Came across an interesting hack yesterday, which was a new one on me.
I noticed a site I had been working on had been hacked into and some redirect crap added to it.
There were some folders full of redirect junk sitting in the WP root and some nasty little redirect rules pertaining to them in the .htaccess. So I got rid of all of that and went about trying to find how they got in. Nothing seemed disturbed in the functions or plugins, nor was there anything weird going on in the head or footer. Assuming there was something evil in the wp-admin or includes etc., I proceeded to try and upgrade WP but had no access in the backend.
On logging in, I noticed I had my usual admin login and password, and I was the only admin user. But I had no access to plugin deactivation or WP upgrades. But my user role was good and I couldn’t see anything screwing with it, or any redirection etc. blocking me other than the standard “you do not have access to this page”, even though I was admin. Looking through the folder structure, there was no mu-plugin messing with things, no unusual functions acting up. Can you guess what the problem was?
The hacker had converted the site to multisite using (presumably) the wp-config file and then given themselves super-admin access. Amazing! I just would never have thought of that. So once I removed the multisite directive in the config file I was back to a single site setup and was able to control things again.
So if you have admin but no ability to deactivate plugins or update WP version when you should, check if that sneaky hacker has actually converted your site to multisite. The cheek!
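One way to run that check from the file system when the dashboard is locked, as an added example that is not part of the original post: it reports the multisite constants actively defined in a wp-config.php and ignores commented-out ones. The function names are hypothetical, the constant names are WordPress's standard multisite constants, and the sample config is constructed.

```python
import re
import sys

# Constants WordPress reads from wp-config.php when running as a network.
MULTISITE_CONSTANTS = {
    "WP_ALLOW_MULTISITE", "MULTISITE", "SUBDOMAIN_INSTALL",
    "DOMAIN_CURRENT_SITE", "PATH_CURRENT_SITE",
    "SITE_ID_CURRENT_SITE", "BLOG_ID_CURRENT_SITE",
}

# Strings are matched first so "//" in a URL or "#" in a password is not
# mistaken for the start of a comment.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")   # quoted string: kept
      |(/\*.*?\*/|//[^\n]*|\#[^\n]*)            # comment: dropped""",
    re.S | re.X,
)
_DEFINE = re.compile(
    r"""\bdefine\s*\(\s*(['"])(\w+)\1\s*,\s*(.+?)\s*\)\s*;""", re.I | re.S)

def strip_php_comments(source):
    return _TOKEN.sub(lambda m: m.group(1) or " ", source)

def find_multisite_defines(source):
    """Return {constant: raw value} for each active (uncommented) define()."""
    calls = _DEFINE.findall(strip_php_comments(source))
    return {name: value for _, name, value in calls
            if name in MULTISITE_CONSTANTS}

def multisite_enabled(defines):
    """True when MULTISITE is defined with a truthy value."""
    value = defines.get("MULTISITE", "false").strip("'\" ").lower()
    return value not in ("false", "0", "", "null")

# Constructed sample, not taken from the site in the post.
SAMPLE = r"""<?php
define( 'DB_NAME', 'wp' );
define( 'WP_HOME', 'https://example.test/#top' );
// define( 'WP_ALLOW_MULTISITE', true );
/* That's all, stop editing! */
define( 'MULTISITE', true );
define( 'SUBDOMAIN_INSTALL', false );
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = find_multisite_defines(text)
    print(found, "multisite enabled:", multisite_enabled(found))
```

Run it with the path to wp-config.php as the only argument; on a site that is meant to be a single install, any reported multisite constant deserves a look.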