Skip to content

wp_admin_role_granted

Severity: Critical Signal: wp.user — user role changed to administrator

What this signal means

A WordPress user's role was changed to administrator. This grants full control over the site including plugin installation, file editing, and user management.

What surprise this prevents

An attacker escalating privileges quietly — granting admin access to a compromised account before you notice unusual activity.

Why it matters

Admin role grants are high-impact changes. If this was unexpected, it could indicate an attacker has gained partial access and is escalating privileges, or that a compromised plugin or theme modified user roles programmatically.

Investigate

View entity alerts in Logystera →

Check the alert payload for:

  • payload.user_login — which user was promoted?
  • payload.user_id — cross-reference in WordPress.
  • labels.actor — who was logged in when this happened?

In WordPress admin, go to Users → All Users, filter by Administrator, and check the date each admin account was last active.

  1. Verify the role change was intentional. Contact the person who made the change and confirm.
  2. If unexpected, immediately demote the user:
  3. Go to Users → All Users.
  4. Click Edit on the suspect account.
  5. Change the role from Administrator to a lower role, or delete the account.
  6. Audit recent admin activity — go to your activity log plugin or check WordPress action scheduler.
  7. Check for unknown admin accounts added around the same time.
  8. Review recently installed or updated plugins — a compromised plugin could be creating admin accounts. Go to Plugins and sort by recently updated.
  9. Change all admin passwords if the source of the change is unclear.

When to safely ignore

If you or a team member intentionally promoted a user and the labels.actor matches a known admin, no action is required. The alert exists to catch cases where this change was not deliberate.

Signal reference

{
  "event_type": "wp.user",
  "payload": {
    "type": "role_changed",
    "user_id": 42,
    "user_login": "john",
    "old_role": "editor",
    "new_role": "administrator"
  }
}