your_prefix_capabilities) and meta_value contains administrator. If you find any unauthorized users, delete them from both wp_users and wp_usermeta. For a deeper dive into this specific issue, refer to our guide on WordPress Unknown Admin User Created by Hacker.

SELECT ID, user_login, user_email FROM `your_db_name`.`wp_users`; -- Identify all users

-- To delete an unauthorized user (replace 'hacker_user' and ID):
DELETE FROM `your_db_name`.`wp_users` WHERE `user_login` = 'hacker_user';
DELETE FROM `your_db_name`.`wp_usermeta` WHERE `user_id` = 'HACKER_USER_ID';

Time Estimate: 5-10 minutes. Safety Note: Be absolutely certain you are deleting the correct user. Deleting your own admin account will lock you out.

6

Scan for Persistent Backdoors and Malware

Changing settings is a symptom, not the root cause. The hacker gained access through a vulnerability and likely left behind a backdoor to regain access. This is why you're seeing wordpress unauthorized changes to site settings. You need to perform a thorough scan of your file system for malicious code, webshells, and backdoors. Common places to check include wp-content/themes/your-theme/functions.php, wp-content/plugins/, wp-includes/, and even wp-config.php. Look for unfamiliar files, obfuscated PHP code (e.g., eval(base64_decode(...))), or files with recent modification dates that you didn't touch. For more detailed instructions on finding and removing these, see our guides on WordPress Backdoor Found in Files and WordPress Hackers Keep Getting Back In.

// Example of a common backdoor location
/wp-content/mu-plugins/malicious-plugin.php
/wp-content/uploads/2023/01/shell.php
/wp-includes/pomo/streams.php // Often injected here

// Look for suspicious code patterns in PHP files:
grep -r "eval(base64_decode" /path/to/wordpress
grep -r "shell_exec" /path/to/wordpress

Time Estimate: 30-60+ minutes. Safety Note: This requires technical expertise. Incorrect removal can break your site or leave the backdoor active.

Why Your WordPress Settings Were Changed Without Your Knowledge

Understanding the root cause is crucial to preventing future attacks. When a wordpress hacker changed admin password, email, or URL, it's a clear indicator of a deeper compromise. Here are the most common vectors:

CAUSE 01

Compromised Administrator Credentials

The most direct way for a hacker to alter your settings is by gaining access to an administrator account. This often happens through brute-force attacks on weak passwords, phishing scams, keyloggers, or credential stuffing (where passwords leaked from other services are tried on your site). Once they have your login, they can make any wordpress settings changed without my knowledge.

Most common

CAUSE 02

Vulnerable Plugins or Themes

Outdated or poorly coded plugins and themes are a primary entry point. Exploiting a vulnerability (e.g., SQL injection, arbitrary file upload, cross-site scripting) allows an attacker to execute malicious code on your server. This code can then be used to modify database entries directly, create new admin users (see WordPress Unknown Admin User Created by Hacker), or upload webshells to gain persistent access.

High risk

CAUSE 03

Webshell or Backdoor Upload

Even if credentials are strong and software is updated, an initial breach (perhaps via a zero-day exploit or a different server vulnerability) can lead to a webshell or backdoor being uploaded. These malicious scripts provide a persistent interface for the attacker to execute commands, browse files, and modify your database at will, leading to changes in admin email, URLs, and passwords. Refer to WordPress Backdoor Found in Files for more.

Persistent threat

CAUSE 04

Server-Level Compromise

Less common for WordPress-specific issues, but possible: if your hosting server itself is compromised, an attacker can gain root access or access to your hosting account. From there, they have full control over your files and database, allowing them to make any changes, including WordPress admin settings, without needing to exploit a WordPress vulnerability directly.

Broader impact

How To Prevent Recurrence of Unauthorized WordPress Settings Changes

Fixing the immediate problem is only half the battle. To ensure a wordpress hacker changed site url or other settings doesn't happen again, you need to implement robust security measures.

  • Implement Strong, Unique Passwords and 2FA: Use complex, long passwords for all WordPress users, database users, and hosting accounts. Enable Two-Factor Authentication (2FA) wherever possible, especially for admin accounts.
  • Keep Everything Updated: Regularly update your WordPress core, themes, and plugins. Developers release updates to patch security vulnerabilities. Running outdated software is like leaving your front door unlocked.
  • Harden wp-config.php and File Permissions: Restrict file permissions (e.g., 644 for files, 755 for directories). Add security keys and salts to wp-config.php. Consider disabling file editing from the WordPress admin dashboard.
  • Use a Web Application Firewall (WAF): A WAF (like Cloudflare or Sucuri Firewall) can block malicious requests before they even reach your WordPress installation, preventing many common attack vectors.
  • Regular Security Scans and Monitoring: Implement a reputable security plugin to regularly scan for malware, monitor file changes, and detect suspicious activity.
  • Off-Site Backups: Maintain regular, automated, off-site backups of your entire site (files and database). This ensures you have a clean restore point if an attack ever bypasses your defenses.

Our Process: How WebFixHQ Remediates Compromised WordPress Settings

When you're dealing with a wordpress hacker changed admin email, you need more than just a quick fix – you need a complete cleanup and hardening. Our experienced engineers follow a meticulous process:

  1. Emergency Access & Initial Lockdown: We immediately establish secure access to your hosting environment and database, then implement temporary measures to prevent further damage while we work.
  2. Comprehensive Malware & Backdoor Scan: We utilize proprietary scanning tools and manual inspection to locate every piece of malicious code, webshell, and backdoor. This includes obscure locations like wp-content/uploads/, theme/plugin directories, and core files.
  3. Database Integrity Audit: We meticulously examine your wp_options, wp_users, wp_posts, and other critical tables for any unauthorized entries, injected spam, or altered settings, including the admin_email, siteurl, and home options.
  4. Core File Verification & Restoration: We compare your WordPress core files against official checksums to identify any modified or injected files. We then restore clean versions without affecting your content.
  5. Vulnerability Identification & Patching: We pinpoint the exact vulnerability that allowed the breach (outdated plugin, theme, weak credentials, etc.) and apply the necessary patches or recommend secure alternatives.
  6. User Account Audit & Cleanup: We review all user accounts, remove any unauthorized administrators, and ensure legitimate accounts have strong, unique passwords.
  7. Post-Cleanup Hardening & Monitoring Setup: We implement advanced security measures, including file permission adjustments, wp-config.php hardening, and recommendations for ongoing monitoring to prevent future attacks. This ensures the hackers don't keep getting back in.

Hacker Changed Your WordPress Settings? Get Expert Help.

Our senior engineers will meticulously clean your site, restore settings, and secure it against future attacks.

Fix My Hacked WordPress Site →

Frequently Asked Questions About Hacked WordPress Settings

FAQ

Common questions

What if the hacker changed my admin email and I can't receive password reset links?
If a hacker changed your WordPress admin email, you won't receive password reset emails. The immediate fix is to directly update your email address in the WordPress database via phpMyAdmin, bypassing the email confirmation process. Our guide provides specific SQL commands to achieve this.
How long does it typically take to fix a site where a hacker changed admin settings?
The immediate steps to regain access and revert settings can take as little as 30-60 minutes if you have database access. However, a full cleanup, including finding and removing all backdoors and hardening the site, typically takes 2-4 hours for our engineers, depending on the complexity of the hack.
Can I fix these unauthorized WordPress setting changes myself, or do I need professional help?
You can perform the initial steps to regain access and revert settings yourself if you are comfortable with direct database manipulation. However, identifying and fully removing all backdoors and hardening your site against recurrence requires deep technical expertise. Many users find professional help essential for a complete and lasting fix.
How much does WebFixHQ charge to fix a WordPress site with altered admin settings?
WebFixHQ offers transparent, fixed-price services for hacked WordPress sites. Our comprehensive security and malware removal service, which covers issues like altered admin settings, is priced at $80. This includes full cleanup, backdoor removal, and security hardening.
The hacker also deleted content and created new pages. Is that part of this fix?
While this guide focuses on altered admin settings, a comprehensive hack often includes content manipulation. Our full security cleanup service addresses all aspects of a compromise, including restoring deleted content and removing unauthorized pages, as detailed in our guide on WordPress Hacker Modified Files, Deleted Pages, Products and Customer Data.