#!/usr/bin/env bash
# wp-fake-admin-detect.sh — find suspicious admin accounts and the mechanisms that create them.
# Source: https://techearl.com/wordpress-fake-admin-users
# Site:   https://techearl.com/
# Reports only; does NOT delete.
#
# Usage: ./wp-fake-admin-detect.sh /path/to/wordpress

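# -e: stop on the first failing command; -u: an unset variable is a bug.
# pipefail is deliberately NOT enabled: the grep stages in section 4 exit 1
# when nothing matches, which is the normal "clean" outcome, not an error.
set -eu

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

WP_ROOT="${1:-$PWD}"

# Fail early on a wrong path instead of running every query against the
# default prefix of whatever directory we happen to be in.
[[ -f "$WP_ROOT/wp-config.php" ]] || die "no wp-config.php under $WP_ROOT"
command -v wp >/dev/null 2>&1 || die "wp-cli (wp) not found in PATH"

# Table prefix from wp-config.php; falls back to the WordPress default "wp_".
# (grep exits 1 when the line is missing; the pipeline status is sed's, so the
# fallback below still applies.)
PREFIX=$(grep -oE "table_prefix\s*=\s*['\"][^'\"]+" "$WP_ROOT/wp-config.php" \
  | sed -E "s/.*['\"]//")
PREFIX="${PREFIX:-wp_}"

# PREFIX is spliced straight into SQL below; accept only a plain identifier so
# a tampered wp-config.php cannot change what the queries do.
[[ "$PREFIX" =~ ^[A-Za-z0-9_]+$ ]] || die "unexpected table_prefix value: $PREFIX"

#######################################
# Run one SQL statement through wp-cli against this install.
# Globals:   WP_ROOT (read)
# Arguments: $1 - SQL text
# Outputs:   result table on stdout
# Returns:   wp's exit status
#######################################
wpq() {
  # --allow-root is kept from the original script so it also works when run
  # as root; running as the web server's user needs no such override.
  wp db query "$1" --path="$WP_ROOT" --allow-root
}

echo "========================================="
echo "  Fake Admin Detection Pass"
echo "  WP root:      $WP_ROOT"
echo "  Table prefix: $PREFIX"
echo "========================================="

# 1. All current admin accounts, most recent first.
# Roles live serialized in usermeta under "<prefix>capabilities"; a LIKE on
# the serialized blob is enough to pick out administrators.
echo
echo "--- 1. All administrator accounts (most recent first) ---"
wpq "SELECT u.ID, u.user_login, u.user_email, u.user_registered \
  FROM ${PREFIX}users u \
  JOIN ${PREFIX}usermeta m ON u.ID = m.user_id \
  WHERE m.meta_key = '${PREFIX}capabilities' \
    AND m.meta_value LIKE '%administrator%' \
  ORDER BY u.user_registered DESC"

# 2. Admin accounts with no published posts (possible backdoor account).
echo
echo "--- 2. Admin accounts with zero published posts (possible backdoor) ---"
wpq "SELECT u.ID, u.user_login, u.user_email, u.user_registered, \
  (SELECT COUNT(*) FROM ${PREFIX}posts p WHERE p.post_author = u.ID AND p.post_status = 'publish') AS pub_posts \
  FROM ${PREFIX}users u \
  JOIN ${PREFIX}usermeta m ON u.ID = m.user_id \
  WHERE m.meta_key = '${PREFIX}capabilities' \
    AND m.meta_value LIKE '%administrator%' \
  HAVING pub_posts = 0 \
  ORDER BY u.user_registered DESC"

# 3. Suspicious email patterns.
# The literal dot must reach the MySQL regex engine as "\.": bash turns
# "\\\\." into "\\." and the SQL string literal (default sql_mode) turns that
# into "\.". A single "\\." in bash would arrive as a bare "." and match any
# character after the domain name.
echo
echo "--- 3. Admin accounts with throwaway-looking email patterns ---"
wpq "SELECT u.ID, u.user_login, u.user_email, u.user_registered \
  FROM ${PREFIX}users u \
  JOIN ${PREFIX}usermeta m ON u.ID = m.user_id \
  WHERE m.meta_key = '${PREFIX}capabilities' \
    AND m.meta_value LIKE '%administrator%' \
    AND (u.user_email REGEXP '@(yopmail|mailinator|guerrillamail|tempmail|10minutemail|throwawaymail|maildrop|trashmail)\\\\.' \
         OR u.user_email REGEXP '^[a-z]{4,}[0-9]{3,}@(gmail|yahoo|outlook|protonmail)\\\\.')"

# 4. Backdoor file scan: PHP files that can create users.
# NOTE: the exclusion list below hides every match inside those plugin
# directories, including files an attacker may have dropped there; if the
# install is already suspect, rerun without the "grep -v" stage. Output is
# capped at 20 paths, so a long list means "more to look at", not "done".
echo
echo "--- 4. PHP files calling wp_create_user / wp_insert_user (review each) ---"
grep -rlE --include="*.php" "wp_(create|insert)_user\s*\(|add_user_to_blog\s*\(" \
  "$WP_ROOT/wp-content/" 2>/dev/null \
  | grep -vE "wp-content/(plugins/woocommerce|plugins/buddypress|plugins/wpforms|plugins/gravityforms)" \
  | head -20

# 5. Scheduled cron events: a persistence mechanism that re-creates accounts
# shows up here as a hook name no installed plugin or theme explains.
echo
echo "--- 5. WP-Cron scheduled events (look for unrecognized hooks) ---"
wp cron event list --format=table --fields=hook,next_run_relative \
  --path="$WP_ROOT" --allow-root 2>/dev/null | head -30

# 6. Multisite super-admin list (the sitemeta table only exists on multisite,
# so a failing query is reported as "not multisite" rather than as an error).
echo
echo "--- 6. Network super-admins (if multisite) ---"
wpq "SELECT meta_value FROM ${PREFIX}sitemeta WHERE meta_key = 'site_admins'" \
  2>/dev/null || echo "  (not a multisite install)"

echo
echo "========================================="
echo "  Review each section. Cross-reference"
echo "  the admin list against admins you"
echo "  recognize. Anything else is a candidate."
echo "========================================="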
