Support » Plugin: Wordfence Security - Firewall & Malware Scan » non-existant user logged in…

  • Resolved BFred

    (@bfred)


    I received this from Wordfence, I don’t understand how this is possible:
    A non-admin user with username “admin” signed in to your WordPress site.
    User IP: 22.22.22.22
    User hostname: 22.22.22.22.isp.com
    User location: city, country

    The site has 4 admins, non of them are called admin. Admin user does not exist… and my head is going to explode 😉

    Thank you.

Viewing 11 replies - 1 through 11 (of 11 total)
  • WFGerroald

    (@wfgerald)

    Hey @bfred,

    If you navigate to Wordfence > Live Traffic do you see the successful login attempt? If so, can you please share a screenshot of the expanded details?

    Also, if you’re not currently using it I’d strongly recommend using Two-Factor. it’s one of the best defenses for your login page.

    Thanks,

    Gerroald

    BFred

    (@bfred)

    Hi!

    So I couldn’t find live traffic. Maybe it’s only on the paid version?

    I’m still attaching the successful login attempts where one inexistant user managed to log in.
    (link removed)

    My users list:
    (link removed)

    I also checked the DB and no such user in the users table.

    So I have a morning backup which I will restore, which is soon enough before the “attack”. You recommend to enable 2FA for everyone which I will do.

    Now how can I explain what happened?

    Thank you.

    Fred

    • This reply was modified 1 year ago by BFred.
    Webartisan

    (@webartisan)

    Hi Fred
    Please remove your link to the image 😉

    BFred

    (@bfred)

    ok but then how do I show the screenshot? Besides it is true I didn’t find live traffic…

    Thank you.

    Webartisan

    (@webartisan)

    You’ll find Live traffic under Tools.
    There is also an option ti show it as a standalone menu item.

    The screenshots of Live traffic (cropped only to the user Admin) are the only one interesting for the case.

    BFred

    (@bfred)

    Ok found it. What am I supposed to look at? pages/files accessed?

    Webartisan

    (@webartisan)

    I think that @wfgerald (from Wordfence) needs to see the Live traffic screenshot limited to the strange login with the details (ip address, user agent etc) of the *ghost* admin

    BFred

    (@bfred)

    OK. Actually there are quite a few sensitive information. Is there a way to PM @wfgerald from here?

    Thank you.

    WFGerroald

    (@wfgerald)

    Hey @bfred,

    You can email the screenshots to wftest@wordfence.com. Please include a link to this thread, your WordPress.org username and update this thread in case the email is missed.

    Thank you @webartisan for helping out here.

    Thanks,

    Gerroald

    WFGerroald

    (@wfgerald)

    Hey @bfred,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

    BFred

    (@bfred)

    Well I emailed you as requested and was waiting for your response. Didn’t you receive my email?
    Thank you.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘non-existant user logged in…’ is closed to new replies.