Home About Categories My Work Contact Search RSS
Home Posts Delete users from WordPress database

Delete users from WordPress database

May 30, 2023
WordPress , MySQL

I just finished a new job to clean a WordPress website that was compromised with malicious codes. While investigating I noticed that there were several unidentified admin users created on the WordPress website from the infected code.

This is a very common issue for compromised WordPress websites.

The best solution is to remove all these unidentified admin users from the WordPress MySQL database and all their respective instances too. Here is the step-by-step process.

Note: for referene purpose, I have used table prefix as wp_. In your case, you need to use your actutal table prefix.

Delete user meta (capabilities, roles, etc.)

DELETE FROM wp_usermeta WHERE user_id IN (4,5,6,7,8);

Delete users

DELETE FROM wp_users WHERE ID IN (4,5,6,7,8);

Reassign posts to admin (recommended)

Replace 1 with your main admin user ID

UPDATE wp_posts SET post_author = 1 WHERE post_author IN (4,5,6,7,8);

Delete all their posts

DELETE FROM wp_posts WHERE post_author IN (4,5,6,7,8);

Delete comments by those users

DELETE FROM wp_comments WHERE user_id IN (4,5,6,7,8);

Clean comment meta (optional but good)

DELETE cm FROM wp_commentmeta cm LEFT JOIN wp_comments c ON cm.comment_id = c.comment_ID WHERE c.comment_ID IS NULL;

Clean orphaned usermeta (optional, extra safety)

DELETE um FROM wp_usermeta um LEFT JOIN wp_users u ON um.user_id = u.ID WHERE u.ID IS NULL;

Extra Security Check (VERY IMPORTANT)

After cleanup, check if database still has hidden admin roles:

SELECT * FROM wp_usermeta WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%administrator%';

If any unknown users still appear, do investigate immediately.