Has your WordPress been hacked? Removed the scripts and cleaned your blog following these WordPress Hacked instructions? It happened to me. I also found a couple of php files uploaded in sneaky places like in the uploads/ folder. I also found a “new” admin user, the username was a script. TIP: Click on edit the user, delete the script, change the role to subscriber, save, then delete the user.
Once I had carried out checks on every folder, updated wordpress and plugins etc, I still had a problem. Hidden admin users.
When you return to your user admin panel do you see more Admin users than are showing? HINT: look at the number in brackets versus the number of admin users listed.
The invisible or hidden users need removing. The only way is to go to your PHPMyAdmin and remove them, here is a quick step by step guide:-
1. Firstly, while on the user page in the admin panel on WordPress, right click on ‘view source’ – find the following:-
<tbody id="the-list" class='list:user'>
Under this will be the users, jot down the numbers of the users you know are correct – which should be all those showing, the number of the user is (for example, 2):-
2 . Go in PHPMyAdmin.
3. On SQL tab, query this:
select * from wp_usermeta where meta_value LIKE ‘%administrator%’;
and delete the row(s) that don’t match the ID# you wrote down as per step 1
4. On SQL tab, query this
select * from wp_usermeta where meta_key=’wp_user_level’ AND meta_value=’10’
and delete the row(s) that don’t match your ID# you wrote down.
5. In your WordPress site, refresh the Users page, and the invisible Admin should have disappeared.
I hope this saves you a bit of time and searching..