Was I hacked? Can't log in to Wordpress and weird username
April 30, 2019 2:23 PM

I'm trying to log in to my Wordpress account and it won't recognize my login information. I requested a new password reset and the reset email came to my email address but the username is not me. It says, "Hi PiSh3r" and "username: PiSh3r". That's not me! If I proceed to reset my password am I allowing them some sort of access? How do I safely navigate this? (PiSh3r? WTF really?)
posted by Vaike to Technology (22 answers total) 3 users marked this as a favorite
 
Sounds like somebody swiped the account to me, maybe via credential-stuffing. I'd check haveibeenpwned to see if your login has been compromised by one of the zillions of recent breaches. I'd contact their support folks if possible and let them know what's up.
posted by jquinby at 2:27 PM on April 30, 2019 [2 favorites]


Log in now! Hopefully you still have Administrator role. Delete any users you don't recognize. Change your password.

Is this self-hosted, or wordpress.com?
posted by humboldt32 at 2:40 PM on April 30, 2019


Response by poster: Self hosted. Is it safe to go through to change the password from the email they sent? (I can get into my channel and deleted maggie.valera@gmail.com)
posted by Vaike at 2:50 PM on April 30, 2019


What "they"? The lost password process is generated, and encrypted by WP.

Safe? What choice do you have? (I don't mean that dismissively.)

> I can get into my channel

I'm not sure what you mean by that.

Do you have FTP access to the webspace? When was your last backup?
posted by humboldt32 at 3:02 PM on April 30, 2019 [1 favorite]


Response by poster: Ugh. Sorry, cPanel. "They" was Wordpress, but addressed to "PiSh3r", not "Vaike". That's what made me nervous to click on it and change the password. And thank you, this kind of stuff makes me panic for some reason...
posted by Vaike at 3:06 PM on April 30, 2019


The relevant part here is the email that the reset was sent to. The change in the username is worrisome, but you need to get in there and look to see what you can find. I can't imagine using the reset link would further compromise you.
posted by humboldt32 at 3:13 PM on April 30, 2019


Response by poster: I just looked at the email they sent me to reset my password and it was from my own email and sent to my own email, and takes me to www.mysite.com/my-account/lost-password/?show-reset-form=true. The last password reset I had a year or so ago, which I know was valid, was from donotreply@wordpress.com
posted by Vaike at 3:15 PM on April 30, 2019


Not sure if this is correct or relevant, but my cPanel username was autogenerated and bizarre. I think it was not this way originally, and then at some point it was and I went through something like what you are going through now.
posted by you must supply a verb at 3:18 PM on April 30, 2019


I encourage you to proceed. I just tested one of my sites. The sender is the email entered into the "Admin Email" field on the WP Settings page. The page you end up at is the correct place, nothing fishy there. You're not entering any sensitive info on that form, therefore no risk. Other notices are delivered with "donotreply@" but not these password resets. I think you're not remembering correctly.

Either way, you need to log in and see what's up, and nothing you're running into looks out of place.
posted by humboldt32 at 3:30 PM on April 30, 2019 [1 favorite]


Response by poster: Thank you for holding my hand humboldt32. I changed the password and am in. The only user is 'PiSh3r' with my email address and listed as administrator. Yet if I look at 'your profile' it does say my username. It says usernames cannot be changed. Do I re-add myself and set myself as an admin then delete the other admin (PiSh3r)?

And, again, thank you.
posted by Vaike at 3:45 PM on April 30, 2019 [1 favorite]


You can either add a new admin & delete the existing one (but be sure to attribute the existing content to the new admin before you click "delete") or you can directly change it in the database using phpMyAdmin.

I'd suggest reading the FAQ "My site was hacked". If I were you, I'd install the Wordfence plugin & scan your site.
posted by belladonna at 3:55 PM on April 30, 2019 [3 favorites]


I would create a new account with Administrator privileges and then log out. Log back in with the new administrator and delete the previous user.

That is a bit worrisome about the username differences. Maybe your database has been compromised? Hard to say. Where are you with being up to date with updates to the WP core and plugins?

You might use the plugin Better Search and Replace, and search for Pish3r just to see what turns up.
posted by humboldt32 at 3:57 PM on April 30, 2019


Good advice. I always have WordFence running so I kinda forget about it.
posted by humboldt32 at 3:57 PM on April 30, 2019


Kids these days, I swear.
posted by notquitemaryann at 4:11 PM on April 30, 2019 [3 favorites]


Make sure this script is not still in your WP directory:
https://pastebin.com/60f9qMr7

edit: jinx! We found that at the same time.
posted by belladonna at 4:17 PM on April 30, 2019 [2 favorites]


Once you have logged in, make sure there aren't any plugins or themes that you didn't personally install.
posted by belladonna at 4:21 PM on April 30, 2019


Response by poster: Ok, fingers crossed everything seems to be back to normal. For future reference:

I created a new admin account, with different email address, logged out, had to generate a new password yet again, got back in, deleted PiSh3r, logged out and in again successfully.

I also contacted my hosting, so they can do what they need to do. (and deleted the fake user in my phpMyAdmin)

I searched for PiSh3r and https://pastebin.com/60f9qMr7 with Better Search and Replace, and checked for plugins that I did not install.

I added Wordfence. Any other recommendations for security?

Lastly, I had to use a different email to create an account. Will my WooCommerce, with my original, main email that I've had for 20 years, still be ok? Or would that be compromised now somehow?

Thank you all! (And again, humboldt32)
posted by Vaike at 4:36 PM on April 30, 2019


You can switch your new admin account to use your old email address, now that the original admin has been deleted.

If you use WooCommerce services (linked with Jetpack) go ahead & change that password as well. Check all your payment settings in WooCommerce to make sure the bank account info hasn't been changed.
posted by belladonna at 4:46 PM on April 30, 2019


A couple more small things:

1. In Wordfence, you can change settings to make the brute force protection stronger by auto-banning people who attempt to use usernames such as "admin," "webmaster," etc. as well as lowering the number of incorrect password attempts and raising the temporary ban period after too many incorrect password attempts.

2. For added safety after suspicious behavior, you should also change the salts in your wp-config.php file, which will force logout all currently logged in users (see here for instructions).
posted by p3t3 at 10:27 PM on April 30, 2019 [2 favorites]
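The salt change p3t3 describes in point 2 can be scripted rather than pasted by hand. The following is an added example, not code from the thread or from WordPress itself: it rewrites the eight `define()` lines in a `wp-config.php` with fresh random values (and adds any that are missing), which invalidates every existing login cookie, including any session the intruder still holds. The alphabet used for the values, the `SAMPLE_CONFIG` fragment and the `.bak` handling are this example's own assumptions; the key names are the standard WordPress ones.

```python
import re
import secrets
import string
import sys
from pathlib import Path

# The eight secret keys WordPress reads from wp-config.php. Every login
# cookie and nonce is signed with them, so replacing them logs out every
# session at once, including any the intruder still holds.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Assumed alphabet for the generated values: printable ASCII minus quotes,
# backslash, dollar and backtick, so each value drops straight into a
# single-quoted PHP string without escaping.
_ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{};:,.<>?/|~"

# Matches define('KEY', 'value'); with either quote style and loose spacing.
_DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<key>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)

# Constructed sample wp-config.php fragment; one salt is deliberately left
# out so the "missing key" path below is exercised.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_example');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */
"""


def generate_salt(length: int = 64) -> str:
    """Cryptographically random salt drawn from the assumed alphabet."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def read_salts(config_text: str) -> dict:
    """Current value of each salt define() present in the file text."""
    return {
        m.group("key"): m.group("value")
        for m in _DEFINE_RE.finditer(config_text)
        if m.group("key") in WP_SALT_KEYS
    }


def rotate_salts(config_text: str):
    """Return (rewritten wp-config text, {key: new value}).

    Existing salt defines are replaced in place; any of the eight that are
    missing are inserted before the "stop editing" marker (or appended), so
    the site never falls back to WordPress's placeholder values.
    """
    new_values = {key: generate_salt() for key in WP_SALT_KEYS}
    seen = set()

    def _replace(m):
        key = m.group("key")
        if key not in new_values:
            return m.group(0)  # DB_NAME, WP_DEBUG, ... are left untouched
        seen.add(key)
        return f"define('{key}', '{new_values[key]}');"

    rewritten = _DEFINE_RE.sub(_replace, config_text)
    missing = [k for k in WP_SALT_KEYS if k not in seen]
    if missing:
        block = "\n".join(f"define('{k}', '{new_values[k]}');" for k in missing)
        marker = "/* That's all, stop editing!"
        if marker in rewritten:
            rewritten = rewritten.replace(marker, block + "\n\n" + marker, 1)
        else:
            rewritten = rewritten.rstrip("\n") + "\n" + block + "\n"
    return rewritten, new_values


if __name__ == "__main__":
    # Usage: python rotate_salts.py /path/to/wp-config.php
    # A .bak copy of the original is written before the file is rewritten.
    if len(sys.argv) == 2:
        path = Path(sys.argv[1])
        original = path.read_text(encoding="utf-8")
        path.with_suffix(path.suffix + ".bak").write_text(original, encoding="utf-8")
        updated, _ = rotate_salts(original)
        path.write_text(updated, encoding="utf-8")
        print(f"rotated {len(WP_SALT_KEYS)} salts in {path}")
    else:
        updated, _ = rotate_salts(SAMPLE_CONFIG)
        print(updated)
```

Run it against a copy first and diff the result; after the real rotation everyone, including you, has to log in again, which is exactly the point.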


If someone's been into your Wordpress they might have added a backdoor to get in again. You can try running a search for 'base64' and seeing if there is any suspiciously obfuscated code in your plugins/themes (Wordfence might catch all that already, I'm not sure).
posted by Gordafarin at 2:29 AM on May 1, 2019
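Gordafarin's suggestion of searching for 'base64' works, but a plain grep also flags every legitimate `base64_encode` of an image and misses `eval`, `gzinflate` and friends. The following is an added example, not code from the thread or from Wordfence: a small scanner that walks a directory such as `wp-content`, applies a constructed set of patterns typical of injected PHP, and reports file and line for each hit. The rule list, the two sample PHP fragments and the directory layout in `demo_scan()` are this example's own assumptions; every hit is a lead to read by hand, not proof of compromise.

```python
import re
import sys
import tempfile
from pathlib import Path

# Constructed rule set: constructs legitimate plugin/theme code rarely needs
# but injected backdoors lean on. Tune it to your own codebase.
SUSPICIOUS_PATTERNS = [
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("decompress/rot13", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("variable function on request data",
     re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    ("hex-escaped string", re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")),
]

# Constructed benign sample: uses base64_encode legitimately, so a naive
# grep for "base64" would flag it while this scanner does not.
BENIGN_PHP = """<?php
/* Plugin Name: Example (constructed benign sample) */
add_action('init', function () {
    register_post_type('book', ['public' => true]);
});
function example_inline_icon($png) {
    return 'data:image/png;base64,' . base64_encode($png);
}
"""

# Constructed suspicious sample: a long opaque blob handed to eval().
SUSPICIOUS_PHP = (
    "<?php\n"
    "// Constructed sample of injected code appended to a theme file.\n"
    "$blob = '" + "A" * 240 + "';\n"
    "eval(base64_decode($blob));\n"
)


def scan_source(source: str) -> list:
    """Return (rule name, line number) for every hit in one PHP file's text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in SUSPICIOUS_PATTERNS:
            if rx.search(line):
                hits.append((name, lineno))
    return hits


def scan_tree(root: Path) -> dict:
    """Scan every .php file under root; map relative path -> hits (only files with hits)."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = scan_source(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo_scan() -> dict:
    """Write the two constructed samples into a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins" / "example").mkdir(parents=True)
        (root / "plugins" / "example" / "example.php").write_text(BENIGN_PHP)
        (root / "themes" / "twenty").mkdir(parents=True)
        (root / "themes" / "twenty" / "functions.php").write_text(SUSPICIOUS_PHP)
        return scan_tree(root)


if __name__ == "__main__":
    # Usage: python scan_php.py /path/to/wp-content   (no argument: run the demo)
    report = scan_tree(Path(sys.argv[1])) if len(sys.argv) == 2 else demo_scan()
    for rel_path, hits in report.items():
        for name, lineno in hits:
            print(f"{rel_path}:{lineno}: {name}")
```

Run it over `wp-content` and, separately, over the WordPress core directories, then compare flagged core files against a fresh download of the same version; anything that differs is the place to start reading.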


Since the question has been answered, I'll note that 'pisher' is yiddish for "a young, inexperienced, presumptuous person". Like an overconfident young person who doesn't have enough skill to back it up.
posted by softlord at 7:20 AM on May 1, 2019 [1 favorite]


We use a plugin called Bulletproof Security on all of our WordPress sites. It's a massive plugin with a terrible user interface, but it does some FANTASTIC things, including creating a much more secure .htaccess file and killing brute force attacks w/ its Login Security module.

The above advice is great, but just a clarification -- given that you can't change the WordPress user name in the admin, and the user name was changed, this pisher definitely accessed your database.

It sounds like you're taking it very seriously, which is great. If you have a backup sitting around from before this happened, I would suggest restoring it, then securing the crap out of the site. This stuff has a way of coming back to bite you. Not only could you lose your site due to a corrupt database, we've seen domains get blacklisted, and have also seen people end up with severe attacks for years once their site was compromised. So not to be a Negative Nora, but you'll need to remain vigilant for a while.
posted by nosila at 7:39 AM on May 1, 2019

