WordPress problem fix
An admin account you did not create is a confirmed backdoor. We remove it, audit every other account, and close the way in, usually within hours.
If you opened wp-admin or your users table and found an account like wp_adminerlzp, adminer, wpsupport, or any admin you did not create, the site has a planted backdoor. Attackers add a hidden admin so they can return after a partial cleanup. The fix is not to just delete the user. You remove it, audit every other admin account, rotate keys and salts, check for matching backdoor files in wp-content, and close the entry point that let them in, often an outdated plugin. Most cleanups finish within a few hours.
If any of these match, you are on the right page.
Strange admin account in Users or wp_users table
Account email is a throwaway gmail or random address
User registered date predates anything you remember
Site was recently flagged for malware or weird redirects
It is a hidden WordPress administrator account commonly planted by malware. The name varies. The pattern is the same: an admin you did not create, with a throwaway email, often hidden from the normal users list by a malicious must use plugin.
Almost always through an outdated plugin or theme vulnerability, or a backdoor file left in wp-content from an earlier compromise. The hidden user is planted so attackers can return after a casual cleanup.
No. The file or database trigger that created it will recreate it. You have to remove the user, find the backdoor that made it, patch the entry point, and rotate all secrets.
The real method, in the order it works.
Snapshot the database and files before touching anything.
Delete the hidden admin from wp_users and wp_usermeta directly.
Scan wp-content/mu-plugins, uploads, and active theme for the file that recreates it.
Reinstall core, plugins, and themes from official sources.
Rotate keys and salts in wp-config, force a password reset for every real admin.
Real fix, from our work
On a fleet cleanup I opened the users table and saw an admin called wp_adminerlzp with a gmail throwaway. I deleted it through SQL, expecting it gone. Five minutes later it was back. The trigger was a one line php file dropped into mu-plugins, which runs before everything else. I removed the file, wiped mu-plugins clean, reinstalled core and plugins fresh from wordpress.org, rotated salts, and the hidden user stopped coming back.
Written by Ali Yasin Jatoi
Founder of WebCare Studios. Ali has worked with WordPress for more than 10 years, including managing a fleet of 150+ sites with WP-CLI automation for updates, security cleanup, and malware removal. He has hands on experience across major hosts including Cloudways, A2 Hosting, Hostinger, and Bluehost.
Site down, hacked, or broken checkout gets a senior engineer within 4 hours. No ticket queues, no bots.
Flat quote up front. If we cannot get you back online, you do not pay. Risk sits with us, not you.
We work on a snapshot first and never touch your live database until the fix is verified safe.
We run a fleet of WordPress sites every day. The errors you are seeing are ones we have closed hundreds of times.
No. Only the planted account is removed. Genuine admins keep their access. We do force a password reset to be safe in case credentials were also exposed.
We pull the users table directly through the database, not the Users page, since malicious must use plugins can hide rows from the admin UI. If it is in the database we will see it.
Only if the original entry point stays open. That is why we patch the vulnerable plugin or theme, remove every backdoor file, and rotate keys, not just delete the user.
Two fields. Email and your URL. A senior WordPress engineer reads it within minutes and replies on email and WhatsApp with what is wrong and what we will do next.