Admin user created outside of WordPress??

  • Resolved BlueSteam

    (@bluesteam)


    Hello,

    I created an admin user manually through the WordPress interface and ever since then, I keep getting a daily email from WordPress stating the following:

    I have removed the admin user for obvious reasons.

    This email was sent from Wordfence Central for your site “https://alettewinckler.com”.
    Wordfence found 1 new issue on “https://alettewinckler.com”
    Alert generated at December 8, 2020 6:51am UTC
    See the details of these scan results on Wordfence Central: https://www.wordfence.com/central/findings/551bf928-084d-4ac0-bdaa-2538ac3dedae
    Findings

    High Severity Problems:

    An admin user with the username ######## was created outside of WordPress.

    View your findings here: https://www.wordfence.com/central/findings/551bf928-084d-4ac0-bdaa-2538ac3dedae

    I then check the issue and it shows the following:

    Details: An admin user with the username ######## was created outside of WordPress. It’s possible a plugin could have created the account, but if you do not recognize the user, we suggest you remove it.

    So I “MARK AS FIXED” because I KNOW the username but it STILL just keeps coming and I cannot figure out why I keep getting this notice.

    Please can someone explain and assist why this is happening?


  • Plugin Support wfpeter

    (@wfpeter)

    Hi @bluesteam, if there are definitely no other legitimate people with access to your site creating administrator accounts, it looks to me like your site has been compromised and there is a way for these users to keep being recreated.

    It sounds like you may need to clean the site or at least follow the checklist here:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here:
    https://wordpress.org/download/releases/
    WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this!

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks,

    Peter.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bluesteam, thanks for getting in touch over this issue.

    If the user isn’t actually being recreated, and you don’t need to re-delete the user each time you receive this message, then it could be a caching plugin if you have one installed. Try flushing the cache for your site and see if this issue reoccurs.

    If the message still keeps coming back or caching does not apply to you, please send a diagnostic report to wftest @ wordfence . com. You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Note: For the fastest response time, please make sure and add any information or questions directly to this topic and not the email address above unless asked.

    Thanks,

    Peter.

    Thread Starter BlueSteam

    (@bluesteam)

    Hi 🙂

    ok, so we do use LiteSpeed Cache plugin because the server runs on Litespeed.

    I have manually cleared the cache now and will wait to see if it re-occurs.

    Thanks for the assistance and I will give feedback as soon as I have more info.

    Thanks

    +1 – also running with LiteSpeed cache setup. All my admin accounts suddenly flagged on one web site but not on two others.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bluesteam,

    I will leave this ticket open for now in case there is any feedback from the cache changes.

    @bcalles, as per the forum guidelines we can better help our customers if topics concentrate on the issues for a single user. Please start your own topic so that we can look into your case individually and we’ll be glad to help!

    Peter.

    Thread Starter BlueSteam

    (@bluesteam)

    Hello 🙂

    Sadly the problem still occurs.

    I did clear ALL Cache for LiteSpeed plugin so I really have no idea why this keeps happening.

    I have sent a diagnostic report to the email requested.

    Thank you so much for all you guys do!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bluesteam,

    I have reviewed your site diagnostic and there are 183 rows in your users table. As you run a store and customers can register I am not particularly concerned by this number. Everything else looks like it’s running properly. If users are managed by a plugin such as WooCommerce, it could be possible for them to be assigned a user level considered an “admin”, but this seems unlikely also. I assume you created the original admin user yourself using the WordPress > Users section of your dashboard?

    Have you continued to receive this email daily since deleting the user, and has the user been recreated at all since we last spoke?

    Thanks again,

    Peter.

    Thread Starter BlueSteam

    (@bluesteam)

    Hello Peter

    Yes, we receive this notification daily.
    Yes the user was created using the admin dashboard as you stated.

    I highly and strongly doubt the site is compromised as there has been no suspicious activity at all other than this constant notice of the admin user being created outside of WordPress.

    This user in question was created by me originally as a different username and since receiving the notices, I did some tests and found that if I delete the user, the notice goes away. If I recreate the user and even recreate it with a different username, the notice reappears. The user is not being recreated daily but Wordfence seems to think it is. So I followed the instructions that said that if I am aware of this user, I can ignore it so I click “MARK AS FIXED” but it keeps returning.

    So what now??

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bluesteam,

    This is indeed quite a strange one due to the recurrent nature despite your best efforts to suppress it. I’ve been doing some digging and if this won’t be ignored or marked as fixed, you can deactivate Wordfence momentarily and re-activate it again after creating the admin user. The reactivation will learn the current set of admins and should stop flagging it.

    Important note before deactivating Wordfence:

    Ensure that “Delete Login Security tables and data on deactivation” in Wordfence > Login Security > Settings and “Delete Wordfence tables and data on deactivation” in Wordfence > Tools > Import/Export Options are NOT selected.

    Thanks for your patience,

    Peter.
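
Added example, not part of the thread and not Wordfence's code: a simplified model of the baseline check the last reply describes ("learn the current set of admins"), usable to audit which accounts in an export of the users and usermeta tables hold the administrator role. The rows are constructed, the default `wp_` table prefix (meta key `wp_capabilities`) is assumed, and all function names are hypothetical.

```python
import re

# Constructed sample rows: (ID, user_login, user_registered, wp_capabilities value).
# WordPress stores a user's roles in wp_usermeta as a PHP-serialized array.
SAMPLE_ROWS = [
    (1,   "siteowner",  "2019-03-02 10:15:00", 'a:1:{s:13:"administrator";b:1;}'),
    (57,  "customer_a", "2020-06-11 08:00:00", 'a:1:{s:8:"customer";b:1;}'),
    (181, "shopmgr",    "2020-11-20 12:30:00", 'a:1:{s:12:"shop_manager";b:1;}'),
    (183, "newadmin",   "2020-12-07 16:45:00", 'a:1:{s:13:"administrator";b:1;}'),
]

# Matches each role key whose serialized boolean is true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(meta_value):
    """Return the role names set to true in a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(meta_value))


def current_admins(rows):
    """Map user ID -> (login, registered) for accounts holding 'administrator'."""
    return {uid: (login, reg) for uid, login, reg, caps in rows
            if "administrator" in roles_from_capabilities(caps)}


def unrecognized_admins(rows, baseline_ids):
    """Admins whose ID is absent from the previously recorded baseline."""
    admins = current_admins(rows)
    return sorted((uid, *admins[uid]) for uid in admins if uid not in baseline_ids)


def refresh_baseline(rows):
    """Re-learn the admin set (what reactivation is described as doing)."""
    return set(current_admins(rows))


if __name__ == "__main__":
    baseline = {1}  # assumed baseline recorded before 'newadmin' existed
    for uid, login, reg in unrecognized_admins(SAMPLE_ROWS, baseline):
        print(f"review: admin id={uid} login={login} registered={reg}")
    baseline = refresh_baseline(SAMPLE_ROWS)
    print("after refresh:", unrecognized_admins(SAMPLE_ROWS, baseline))
```

Comparing `user_registered` for a flagged ID across two exports shows whether the account is actually being recreated or only re-reported.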
