Support » Plugin: Wordfence Security - Firewall & Malware Scan » “Admin” Created Outside of WordPress

  • Resolved Jonathon Harris

    (@demo38ltd)


    Started getting a notification in the Wordfence scan that an Admin user with the name ‘admin’ was created outside of WordPress. Obviously could be a concern, so digging in…

    The odd thing is, we already have a dummy ‘admin’ user account with subscriber level access, and WordFence is set to automatically block users that try to log in using ‘admin’.

    Everything’s kept up to date, no apparent issues, nothing in the logs with unwanted logins, security scans are all clean.

    Even checking the database directly, in both the Users table and the administrator capabilities, the only Admin users in the database are the actual Admins that should be there (and those same users are listed correctly in the WordPress admin as well).

    Any thoughts why WF would be triggering?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @demo38ltd and thanks for reaching out to us!

    I sometimes see this on some hosts when they are checking into your site for information. If you are using the “Immediately block the IP of users who try to sign in as these usernames” feature with admin, this will only work if the username admin does NOT exist on the site user base.

    Reach out to your host to see if they would be creating these admin accounts to check content on your site.

    Let me know what you find!

    Thanks!

    Thread Starter Jonathon Harris

    (@demo38ltd)

    Hello, thanks for the quick reply – I checked with the web host, and they said they don’t access the database unless requested through support ticket.

    Still, the only ‘admin’ named account I see in the database is the dummy account (subscriber level) that I set up inside WordPress.

    Any thoughts? I don’t want to ignore it if there’s an issue – I’m just not seeing anything of a cause, so want to make sure it’s a false positive.

    Plugin Support WFAdam

    (@wfadam)

    The “admin created outside of WordPress” warning happens when Wordfence doesn’t have a record of the admin having been created. So this will happen either if the admin was created directly via the database as opposed to inside of the WordPress administrative interface or it can happen if Wordfence is deactivated while the admin is created.

    If you want to avoid it you’d have to create the WordPress user inside of WordPress and while Wordfence is activated. If you know that you’ve created the admin it’s perfectly safe to ignore the warning though.

    Did you happen to create the dummy admin account during a time when Wordfence was not installed or disabled?

    Thanks again!

    Thread Starter Jonathon Harris

    (@demo38ltd)

    Thanks for the follow up – that’s the odd thing, no users were created outside of WordPress, and WordFence only started showing this notice a few days ago. WordFence has been active since launch last year.

    The dummy ‘admin’ account is just a subscriber level account (was never actually an admin).

    With each WordFence scan now, it keeps showing that alert though.

    Not sure what to assume?

    Plugin Support WFAdam

    (@wfadam)

    Just to be safe, I would ask your host if they see any admin accounts, outside of yours, that can access FTP on your site. If not, then this could just be a false positive and you could “Ignore” that scan result.

    Let me know what you find!

    Thanks!

    Thread Starter Jonathon Harris

    (@demo38ltd)

    There are only 2 FTP accounts on the hosting, and they are both ours.

    Is there any way to confirm exactly what WordFence is seeing to determine why?

    Plugin Support WFAdam

    (@wfadam)

    I think it’s just seeing an account that was created, most likely before Wordfence was installed. So when it compares it to the data tables, it’s thinking that this was created recently.

    It’s safe to click “Ignore” for that scan result as you know for sure that no new FTP accounts were created. It’s just a false positive. Better to be safe in this case.

    Thanks again!

  • The topic ‘“Admin” Created Outside of WordPress’ is closed to new replies.
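
As an added example (not part of the thread and not Wordfence's own code): one way to list every database row that grants the administrator role, going slightly beyond the lookup described in the first post by also catching capability rows stored under another table prefix or multisite blog ID, and rows whose user no longer exists in the users table. It assumes the default `wp_` table names and uses an in-memory SQLite database with constructed rows as a stand-in for the site's MySQL database.

```python
import sqlite3

# Audit query: plain LEFT JOIN and LIKE, so the same statement can be run
# against MySQL/MariaDB. Table names assume the default "wp_" prefix.
AUDIT_SQL = """
SELECT m.user_id, u.user_login, u.user_registered, m.meta_key,
       CASE WHEN u.ID IS NULL THEN 1 ELSE 0 END AS orphaned
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u ON u.ID = m.user_id
WHERE m.meta_key LIKE '%capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY m.user_id, m.meta_key
"""

ADMIN = 'a:1:{s:13:"administrator";b:1;}'   # PHP-serialized role array
SUBSCRIBER = 'a:1:{s:10:"subscriber";b:1;}'


def build_sample_db():
    """Constructed sample data, not taken from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY,
                                  user_id INTEGER, meta_key TEXT,
                                  meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "siteowner", "2019-03-01 10:00:00"),
        (2, "admin", "2019-03-02 09:30:00"),   # dummy subscriber account
    ])
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [(1, "wp_capabilities", ADMIN),
         (2, "wp_capabilities", SUBSCRIBER),
         (2, "wp_2_capabilities", ADMIN),   # role stored under another prefix
         (99, "wp_capabilities", ADMIN)])   # no matching wp_users row
    return conn


def find_admin_capability_rows(conn):
    """Return every usermeta row that grants the administrator role."""
    return [dict(row) for row in conn.execute(AUDIT_SQL)]


if __name__ == "__main__":
    for row in find_admin_capability_rows(build_sample_db()):
        print(row)
```

Any row with `orphaned` set to 1, or with a `meta_key` other than the site's own `<prefix>capabilities`, is worth comparing against the list of administrators shown in the WordPress admin screen.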