If you’ve ever logged in to your WordPress dashboard and noticed unknown admin accounts, you may be a victim of a WordPress Admin Hack. Even more alarming is when these admin accounts reappear after being deleted—or worse, continue to show up despite deleting the wp-admin folder itself.

This isn’t just a glitch. It’s a sign that your website has been compromised.

In this article, we’ll explore how unauthorized admin users are created in WordPress, the risks they pose, and how you can fix and prevent this serious security threat.


⚠️ What Is Unauthorized Admin Creation in WordPress?

Unauthorized Admin Creation in WordPress means someone is able to generate administrator accounts without your permission. These accounts give full access to your site and can:

  • Steal or alter data
  • Install malware or spam scripts
  • Redirect visitors to malicious sites
  • Take full control of your WordPress backend

Even if you delete the account or the wp-admin folder, these accounts can keep returning—because the problem lies deeper than what meets the eye.


🧠 Why Deleting wp-admin Doesn’t Help

The wp-admin folder only contains the admin dashboard interface. The real WordPress functionality—including user creation and login logic—resides in:

  • wp-includes/
  • wp-content/
  • index.php
  • wp-config.php

So, deleting wp-admin doesn’t stop PHP code or backend access. Hackers can inject scripts elsewhere in your WordPress core files or database that recreate admin users automatically.


🕵️‍♂️ How Hackers Create Admin Users Without Your Permission

Let’s look at the most common methods hackers use to create unauthorized admin accounts:


🔁 1. Backdoor PHP Scripts

Hackers upload malicious files (often hidden inside /wp-content/uploads/ or a theme folder) containing code like:

wp_create_user('hackeradmin', '123456');

Or they modify existing files (like functions.php) to run this code automatically.


🔌 2. Compromised Plugins or Themes

Using nulled (pirated) or outdated plugins/themes often comes with preloaded backdoors. These files silently create admin accounts on install or when triggered via a hidden link.


🧪 3. Database Injection

Hackers can directly insert a user into the WordPress database using SQL. For example, they add a row in the wp_users table and a matching wp_usermeta entry that sets the role to administrator.


📅 4. WordPress Cron Jobs

Some malware sets up fake cron jobs (scheduled tasks) that recreate admin accounts every few hours—even if you delete them.


🌐 5. Hosting or Server Vulnerabilities

If your hosting account or cPanel is compromised, attackers can upload PHP shells or scripts that modify your WordPress files or database directly.


🔍 How to Detect WordPress Admin Hacks

Here are warning signs to look out for:

  • Unknown admin accounts appear repeatedly
  • Files like functions.php, wp-config.php, or .htaccess contain strange code
  • Suspicious files in /uploads/ like tmp.php, shell.php, etc.
  • Google flags your website as “deceptive”
  • Login page redirects or behaves strangely

Use plugins like Wordfence, Sucuri, or MalCare to scan for malware.
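The file-level warning signs above can also be checked with a short script. This is an added example, not code from the original article: it walks a copy of the site and flags PHP files under wp-content/uploads/ plus any PHP file containing the eval(base64_decode(...)) or user-creation calls shown in this article. The function names and the sample tree are assumptions made for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Patterns mirror the code shown in this article; hits are leads for review.
SUSPICIOUS = {
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "creates-user": re.compile(rb"\bwp_(?:create|insert)_user\s*\(", re.I),
}
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}


def scan_wordpress_tree(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        if path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        # Uploads should hold media only, so any PHP file there is a finding.
        if rel.startswith("wp-content/uploads/"):
            findings.append((rel, "php-in-uploads"))
        try:
            data = path.read_bytes()
        except OSError:
            findings.append((rel, "unreadable"))
            continue
        findings.extend((rel, why) for why, rx in SUSPICIOUS.items() if rx.search(data))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (not real site data)."""
    sample = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
        "wp-content/uploads/photo.jpg": b"\xff\xd8\xff",
        "wp-content/uploads/2024/tmp.php": b'<?php eval(base64_decode("ZWNobyAxOw=="));',
        "wp-content/themes/demo/functions.php": b"<?php wp_create_user('x', 'y');",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in sample.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_wordpress_tree(tmp)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why:15} {rel}")
```

WordPress core and legitimate plugins also call wp_create_user and wp_insert_user, so a "creates-user" hit means "read this file", not "this file is malicious".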


🛠️ How to Remove Unauthorized Admin Users and Fix the Hack

Here’s a step-by-step guide to clean your site:


✅ Step 1: Backup Everything

Before doing anything, create a full backup (files + database) using a plugin or your hosting panel.


✅ Step 2: Delete Unknown Admins

Go to:

  • phpMyAdmin → wp_users
  • Delete users you don’t recognize
  • Also check wp_usermeta and remove entries with suspicious wp_capabilities

✅ Step 3: Scan with Security Plugins

Install a security plugin such as Wordfence, Sucuri, or MalCare, and run a full scan to detect:

  • Infected files
  • Suspicious code
  • Malware injections

✅ Step 4: Manually Check Critical Files

Open and inspect these files:

  • wp-config.php
  • .htaccess
  • /wp-content/themes/your-theme/functions.php

Look for unfamiliar PHP code or base64-encoded strings like:

eval(base64_decode("aWYoJGVycm9yX2dldF9sYXN0KCkpIHsg..."));

✅ Step 5: Replace Core WordPress Files

  • Download a fresh copy of WordPress
  • Delete all files except:
    • wp-content/
    • wp-config.php
  • Upload and overwrite the remaining core files

✅ Step 6: Change All Passwords

Change your:

  • WordPress admin password
  • cPanel or FTP passwords
  • MySQL database password (and update in wp-config.php)

✅ Step 7: Enable Protection

  • Enable Two-Factor Authentication (2FA)
  • Hide the login URL with a plugin like WPS Hide Login
  • Disable file editing from the dashboard: define('DISALLOW_FILE_EDIT', true);
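For Step 2, the manual check in phpMyAdmin comes down to one query across wp_users and wp_usermeta. The sketch below is an added example, not code from the original article: it runs that query against constructed sample rows in an in-memory SQLite database and reports administrators that are not on an approved list, including capability rows left behind without a user. The approved login, sample rows and function names are assumptions, and the default wp_ table prefix is assumed.

```python
import sqlite3

# The same SELECT runs in phpMyAdmin; change "wp_" if your tables use another prefix.
ADMIN_QUERY = """
SELECT m.user_id, u.user_login, u.user_registered
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY m.user_id
"""


def unexpected_admins(conn, approved_logins):
    """Return (user_id, login, reason) for admins outside the approved set."""
    flagged = []
    for user_id, login, registered in conn.execute(ADMIN_QUERY):
        if login is None:
            # Admin capability row whose wp_users row is gone: clean up wp_usermeta.
            flagged.append((user_id, None, "orphaned admin capability"))
        elif login not in approved_logins:
            flagged.append((user_id, login, f"unapproved admin, registered {registered}"))
    return flagged


def build_sample_db():
    """Constructed rows in a cut-down copy of the two WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,"
        " user_registered TEXT);"
        "CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,"
        " meta_key TEXT, meta_value TEXT);"
    )
    admin, editor = 'a:1:{s:13:"administrator";b:1;}', 'a:1:{s:6:"editor";b:1;}'
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "siteowner", "2021-03-02 10:00:00"),
        (2, "editor1", "2022-06-11 09:30:00"),
        (7, "hackeradmin", "2025-01-15 03:12:44"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", [
        (1, 1, "wp_capabilities", admin),
        (2, 2, "wp_capabilities", editor),
        (3, 7, "wp_capabilities", admin),
        (4, 9, "wp_capabilities", admin),  # user 9 has no wp_users row
    ])
    return conn


if __name__ == "__main__":
    for row in unexpected_admins(build_sample_db(), {"siteowner"}):
        print(row)
```

Re-running the query after the cleanup, and again a few hours later, shows whether something is still recreating accounts.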

🧱 How to Prevent Future WordPress Admin Hacks

  1. Never use pirated themes/plugins
  2. Keep WordPress core, plugins, and themes updated
  3. Install a trusted security plugin
  4. Use SSL (https)
  5. Change login URL from /wp-login.php to something unique
  6. Limit login attempts with brute force protection
  7. Use reliable hosting with malware scanning

🧾 Final Thoughts

A WordPress Admin Hack can silently destroy your website’s security, SEO, and reputation. If admin users are being created without your consent, the problem is deeper than just wp-admin. It involves backdoors, malicious code, and database manipulation.

To stop unauthorized admin creation in WordPress, you need to:

  • Scan thoroughly
  • Clean infected files
  • Reinforce your defenses

The key is regular maintenance, timely updates, and good hosting.