I have a client with a Wordpress website currently hosted on Siteground. They are worried that someone else has access to their Wordpress admin user account (only one user I can see in the back end) and also possibly their Siteground account.

I wanted to suggest just change passwords for both of these sites but wanted to confirm, would this be enough? Or create a new full admin account in Wordpress then delete the other altogether?

Is there a guaranteed way to remove any possible access to everyone but the client?

I have a client with a Wordpress website currently hosted on Siteground. They are worried that someone else has access to their Wordpress admin user account (only one user I can see in the back end) and also possibly their Siteground account.

I wanted to suggest just change passwords for both of these sites but wanted to confirm, would this be enough? Or create a new full admin account in Wordpress then delete the other altogether?

Is there a guaranteed way to remove any possible access to everyone but the client?

• admin
• password
• reset
• account

Share Improve this question asked Sep 23, 2019 at 22:32 Adam GilliesAdam Gillies 2311 silver badge55 bronze badges

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

In principle, just resetting the password, plus invoke the "Log out everywhere else" on the user profile, should be enough to prevent benign user knowing the password. Reset the web host customer password, including any associated FTP account password. Use strong and unique passwords.

But, in case any unknown, possibly malicious user, may have had wp-admin, hosting account or FTP access, a backdoor may have been introduced through PHP code. In that case the site must be regarded hacked. See https://wordpress/support/article/faq-my-site-was-hacked/

Any custom PHP code should be reviewed to rule out a backdoor, plus wp itself and all plugins/themes reinstalled from scratch. This is not trivial, requiring an expert.