The Sucuri plugin monitors the execution of a WordPress event named “wp_login” which according to the official WordPress documentation [1] is triggered when a user logs in by the “wp_signon” function [2]. It is the very last action taken in the function, immediately following the “wp_set_auth_cookie” call.
So what I think is that something in your site is triggering that event more than once, and the second time is not providing a valid “WP_User” object, that is why the Sucuri plugin creates an alert using the “Unknown” string, because there was no way to determine the username from the event data.
What themes and plugins do you have installed? It is probable that something in the code of one of these addons is affecting the functionality of the user authentication monitor.
[1] http://codex.wordpress.org/Plugin_API/Action_Reference/wp_login
[2] http://codex.wordpress.org/Function_Reference/wp_signon
Thread Starter
Patty
(@patita75)
I am using the wpml language translation plugin. I am wondering if that is what is creating a duplicate.
I do not know that plugin, will install it in my development site to see if I can reproduce the issue, but I believe that is not the cause of that duplication but I am not sure, will have to test first.
