Was I hacked? Can't log in to Wordpress and weird username
April 30, 2019 2:23 PM   Subscribe

I'm trying to log in to my Wordpress account and it won't recognize my login information. I requested a new password reset and the reset email came to my email address but the username is not me. It says, "Hi PiSh3r" and "username: PiSh3r" Thats not me! If I proceed to reset my password am I allowing them some sort of access? How do I safely navigate this? (PiSh3r? WTF really?)
posted by Vaike to Technology (22 answers total) 3 users marked this as a favorite
Sounds like somebody swiped the account to me, maybe via credential-stuffing. I'd check haveibeenpwned to see if your login has been compromised by one of the zillions of recent breaches. I'd contact their support folks if possible and let them know what's up.
posted by jquinby at 2:27 PM on April 30, 2019 [2 favorites]

Log in now! Hopefully you still have Administrator role. Delete any users you don't recognize. Change your password.

Is this self-hosted, or wordpress.com?
posted by humboldt32 at 2:40 PM on April 30, 2019

Response by poster: Self hosted. Is it safe to go through to change the password from the email they sent? (I can get into my channel and deleted maggie.valera@gmail.com)
posted by Vaike at 2:50 PM on April 30, 2019

What "they"? The lost password is process is generated, and encrypted by WP.

Safe? What choice do you have? (I don't mean that dismissively.)

> I can get into my channel

I'm not sure what you mean by that.

Do you have FTP access to the webspace? When was your last backup?
posted by humboldt32 at 3:02 PM on April 30, 2019 [1 favorite]

Response by poster: Ugh. Sorry, Cpanel. "They" was Wordpress, but addressed to "PiSh3r", not "Vaike". That's what made me nervous to click on it and change the password. And thank you, this kind of stuff makes me panic for some reason...
posted by Vaike at 3:06 PM on April 30, 2019

The relevant part here is the email that the reset was sent to. The change in the username is worrisome, but you need to get in there and look to see what you can find. I can't imagine using the reset link would further compromise you.
posted by humboldt32 at 3:13 PM on April 30, 2019

Response by poster: I just looked at the email they sent me to reset my password and it was from my own email and sent to my own email, and takes me to www.mysite.com/my-account/lost-password/?show-reset-form=true. The last password reset I had a year or so ago, which I know was valid, was from donotreply@wordpress.com
posted by Vaike at 3:15 PM on April 30, 2019

Not sure if this is correct or relevant, but my cPanel username was autogenerated and bizarre. I think it was not this way originally, and then at some point it was and I went through something like what you are going through now.
posted by you must supply a verb at 3:18 PM on April 30, 2019

I encourage you to proceed. I just tested one of my sites. The sender is the email entered into the "Admin Email" field on the WP Settings page. The page you end up at is the correct place, nothing fishy there. You're not entering any sensitive info on that form, therefore no risk. Other notices are delivered with "donotreply@" but not these password resets. I think you're not remembering correctly.

Either way, you need to log in and see what's up, and nothing you're running into looks out of place.
posted by humboldt32 at 3:30 PM on April 30, 2019 [1 favorite]

Response by poster: Thank you for holding my hand humboldt32. I changed the password and am in. The only user is 'PiSh3r' with my email address and listed as administrator. Yet if I look at 'your profile' it does say my username. It says usernames cannot be changed. Do I re-add myself and set myself as an admin then delete the other admin (PiSh3r)?

And, again, thank you.
posted by Vaike at 3:45 PM on April 30, 2019 [1 favorite]

You can either add a new admin & delete the existing one (but be sure to attribute the existing content to the new admin before you click "delete") or you can directly change it in the database using phpMyAdmin.

I'd suggest reading the FAQ My site was hacked. If I were you, I'd install the Wordfence plugin & scan your site.
posted by belladonna at 3:55 PM on April 30, 2019 [3 favorites]

I would create a new account with Administrator privileges and then log out. Log back in with the new administrator and delete the previous user.

That is a bit worrisome about the username differences. Maybe your database has been compromised? Hard to say. Where are you with being up to date with updates to the WP core and plugins?

You might use the plugin Better Search and Replace, and search for Pish3r just to see what turns up.
posted by humboldt32 at 3:57 PM on April 30, 2019

Good advice. I always have WordFence running so I kinda forget about it.
posted by humboldt32 at 3:57 PM on April 30, 2019

Kids these days, I swear.
posted by notquitemaryann at 4:11 PM on April 30, 2019 [3 favorites]

Make sure this script is not still in your WP directory:

edit: jinx! We found that at the same time.
posted by belladonna at 4:17 PM on April 30, 2019 [2 favorites]

Once you have logged in, make sure there aren't any plugins or themes that you didn't personally install.
posted by belladonna at 4:21 PM on April 30, 2019

Response by poster: Ok, fingers crossed everything seems to be back to normal. For future reference:

I created a new admin account, with different email address, logged out, had to generate a new password yet again, got back in, deleted PiSh3r, logged out and in again successfully.

I also contacted my hosting, so they can do what they need to do. (and deleted the fake user in my phpmyadmin)

I searched for PiSh3r and https://pastebin.com/60f9qMr7 with Better Search and Replace, and checked for plugins that I did not install.

I added Wordfence. Any other recommendations for security?

Lastly, I had to use a different email to create an account. Will my WooCommerce, with my original, main email that I've had for 20 years, still be ok? Or would that be compromised now somehow?

Thank you all! (And again, humboldt32)
posted by Vaike at 4:36 PM on April 30, 2019

You can switch your new admin account to use your old email address, now that the original admin has been deleted.

If you use WooCommerce services (linked with Jetpack) go ahead & change that password as well. Check all your payment settings in WooCommerce to make sure the bank account info hasn't been changed.
posted by belladonna at 4:46 PM on April 30, 2019

A couple more small things:

1. In Wordfence, you can change settings to make the brute force protection stronger by auto-banning people who attempt to use usernames such as "admin," "webmaster," etc. as well as lowering the number of incorrect password attempts and raising the temporary ban period after too many incorrect password attempts.

2. For added safety after suspicious behavior, you should also change the salts in your wp-config.php file, which will force logout all currently logged in users (see here for instructions).
posted by p3t3 at 10:27 PM on April 30, 2019 [2 favorites]

If someone's been into your Wordpress they might have added a backdoor to get in again. You can try running a search for 'base64' and seeing if there is any suspiciously obfuscated code in your plugins/themes (Wordfence might catch all that already, I'm not sure).
posted by Gordafarin at 2:29 AM on May 1, 2019

Since the question has been answered, I'll note that 'pisher' is yiddish for "a young, inexperienced, presumptuous person". Like an overconfident young person who doesn't have enough skill to back it up.
posted by softlord at 7:20 AM on May 1, 2019 [1 favorite]

We use a plugin called Bulletproof Security on all of our WordPress sites. It's a massive plugin with a terrible user interface, but it does some FANTASTIC things, including creating a much more secure .htaccess file and killing brute force attacks w/ its Login Security module.

The above advice is great, but just a clarification -- given that you can't change the WordPress user name in the admin, and the user name was changed, this pisher definitely accessed your database.

It sounds like you're taking it very seriously, which is great. If you have a backup sitting around from before this happened, I would suggest restoring it, then securing the crap out of the site. This stuff has a way of coming back to bite you. Not only could you lose your site due to a corrupt database, we've seen domains get blacklisted, and have also seen people end up with severe attacks for years once their site was compromised. So not to be a Negative Nora, but you'll need to remain vigilant for awhile.
posted by nosila at 7:39 AM on May 1, 2019

« Older Calgary in July!   |   I need a dollar... Or a pound Newer »
This thread is closed to new comments.