Introduction

If the WordPress admin email changes without your approval, treat it as a possible account compromise, not a simple settings mistake. Attackers often change the admin email to intercept password resets, lock out the real owner, or prepare for deeper persistence. The right response is to regain control safely, verify what changed, and close the access path before restoring normal operations.

Symptoms

  • WordPress reports that the site admin email or a privileged user email changed unexpectedly
  • Password reset flows send mail to an address you do not control
  • A recent plugin, user, or settings change appears that you did not authorize
  • Security logs show suspicious logins, user edits, or database changes
  • Other signs of compromise appear around the same time, such as new users or modified settings

Common Causes

  • An attacker gained access to an administrator account and changed the email in settings or user profiles
  • A compromised plugin or custom code modified site options or user data directly
  • Database credentials or admin access were exposed and used to alter WordPress records
  • An insider or shared access account changed the email without change control
  • Cleanup restored some site files but left the original compromise path open

Step-by-Step Fix

  1. Confirm exactly which email changed: the site admin email, an individual admin user's email, or both.
  2. Regain control through the safest remaining trusted path, such as hosting access, database access, or another verified administrator account.
  3. Review WordPress users, recent logins, audit logs, and security plugin records to determine who changed the email and from where.
  4. Check for unauthorized administrators, suspicious plugins, modified theme code, and unexpected option changes that could indicate wider compromise.
  5. Restore the correct admin email only after you have verified you still control the account recovery path and mail delivery destination.
  6. Rotate passwords and session tokens for WordPress admins, hosting, database, SFTP, and any connected identity or mail systems that may be exposed.
  7. Remove unauthorized users, patch vulnerable plugins or themes, and close the original access path before trusting the site again.
  8. Test password reset and admin access flows to confirm recovery messages now go only to approved recipients.
  9. Monitor privileged account changes and admin-setting changes closely for the next several days to ensure the unauthorized edits do not return.
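
One way to support steps 1, 4, and 9 is to compare the current site state against a baseline you approved. The script below is an added example, not part of the original guide. It assumes the options were read with `wp option get` and the administrator list was exported with WP-CLI's `wp user list`; every login, address, and finding name in it is constructed for illustration.

```python
import json

# Constructed baseline: the site email and administrators you have approved.
APPROVED = {
    "admin_email": "owner@example.com",
    "admins": {"siteowner": "owner@example.com", "webdev": "dev@example.com"},
}
# Constructed current state. Options as read with `wp option get <name>`.
CURRENT_OPTIONS = {
    "admin_email": "Owner@Example.com ",
    "new_admin_email": "help@mail.example.net",  # change requested, not yet confirmed
}
# Constructed output in the shape of:
#   wp user list --role=administrator --fields=user_login,user_email --format=json
CURRENT_ADMINS_JSON = """[
  {"user_login": "siteowner", "user_email": "owner@example.com"},
  {"user_login": "webdev", "user_email": "dev@mail.example.net"},
  {"user_login": "wp_support", "user_email": "help@mail.example.net"}
]"""

def norm(addr):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return (addr or "").strip().lower()

def audit(approved, options, admins_json):
    """Return (finding, detail) tuples for every deviation from the baseline."""
    findings = []
    want = norm(approved["admin_email"])
    if norm(options.get("admin_email")) != want:
        findings.append(("site_admin_email_changed", options.get("admin_email")))
    pending = options.get("new_admin_email")
    if pending and norm(pending) != want:
        findings.append(("pending_site_email_change", pending))
    seen = set()
    for user in json.loads(admins_json):
        login = user["user_login"]
        seen.add(login)
        if login not in approved["admins"]:
            findings.append(("unapproved_admin", login))
        elif norm(user["user_email"]) != norm(approved["admins"][login]):
            findings.append(("admin_email_changed", login))
    for login in sorted(set(approved["admins"]) - seen):
        findings.append(("approved_admin_missing", login))
    return findings

if __name__ == "__main__":
    for finding, detail in audit(APPROVED, CURRENT_OPTIONS, CURRENT_ADMINS_JSON):
        print(f"{finding}: {detail}")
```

Run on a schedule during the monitoring window in step 9, an empty result means the site email and administrator list still match the approved baseline.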