You may have already heard that sites running out-of-date versions of WordPress have been under attack (Lorelle, Weblog Tools Collection, WordPress Dev Blog). Of course, sites running the latest version of the software seem to be safe, which once again takes us back to what I said over a year ago: Upgrade or else! I haven’t seen complete details yet about how this new worm works, but reports say that part of the hack is to create a new Administrator level account, and then try to hide the existence of that account (via javascript) when you view your list of users.
If you want a sure-fire way to make sure there are no “extra” administrator accounts registered in your blog, I suggest going straight to the source: your MySQL database. The following SQL query, run against your WordPress database will show you all users who have the Administrator role:
-
SELECT u.ID, u.user_login
-
FROM wp_users u, wp_usermeta um
-
WHERE u.ID = um.user_id
-
AND um.meta_key = 'wp_capabilities'
-
AND um.meta_value LIKE '%administrator%';
Advanced users can run this directly in the command-line MySQL client, or you can do it from phpMyAdmin by selecting your WordPress database and then going to the ‘SQL’ tab to run the query. If you use something other than the standard ‘wp_‘ prefix for your table names, make the appropriate change in the query (three occurrences).
Related posts:
- WordPress 2.6.2 Release
"As most of you have probably already seen in your Dashboard, yesterday afternoon saw the official WordPress 2.6.2 Release. And as mentioned in the comments..." - Efficient permalink strategies for WordPress
" Over the past several days, there has been an interesting discussion on the wp-testers mailing list (though, it really belonged on the wp-hackers list,..." - WordPress Security Update
" We were recently notified of a SQL injection bug in the WordPress code. Matt patched the code and updated the archive on the downloads..." - WordPress Security
" Last week, some reports came out about security bugs in WordPress. The development team has been working to clean these up, and a WordPress..." - Snoopy PHP Webclient Security
" There is a security advisory out regarding a Snoopy PHP Webclient vulnerability. Since WordPress uses Snoopy internally, we immediately double-checked to be sure that..."
17 Comments
Thanks for posting that query. I host blogs for others and because they’re infrequent bloggers, they rarely update. I updated their blog from 2.6.1 today to 2.8.4 and with your query, I verified that, luckily, they were safe.
I tried to copy and paste the query directly but it had the line numbers copied in, so here it is in a single line: SELECT u.ID, u.user_login FROM wp_users u, wp_usermeta um WHERE u.ID = um.user_id AND um.meta_key = ‘wp_capabilities’ AND um.meta_value LIKE ‘%administrator%’;
Thanks again.
Yeah, sorry about the formatting. I didn’t realize until too late that the syntax highlighter plugin that I’m using turns the code into a list in order to get the ability to (optionally) display line numbers.
Thanks for the quick tip!
Once I heard of it, I run to backup my databases and then all I wanted to know was how to find out if I was attacked.
Well, my sites have only 1 user, and I saw it right from phpmyadmin
I’m gonna update some plugins and then upgrade my other site.
Hey Dougal, thnx for sharing this. I just wanted to ask you that, besides running this query, would viewing the users table confirm the same thing. Or Running the query would do the trick
Muhammad,
Dougal’s SQL query shows you data from two tables simaltaneously. You will not see user right’s level from the single wp_users table. You need additionally check wp_user_meta table for admin right of every wp_users table record with the same id. To make it mannually when you have a lot of users is very time consuming, right? That’s why you need the query here.
Thanks for the information Dougal,
I’m somewhat new to wordpress, and blogging in general. Shortly after I put my blog online there was a new version available. I have a tendency to hold off on upgrades with the “If it ain’t broke, don’t fix it” attitude, but this time something told me the upgrade was a wise move.
Thanks again for the support.
~ Orion
I set up a new WP site 2 weeks ago and immediately upgraded to 2.8.4. Unfortunately, hackers got in anyway, set up a new front page and used that as a coverup to set up 2 bank phishing directories deep in the admin and plugins directories. The site has been redone and is, hopefully, more secure.
Today, after reading about the new worm, I searched the rest of the sites I manage (which had all been upgraded to 2.8.4 last week) and found one small one had 2 admin accounts that were visible and 4 that were hidden (visible for about 1/2 second and then gone). I did not readily have the database password to get rid of the bogus admins and didn’t want to wait until I could get to my second office to find the info. I deleted all files, set up a new database, and reinstalled WP. Now there’s just 1 admin, me.
I appreciate every alert that comes out. This one I wouldn’t have caught.Pat
From what I have read in the wordpress link above, this is a very serious hack job because the hacker manages to insert spam (hidden links) into your old post.
When my blog was hacked the hacker inserted hidden links only in the footer and cleaning that wasnt a big problem. I just removed the old install and installed a fresh one. If you have a blog with 1000 plus post and all of them are infected you might have big problem in your hands.
The big problem is when google discovers the spam links, you will be slapped with a penalty and your blog de-indexed until you clean up.
Hello! Thank you so much for this post. I actually found a bunch of users in one of my sites that weren’t supposed to be My webhost warns me that more than 150 emails are being sent per hour, so this issue is somehow affecting my email account by sending emails automatically via my website.
Could someone please tell whether I should do anything other than delete these users in order to stop sending spam involuntarily? Thank you!!
Hmm, interesting. I found a weird username: ‘WordPress’, with admin capabilities and invisibility. Does anybody else have one like this?
I found one site that had a username of WordPress, and another that had a username of ‘admine’
I’ve seen the WordPress user twice now, and now also admins and adminj. wondering if they start with WordPress and then add additional items . . .
Thank you for the query
I found one invisible administrator on my database. I deleted directly on the database.
A thankfull french blogger.
Thanks for pointing this out. I will make a search asap and check even though I am using the latest version of wordpress.
Thanks for pointing this out. I will make a search asap and check even though I am using the latest version of wordpress.
Thank you for tips. I run checking for my own site. It’s OK, cos I just built it 5 mins ago. Thanks
I would like to say thanks for sharing such a nice post. I ‘ll try to check out it.
17 Trackbacks
[...] This post was recently mentioned on Twitter by Amanda Lauter (http://twitter.com/lauter), who said: RT @dougal: New blog post: Checking Your WordPress Security http://bit.ly/xHYrS [this guy knows his stuff - check it out]. [...]
[...] a lot of registered users, you'll want to list out administrators and make sure they're all legit. Dougal Campbell has more details on this. Share this [...]
[...] Dougal Campbell’s Blog Categories : Misc, News Tags [...]
[...] there is any extra admin account for your WordPress account or not. This can be done through a simple SQL query. You need to run this query against your MySQL WordPress DB. There are a couple of ways to run this [...]
[...] Campbell had a good post, Checking Your Wordpress Security, that talks about how to find the current list of accounts having administrative privileges in your [...]
[...] [via Dougal Campbell] [...]
[...] également la requête SQL proposée par Dougal sur son blog. ( dougal.gunters.org [...]
The Great WordPress Attack of 2009: My Thoughts…
On Friday reports began surfacing around the Internet that a new worm was attacking a large number of WordPress installations. It was soon discovered that the problem is a cross-script attacking vulnerability that was ……
[...] got the latest security patch, but a useful tip in this post about running SQL queries direct from [...]
[...] Checking Your Wordpress Security by Dougal Campbell [...]
[...] FORGET to backup your mysql and your files – if you still want to dig deeper and check your db, use this tutorial Share and [...]
[...] Checking Your WordPress Security [...]
[...] and want to be sure that you haven’t fallen prey to the worm’s threat, you can use the query Dougal Campbell has posted to check your wp_users table for administrators. Check the results of [...]
[...] sollte man in phpMyAdmin entweder in der Userdatenbank nachschauen oder einfach folgendem Tipp von Dougal Campell folgen und diese SQL Abfrage laufen [...]
[...] sollte man in phpMyAdmin entweder in der Userdatenbank nachschauen oder einfach folgendem Tipp von Dougal Campell folgen und diese SQL Abfrage laufen [...]