Introduction

If an admin password reset email is going to an attacker-controlled address, the problem is no longer just account recovery. It means the account metadata, admin email routing, or underlying site control has already been altered. The fix is to secure the environment first, re-establish trusted ownership of the affected account, and investigate how the attacker changed the recovery path.

Symptoms

  • Password reset messages are sent to an unknown or altered admin email address
  • The site's admin email or user profile email changed without authorization
  • Recovery attempts fail because the attacker now controls the reset destination
  • Suspicious account changes, plugin changes, or login events appeared beforehand
  • Other signs of compromise are present, such as rogue admins or modified settings

Common Causes

  • An attacker changed the admin user's email address after obtaining access
  • The site's global admin email setting was altered to route notifications elsewhere
  • A compromised plugin, database edit, or direct admin action changed recovery data
  • Email forwarding or mailbox control outside the application was also compromised
  • The site is already under broader administrative compromise

Step-by-Step Fix

  1. Treat the incident as active account compromise and secure administrator access before relying on the normal password reset flow.
  2. Verify whether the changed reset destination comes from the user profile email, the site's admin email, or a deeper mail routing compromise.
  3. Restore trusted control of the affected admin account through a safe recovery path such as direct database or hosting-level administrative access.
  4. Rotate passwords, session tokens, and related credentials for privileged users and supporting infrastructure.
  5. Review the site for rogue admin accounts, plugin changes, database tampering, and other signs the attacker modified account recovery data.
  6. Check mailbox security and forwarding rules if the legitimate admin address may also have been compromised.
  7. Audit recent logins, settings changes, and privilege escalations to understand how the attacker gained the ability to reroute resets.
  8. Re-test password recovery only after trusted ownership of the account and email path has been restored.
  9. Finish with hardening measures such as stronger admin protection, MFA where available, and monitoring for future unauthorized profile changes.
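The following is an added example, not part of the original page, showing how steps 2 through 5 look when done through direct database access. It assumes a WordPress install with the default wp_ table prefix; example.org, owner@example.org and user ID 1 are placeholders to replace with the real trusted domain, address and account.

```sql
-- Assumed: WordPress schema, default wp_ table prefix (adjust both the
-- prefix and the 'wp_capabilities' meta_key if the prefix differs).

-- Step 2: find where the reset destination comes from. The site-wide
-- admin email and any pending change request live in wp_options; each
-- user's profile email lives in wp_users. Check both.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('admin_email', 'new_admin_email', 'adminhash');

-- Step 5: list every account holding the administrator role, newest
-- first, and flag emails outside the trusted domain (placeholder).
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       (u.user_email NOT LIKE '%@example.org') AS email_outside_trusted_domain
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

-- Step 3: restore trusted ownership of the affected account (ID 1 is a
-- placeholder). Put the legitimate address back, set a temporary
-- password (WordPress replaces a legacy MD5 hash with its own hash on
-- the next successful login), and drop every stored session so any
-- attacker session is logged out immediately.
UPDATE wp_users
SET user_email = 'owner@example.org',
    user_pass  = MD5('CHANGE-ME-temporary-password')
WHERE ID = 1;
DELETE FROM wp_usermeta WHERE user_id = 1 AND meta_key = 'session_tokens';

-- Step 4: reset the site-wide destination and clear any pending admin
-- email change, which would otherwise reroute the next reset message.
UPDATE wp_options SET option_value = 'owner@example.org'
WHERE option_name = 'admin_email';
DELETE FROM wp_options WHERE option_name IN ('new_admin_email', 'adminhash');
```

Take a database backup before the UPDATE and DELETE statements, and re-run the two SELECT queries afterwards to confirm no administrator still points at an untrusted address.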