Tag Archives: hacked

Deleting bulk users on WordPress

First, let me say thank you to WP Beginner for their EPIC tutorials and guides to fixing/managing/improving/innovating in WordPress. Without resources like theirs, developers like me would be fumbling in the dark with trial and error solutions. 🙂

We were recently hired to clean up an old hacked WordPress website and prepare it for new development. Our normal protocol is to lock up WordPress vulnerabilities, namely that old “Leave a Reply” functionality that enables users to make comments on blog/news articles. Well, that has almost always been a no-no for about a decade now, as it leads to URL injections, spam and, worse, hacks.

Deleting 10,000 fake subscribers from a website is no easy task. If it’s just 50-100-200, you can manually delete using WP Beginner’s tutorial – Method 2: Manually Deleting WordPress Users with Specific Roles. {Scroll down}

The faster way is using a free plugin called Bulk WP > Bulk Delete Users. 

Method 1: Bulk Delete WordPress Users with Specific Roles Using Plugin

The default way to bulk delete users with specific roles is quite simple. However, sometimes you may need to select users based on other criteria as well.

For example, you may want to delete users that haven’t logged in for a while, or users who signed up during a specific period of time.

In such a situation, the default user management tools will not be enough. Luckily, there are plugins that allow you to efficiently perform bulk tasks.

Let’s see how to delete users with specific roles using a plugin.

The first thing you need to do is install and activate the Bulk Delete plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit the Bulk WP » Bulk Delete Users page.

Here you can select Bulk Delete options for deleting users. First, you can select the specific user roles. After that you can select the filtering options.

You can restrict bulk delete to users…

  • Who have registered in a given number of days.
  • Who haven’t logged in in the last __ days.
  • Only if the user doesn’t have any posts.
  • Only delete the first __ users.

You can also select users by meta data.

Scroll down a little to the ‘By User Meta’ box. In this box, you can select meta fields and use conditional operators to compare their values.

Click on the Bulk Delete button and the users matching the specific criteria will be deleted.


Method 2: Manually Deleting WordPress Users with Specific Roles

This method is simpler and does not require you to install any plugin.

Simply go to the Users page in your WordPress admin area. You will notice the list of users registered on your WordPress site.

On top of the list, you will see the links to different user roles. When you click on a user role, it will show you the list of users with that specific user role.

This page only displays 20 users at a time. If you have more user accounts that you want to delete, then click on the Screen Options tab on the top right corner of the screen.

This will bring a fly-down menu where you can set the ‘Number of items per page’.

For example, we want to delete users with subscriber user role, and there are 144 users with that role. We will enter 144 in the number of items per page field.

Click on the ‘Apply’ button, and the page will reload showing all user accounts with the subscriber user role.

Now you need to click on the select all checkbox next to the Username column to select all items displayed on the page.

If you don’t want to delete some users, then you can uncheck them now.

Once you are ready, click on the ‘Bulk Actions’ menu and then select ‘Delete’. After that click on the Apply button and WordPress will delete all selected user accounts.

If the user accounts you are trying to delete have created posts, then you will be asked what you want to do with those posts.

You can select to delete all content created by those users or attribute it to an existing user account.

Click on the confirm deletion button to continue.

WordPress will now delete all selected user accounts from your site.

This method will work for a few hundred users, but if you have thousands of users, then you don’t want to adjust the screen options because it can potentially overload your server.

Instead, you need to use Method 1 (the Bulk Delete plugin).

If you liked this article, then please subscribe to WP Beginner’s YouTube Channel for WordPress video tutorials. You can find them on Twitter and Facebook!

WordPress Site Hacked – What do I Do?

Yes, it happens.

For starters, you don’t cry and you certainly don’t ignore it. Don’t get angry (well, it’s actually a source to channel some great Spartan workouts, but that’s another discussion). You can do this. We’re either going to RECOVER ourselves or we’re going to hire someone to do it. The more you know what’s involved the less overwhelming it will be (on the other side of FEAR is knowledge). 🙂

If you are here for PREVENTION, click HERE:


Go here: http://www.google.com/intl/en/webmasters/hacked/ to see a video Google created that explains everything!

  • How and why sites are hacked
  • Process to recover a site and remove the user-facing warning label
  • Time-to-recovery depends on extent of damage and technical skill of administrator
  • Two options:
    • Do it yourself
    • Get help from specialists


Do you have the skills and are doing it yourself? Follow the steps below. Otherwise, do get yourself a good professional recommendation from your network. We’re happy to help walk you through the steps for a nominal fee.


1. Contact your hosting company to determine whether the shared server itself is infected or if it’s just you who is toast. If the server is infected, request a change of server. If you have money, go to a shared virtual server, which attracts more serious clients. If you have even more money, get a dedicated server!

2. Get Google Webmaster Tools launched and log in (specialists know how to do this) – we will be using its tools to review and fix search

3. Assess the Damage and Identify the Vulnerability.

  • Compare WordPress code to the original source (hidden malware pops out as a big ugly difference)
  • Compare theme code to the original source
  • Remove any malware found

4. Clean and Maintain your site

  • Update WordPress to the latest version. Doing this ensures that there are no security loopholes, which I’m sure there were!
  • Remove unused themes from WP
  • Update WP Theme, create child theme to protect existing customization
  • Update all plugins and remove any unused ones
  • Install Sucuri Malware protection plugin which monitors that no files are changed, prevents hackers from accessing certain files & hides them, etc.
  • Remove any open contact forms where URL injections could have taken place and use 3rd party secure tools like JotForm
  • Review MySQL database and determine what cleansing needs to take place.
  • Determine if we can safely add .htaccess code to disable PHP execution in subdirectories

5. Request a Review at Google Webmaster Tools!
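
For step 3, one way to compare an install against the original source is to hash both trees and list what differs. This is an added example, not code from the original post; it assumes you have unpacked a clean copy of the same WordPress release locally, and the function names and the `PHP_SUFFIXES` list are hypothetical.

```python
import hashlib
import os
import sys

PHP_SUFFIXES = (".php", ".phtml", ".phar")  # assumption: extensions the server runs as PHP


def hash_tree(root):
    """Return {relative path: SHA-256 hex digest} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip broken symlinks, sockets, etc.
                continue
            sha = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    sha.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha.hexdigest()
    return digests


def compare_to_reference(site_root, reference_root):
    """Diff a live install against a clean copy of the same release.

    modified:  in both trees, content differs (possible injected code)
    added:     only in the live site (uploads, config, or dropped files)
    added_php: subset of 'added' the server would execute; review these first
    missing:   only in the reference (deleted or never installed)
    """
    site = hash_tree(site_root)
    ref = hash_tree(reference_root)
    added = sorted(set(site) - set(ref))
    return {
        "modified": sorted(p for p in site.keys() & ref.keys() if site[p] != ref[p]),
        "added": added,
        "added_php": [p for p in added if p.lower().endswith(PHP_SUFFIXES)],
        "missing": sorted(set(ref) - set(site)),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare.py SITE_ROOT CLEAN_REFERENCE_ROOT")
    for kind, paths in compare_to_reference(sys.argv[1], sys.argv[2]).items():
        for path in paths:
            print(f"{kind}\t{path}")
```

Expect `wp-config.php` and media files to show up under `added`; entries under `added_php` inside upload directories are the ones that the `.htaccess` rule in step 4 is meant to neutralise.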
