You may have already heard that sites running out-of-date versions of WordPress have been under attack (Lorelle, Weblog Tools Collection, WordPress Dev Blog). Sites running the latest version of the software seem to be safe, which once again takes us back to what I said over a year ago: upgrade or else! I haven’t seen complete details yet about how this new worm works, but reports say that part of the hack is to create a new Administrator-level account and then try to hide the existence of that account (via JavaScript) when you view your list of users.
Because the hiding happens in the admin screen rather than in the data, the sure-fire way to make sure there are no “extra” administrator accounts registered in your blog is to go straight to the source: your MySQL database. The following SQL query, run against your WordPress database, will show you all users who have the Administrator role:
SELECT u.ID, u.user_login
FROM wp_users u, wp_usermeta um
WHERE u.ID = um.user_id
AND um.meta_key = 'wp_capabilities'
AND um.meta_value LIKE '%administrator%';
Advanced users can run this directly in the command-line MySQL client, or you can do it from phpMyAdmin by selecting your WordPress database and then going to the ‘SQL’ tab to run the query. If you use something other than the standard ‘wp_’ prefix for your table names, make the appropriate change in the query (three occurrences: the two table names and the ‘wp_capabilities’ meta_key, which carries the same prefix).
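As an added worked example (not part of the original post), here is a Python script that builds an in-memory SQLite stand-in for the wp_users and wp_usermeta tables, runs the query above with the table prefix parameterised, and then parses the PHP-serialized capability value so that a row which merely contains the string ‘administrator’ (for example a role flag explicitly set to false) is not reported as an admin. The users, capability values and prefixes are all constructed for illustration; the final function compares what the database says against the list of administrators you expect, which is the “extra account” check the post is after.

```python
import re
import sqlite3

# Constructed sample data, not rows from any real site. User 4 stands in for the
# kind of extra Administrator account the worm reportedly adds; user 3 carries an
# 'administrator' entry whose flag is false, which a bare LIKE test still matches.
SAMPLE_USERS = [
    (1, "alice"),
    (2, "bob"),
    (3, "carol"),
    (4, "admin_tmp"),
]
SAMPLE_CAPABILITIES = [
    (1, 'a:1:{s:13:"administrator";b:1;}'),
    (2, 'a:1:{s:6:"editor";b:1;}'),
    (3, 'a:1:{s:13:"administrator";b:0;}'),
    (4, 'a:1:{s:13:"administrator";b:1;}'),
]

# The post's query with the prefix substituted in all three places (both table
# names and the meta_key) and an ORDER BY so the result order is stable.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, um.meta_value
FROM {p}users u, {p}usermeta um
WHERE u.ID = um.user_id
  AND um.meta_key = '{p}capabilities'
  AND um.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""

# WordPress stores roles as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
CAP_RE = re.compile(r's:\d+:"([^"]*)";(?:b|i):(\d+);')


def check_prefix(prefix):
    """Only allow prefixes that are safe to splice into SQL identifiers."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix must be letters, digits or underscores")
    return prefix


def build_sample_db(prefix="wp_"):
    """Create an in-memory SQLite stand-in for the two WordPress tables."""
    check_prefix(prefix)
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    con.execute(f"CREATE TABLE {prefix}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    con.executemany(f"INSERT INTO {prefix}users VALUES (?, ?)", SAMPLE_USERS)
    con.executemany(
        f"INSERT INTO {prefix}usermeta VALUES (?, ?, ?)",
        [(uid, prefix + "capabilities", caps) for uid, caps in SAMPLE_CAPABILITIES],
    )
    return con


def granted_roles(serialized):
    """Roles whose flag is true in a serialized wp_capabilities value."""
    return {name for name, flag in CAP_RE.findall(serialized) if flag != "0"}


def find_admins(con, prefix="wp_", strict=True):
    """Run the post's query; with strict=True also parse the serialized value so
    only accounts that actually hold the administrator role are returned."""
    rows = con.execute(ADMIN_QUERY.format(p=check_prefix(prefix))).fetchall()
    if strict:
        rows = [r for r in rows if "administrator" in granted_roles(r[2])]
    return [(uid, login) for uid, login, _ in rows]


def unexpected_admins(con, known_logins, prefix="wp_"):
    """Administrator logins that are not on the list you expect to see."""
    return [login for _, login in find_admins(con, prefix) if login not in known_logins]


if __name__ == "__main__":
    db = build_sample_db()
    print("LIKE only :", find_admins(db, strict=False))
    print("strict    :", find_admins(db))
    print("unexpected:", unexpected_admins(db, {"alice"}))
```

Against a real site you would point the same query at MySQL instead of the SQLite stand-in; the point of the strict pass is that the serialized array, not the substring match, is what WordPress actually consults when deciding who is an administrator, and nothing done in the Users screen’s JavaScript can change what is stored in that row.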