Title: Admin users created at will with WordPress Last modified: May 10, 2025 --- # Admin users created at will with WordPress * [salescart](https://wordpress.org/support/users/codeaholic/) * (@codeaholic) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/) * How can an admin user be created at will within wordpress. I have even deleted wp-admin and still wordpress admins keep getting added. How is this possible? * ![](https://wordpress.org/0b9f9e37-0d6d-494f-a098-a051fef72a40) Viewing 12 replies - 1 through 12 (of 12 total) * Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/) * (@sterndata) * Volunteer Forum Moderator * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18459798) * It looks like you haven’t clean up the prior hacks on your site. Given your history, I suspect there’s a weakness in your hosting setup. * [Md Asadullah Galib](https://wordpress.org/support/users/asadullah96/) * (@asadullah96) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18459799) * Hi [@codeaholic](https://wordpress.org/support/users/codeaholic/), * If you delete the “wp-admin”, WordPress still stores all of its users and their capabilities in the database. And someone having database expertise may insert the user manually. * Are you getting unknow users on the site? Are they are created without your concern? * Would you like to share more details? Specially if you share use-cases, it would be easy to share the solutions. Let us know, if you need more helps. Regards * Thread Starter [salescart](https://wordpress.org/support/users/codeaholic/) * (@codeaholic) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18459804) * I’m running the wordfence plug-in which verifies everything is cleaned up and repairs all files. I also deleted all of the WordPress extra folders and had them all reinstalled. * Moderator [threadi](https://wordpress.org/support/users/threadi/) * (@threadi) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18459821) * As I recommended here 6 months ago, you should have deleted the project sooner and restored it from a clean backup: [https://wordpress.org/support/topic/hacked-over-and-over-again/#post-18123580](https://wordpress.org/support/topic/hacked-over-and-over-again/#post-18123580) * Because even if you have installed and use WordFence, a hacker can hide from their scans. Since WordFence is installed in the hacked system itself, this would be very easy to do. * Apart from that, as [@sterndata](https://wordpress.org/support/users/sterndata/) wrote, it could also be due to your hosting. You should change all access data there (FTP, database, hosting itself … etc.pp). * Since a lot of time has passed in the meantime, you will probably no longer have clean backups of the project. And if you do, they will be very, very old. I therefore see 2 possibilities for you: - Change the access data in your hosting. Wait some time and check if the hack re-occures. - Find someone who can help you personally to clean up your project. This can be a very time-consuming and sometimes costly process. You can certainly find someone like that here: [https://jobs.wordpress.net/](https://jobs.wordpress.net/) - Delete the project completely and set it up from scratch. You may be able to find old content via [https://web.archive.org](https://web.archive.org). * Thread Starter [salescart](https://wordpress.org/support/users/codeaholic/) * (@codeaholic) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18459833) * I have been restoring from a clean backup EVERY time. The same backup from 2018. I have all the original content including the database backups from 2018. The site starts out clean but it is only a matter of time before it is hacked again. WordPress is very easy to hack. Not only did I start with a backup from 2018, but I deleted all of the wordpress and started with the latest version of wordpress. Then I added WordFence and have run multiple scans including comprehensive scans where it compares files and replaces them. The Wordfence scan is clean. It fact, it is what notified me that someone simply added an admin account. This is all new install of mySQL as well with all updated root username and password. They still walk right into this software like it is hackware. - This reply was modified 1 year, 1 month ago by [salescart](https://wordpress.org/support/users/codeaholic/). * Moderator [threadi](https://wordpress.org/support/users/threadi/) * (@threadi) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18459835) * Then it is probably related to one of the plugins you are using. Which ones have you installed (and not necessarily activated)? Which theme are you using? * Thread Starter [salescart](https://wordpress.org/support/users/codeaholic/) * (@codeaholic) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18460486) * I have been hosting websites longer than wordpress has existed or that the wordpress domain has been registered. I started with FrontPage websites which were never hacked. * I’ve got like 4 WordPress websites on my servers. They are all hacked at will and have been since inception from Day 1 relentlessly through a generation of mySQL, PHP and Microsoft servers, and from virtually no plugins to 5 or 6 plugins. From tight permissions where you can’t even install a plugin or an update to recommended permissions. [https://brudtkuhl.com/blog/wordpress-iis-permissions-updates-permalinks/](https://brudtkuhl.com/blog/wordpress-iis-permissions-updates-permalinks/)**** Mind you nothing else and no other websites have ever been hacked except when someone’s username was compromised or something obvious. It doesn’t matter what I do. These are the current plugins: * ```wp-block-code Ninja FormsNinja Forms is a webform builder with unparalleled ease of use and features.Version 3.10.1 | By Saturday Drive | View detailsSimple Custom CSSAdd CSS | DeactivateThe simple, solid way to add custom CSS to your WordPress website. Simple Custom CSS allows you to add your own styles or override the default CSS of a plugin or theme.Version 4.0.7 | By John Regan | View detailsSimple Disable XML-RPCDeactivate | SettingsSimple Disable XML-RPC is a user-friendly WordPress plugin that empowers website administrators to easily control and secure their site by enabling or disabling the XML-RPC functionality. With a simple toggle switch, this plugin helps protect your WordPress site from potential XML-RPC-related security threats, enhancing your website's overall safety and performance.Version 1.3.5 | By WordPress Satkhira Community | View details Wordfence SecurityUpgrade To Premium(opens in new tab) | DeactivateWordfence Security - Anti-virus, Firewall and Malware ScanVersion 8.0.5 | By Wordfence | View detailsWP Sitemap PageAdd a sitemap on any page/post using the simple shortcode [wp_sitemap_page]Version 1.9.5 | By Tony Archambeau | View details | Settings | DonateSelect WPCode Lite Easily add code snippets in WordPress. Insert scripts to the header and footer, add PHP code snippets with conditional logic, insert ads pixel, custom content, and more.Version 2.2.7 | By WPCode | View details ``` * Moderator [threadi](https://wordpress.org/support/users/threadi/) * (@threadi) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18460491) * The plugins are at least up to date and therefore rather inconspicuous. What are you doing with “Select WPCode Lite”? Does it contain individual PHP code and if so, which code? * Are you using a child theme and if so, does it also contain individual code? * Thread Starter [salescart](https://wordpress.org/support/users/codeaholic/) * (@codeaholic) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18460503) * I have taken a copy of the parent theme,. SKT IT Consultant and created a child theme. Only the smallest of changes to the style sheet to make it look differently. I use code snippets to: * [**Completely Disable Comments**](http://www.comcity.com/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=12574) Everywhere. Because that seems to be another hack in WordPress. Even when you have no “forum” in your website, people can somehow still make comments. Modify the header to add LivePerson support. * Thread Starter [salescart](https://wordpress.org/support/users/codeaholic/) * (@codeaholic) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18460504) * [@asadullah96](https://wordpress.org/support/users/asadullah96/) How are they doing that? * Moderator [threadi](https://wordpress.org/support/users/threadi/) * (@threadi) * [1 year, 1 month ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18460987) * What does this snippet you are using look like? * You can reliably deactivate comments in WordPress without something like this. Firstly, you have to remove the setting under Settings > Discussion. Secondly, deactivate the comments for all posts created up to that point – [there are helpful plugins](https://wordpress.org/plugins/tags/disable-comments/) for this last step that you only need to run once. * > Modify the header to add LivePerson support. * What does this mean? * Again as a hint: due to your often not far-reaching answers, I would again recommend that you look for someone who can look at your project with you personally. This would give someone else the chance to look at the project from a completely different perspective and possibly recognize more quickly where the hacks are coming from. You can find someone like that here, for example: [https://jobs.wordpress.net/](https://jobs.wordpress.net/) * Thread Starter [salescart](https://wordpress.org/support/users/codeaholic/) * (@codeaholic) * [1 year ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18471714) * I already have comments deactivated in settings. The hackers were still adding comments. That’s why the people who originated the plugin originally created it because that feature as well is routinely hacked on WordPress. Like I said I have been doing this for awhile and WordPress is the most hacked piece of software ever created. In fact, at my other job, the security team doesn’t allow WordPress anyone in the agency. With the plugin the comment hacking stopped. Viewing 12 replies - 1 through 12 (of 12 total) The topic ‘Admin users created at will with WordPress’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 13 replies * 4 participants * Last reply from: [salescart](https://wordpress.org/support/users/codeaholic/) * Last activity: [1 year ago](https://wordpress.org/support/topic/admin-users-created-at-will-with-wordpress/#post-18471714) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics