Viewing 4 replies - 1 through 4 (of 4 total)
  • I received the exact same email with the same User IP in Lithuania.
    I manually blocked this IP using Wordfence – the free version.

    This then reported to me:
    Republic of Lithuania
    IP: 92.62.129.97 [unblock] [permanently blocked]
    Reason: Manual block by administrator
    Hostname: 92.62.129.97
    No attempts have been made to access the site since this IP was blocked.
    0 hits before blocked
    0 blocked hits
    Permanently blocked

    If it is correct that there have been no hits before blocked, then the email from Wordfence is either incorrect or a rogue selling technique.

    Anyone with any advice on this would be most welcome.

    Same thing here. It is happening to 3 of 3 WordPress installations (all have the current release of Wordfence installed). A new user was created in each one.

    A user with username “backup” who has administrator access signed in to your WordPress site.
    User IP: 92.62.129.97
    User hostname: 92.62.129.97
    User location: Republic of Lithuania

    Hi all,

    Have you all checked your WordPress users table? On a personal site, I experienced a hack where a new user was created and had to delete the user out of the table.

    If a new user has been created, you’ll want to update all themes and plugins.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Tips from WordPress Codex:
    https://codex.wordpress.org/FAQ_My_site_was_hacked

    -Brian

    Thread Starter paulgul (@paulgul)

    Hi Brian, thanks for the tip. On checking my user tables I found 4 entries that should not have been there, all with admin rights; one of them was for user “Backup”. I have now deleted these entries.
    I’ll now check my site for any signs of hacking, although a quick look yesterday didn’t reveal anything.
    Paul
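
The user-table check discussed in this thread, as an added example (not code from any poster or from Wordfence): it lists every account holding the administrator role and flags logins that are not on an expected list. The default `wp_` table prefix, the sample rows and the `unexpected_admins` helper are assumptions; the data is constructed and loaded into in-memory SQLite so the query runs offline.

```python
import sqlite3

# Constructed sample data mirroring the WordPress schema (default "wp_" prefix assumed).
SAMPLE_USERS = [
    (1, "siteowner", "owner@example.com", "2015-03-02 10:11:12"),
    (2, "editor1", "editor@example.com", "2016-01-20 08:00:00"),
    (3, "backup", "backup@example.invalid", "2017-06-01 02:13:44"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Roles are stored in wp_usermeta as a serialized PHP array,
# so the query matches the quoted role name inside that value.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""

def build_sample_db():
    """Create an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
               "user_email TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return db

def unexpected_admins(db, expected_logins):
    """Return administrator rows whose login is not on the expected list."""
    expected = {name.lower() for name in expected_logins}
    return [row for row in db.execute(ADMIN_QUERY) if row[1].lower() not in expected]

if __name__ == "__main__":
    for row in unexpected_admins(build_sample_db(), ["siteowner"]):
        print("unexpected administrator:", row)
```

The `user_registered` column in the output shows when each flagged account was created, which helps when comparing against access logs and plugin update history.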

The topic ‘Login Alerts’ is closed to new replies.