If you’ve ever logged in to your WordPress dashboard and noticed unknown admin accounts, you may be a victim of a WordPress Admin Hack. Even more alarming is when these admin accounts reappear after being deleted—or worse, continue to show up despite deleting the wp-admin folder itself.
This isn’t just a glitch. It’s a sign that your website has been compromised.
In this article, we’ll explore how unauthorized admin users are created in WordPress, the risks they pose, and how you can fix and prevent this serious security threat.
⚠️ What Is Unauthorized Admin Creation in WordPress?

Unauthorized Admin Creation in WordPress means someone is able to generate administrator accounts without your permission. These accounts give full access to your site and can:
- Steal or alter data
- Install malware or spam scripts
- Redirect visitors to malicious sites
- Take full control of your WordPress backend
Even if you delete the account or the wp-admin folder, these accounts can keep returning—because the problem lies deeper than what meets the eye.
🧠 Why Deleting wp-admin Doesn’t Help
The wp-admin folder only contains the admin dashboard interface. The real WordPress functionality—including user creation and login logic—resides in:
- wp-includes/
- wp-content/
- index.php
- wp-config.php
So, deleting wp-admin doesn’t stop PHP code or backend access. Hackers can inject scripts elsewhere in your WordPress core files or database that recreate admin users automatically.
🕵️♂️ How Hackers Create Admin Users Without Your Permission
Let’s look at the most common methods hackers use to create unauthorized admin accounts:
🔁 1. Backdoor PHP Scripts
Hackers upload malicious files (often hidden inside /wp-content/uploads/ or a theme folder) containing code like:
wp_create_user('hackeradmin', '123456');
Or they modify existing files (like functions.php) to run this code automatically.
🔌 2. Compromised Plugins or Themes
Using nulled (pirated) or outdated plugins/themes often comes with preloaded backdoors. These files silently create admin accounts on install or when triggered via a hidden link.
🧪 3. Database Injection
Hackers can directly insert a user into the WordPress database using SQL. For example, they add a row in the wp_users table with the role set as administrator.
📅 4. WordPress Cron Jobs
Some malware sets up fake cron jobs (scheduled tasks) that recreate admin accounts every few hours—even if you delete them.
🌐 5. Hosting or Server Vulnerabilities
If your hosting account or cPanel is compromised, attackers can upload PHP shells or scripts that modify your WordPress files or database directly.
🔍 How to Detect WordPress Admin Hacks
Here are warning signs to look out for:
- Unknown admin accounts appear repeatedly
- Files like functions.php, wp-config.php, or .htaccess contain strange code
- Suspicious files in /uploads/ like tmp.php, shell.php, etc.
- Google flags your website as “deceptive”
- Login page redirects or behaves strangely
Use plugins like Wordfence, Sucuri, or MalCare to scan for malware.
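The file-based warning signs above can also be checked mechanically. The following Python sketch is an added example, not part of the original article: it walks wp-content/ and reports PHP files under uploads/ plus any PHP file containing the eval(base64_decode( or wp_create_user( patterns shown in this article. The tree created by build_sample_site is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from this article; extend the list for your own site.
PATTERNS = {
    "eval(base64_decode": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "wp_create_user call": re.compile(rb"\bwp_create_user\s*\(", re.I),
}
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}

def scan(wp_root):
    """Return (relative_path, reason) findings for PHP files under wp-content/."""
    root = Path(wp_root)
    findings = []
    for path in sorted((root / "wp-content").rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        # Media uploads should never contain executable PHP.
        if rel.startswith("wp-content/uploads/"):
            findings.append((rel, "PHP file in uploads"))
        data = path.read_bytes()
        for reason, rx in PATTERNS.items():
            if rx.search(data):
                findings.append((rel, reason))
    return findings

def build_sample_site(base):
    """Constructed sample tree (harmless contents) used to exercise scan()."""
    files = {
        "wp-content/uploads/2024/05/tmp.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "wp-content/uploads/2024/05/photo.jpg": "not really a jpeg",
        "wp-content/themes/your-theme/functions.php": "<?php wp_create_user('hackeradmin', '123456');",
        "wp-content/themes/your-theme/index.php": "<?php get_header(); ?>",
    }
    for rel, body in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan(build_sample_site(tmp)):
            print(f"{reason:22} {rel}")
```

Legitimate plugins also call wp_create_user, so treat each finding as a file to open and read, not as proof of compromise.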
🛠️ How to Remove Unauthorized Admin Users and Fix the Hack
Here’s a step-by-step guide to clean your site:
✅ Step 1: Backup Everything
Before doing anything, create a full backup (files + database) using a plugin or your hosting panel.
✅ Step 2: Delete Unknown Admins
Go to:
- phpMyAdmin → wp_users
- Delete users you don’t recognize
- Also check wp_usermeta and remove entries with suspicious wp_capabilities
✅ Step 3: Scan with Security Plugins
Install one of these:
Run a full scan to detect:
- Infected files
- Suspicious code
- Malware injections
✅ Step 4: Manually Check Critical Files
Open and inspect these files:
- wp-config.php
- .htaccess
- /wp-content/themes/your-theme/functions.php
Look for unfamiliar PHP code or base64-encoded strings like:
eval(base64_decode("aWYoJGVycm9yX2dldF9sYXN0KCkpIHsg..."));
✅ Step 5: Replace Core WordPress Files
- Download a fresh copy of WordPress
- Delete all files except wp-content/ and wp-config.php
- Upload and overwrite the remaining core files
✅ Step 6: Change All Passwords
Change your:
- WordPress admin password
- cPanel or FTP passwords
- MySQL database password (and update in wp-config.php)
✅ Step 7: Enable Protection
- Enable Two-Factor Authentication (2FA)
- Hide the login URL with a plugin like WPS Hide Login
- Disable file editing from the dashboard:
define('DISALLOW_FILE_EDIT', true);
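For Step 2, note that the administrator role is not a column in wp_users; WordPress stores it as a PHP-serialized value under the wp_capabilities key in wp_usermeta. The Python example below is added here (it is not from the original article) and audits exported rows against a list of logins you approve. The sample rows and the approved list are constructed, and the wp_ table prefix is an assumption that your install may override.

```python
import re

# One entry of a PHP-serialized capabilities array: s:<len>:"<role>";b:<0|1>;
ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

def granted_roles(meta_value):
    """Return roles/capabilities set to true in a wp_capabilities value."""
    return {name for length, name, flag in ENTRY.findall(meta_value)
            if flag == "1" and int(length) == len(name.encode())}

def audit_admins(users, usermeta, approved, prefix="wp_"):
    """Return (user_id, login, reason) for every unapproved administrator."""
    logins = {u["ID"]: u["user_login"] for u in users}
    findings = []
    for row in usermeta:
        # The key carries the table prefix, e.g. wp_capabilities.
        if row["meta_key"] != prefix + "capabilities":
            continue
        if "administrator" not in granted_roles(row["meta_value"]):
            continue
        login = logins.get(row["user_id"])
        if login is None:
            findings.append((row["user_id"], None, "orphaned admin capability row"))
        elif login not in approved:
            findings.append((row["user_id"], login, "administrator not approved"))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample rows, shaped like an export of wp_users and wp_usermeta.
ADMIN = 'a:1:{s:13:"administrator";b:1;}'
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner"},
    {"ID": 2, "user_login": "anna"},
    {"ID": 7, "user_login": "hackeradmin"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": ADMIN},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": ADMIN},
    {"user_id": 9, "meta_key": "wp_capabilities", "meta_value": ADMIN},  # no wp_users row
    {"user_id": 7, "meta_key": "nickname", "meta_value": "hackeradmin"},
]

if __name__ == "__main__":
    for finding in audit_admins(SAMPLE_USERS, SAMPLE_USERMETA, {"siteowner"}):
        print(finding)
```

The orphaned case is what remains when a user is deleted from wp_users in phpMyAdmin but its wp_usermeta rows are left behind.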
🧱 How to Prevent Future WordPress Admin Hacks
- Never use pirated themes/plugins
- Keep WordPress core, plugins, and themes updated
- Install a trusted security plugin
- Use SSL (https)
- Change login URL from /wp-login.php to something unique
- Limit login attempts with brute force protection
- Use reliable hosting with malware scanning
🧾 Final Thoughts
A WordPress Admin Hack can silently destroy your website’s security, SEO, and reputation. If admin users are being created without your consent, the problem is deeper than just wp-admin. It involves backdoors, malicious code, and database manipulation.
To stop unauthorized admin creation in WordPress, you need to:
- Scan thoroughly
- Clean infected files
- Reinforce your defenses
The key is regular maintenance, timely updates, and good hosting.