Support » Plugin: Wordfence Security - Firewall & Malware Scan » Since I am using Wordfence I get suddenly new administrator users in my sites

  • Resolved ebakker66

    (@ebakker66)


    Hello All,

    Since I am using the free version of Wordfence I suddenly get new users with administrator rights in my wordpress websites.
    Is this a marketing trick from Wordfence to make me buy the paid version? Has any body similar problems after installing the free version of Wordfence?

    I now get the following messages in my email box.

    A user with username “wp.service.controller.h27Ax” who has administrator access signed in to your WordPress site.
    User IP: 81.177.165.140
    User hostname: 81.177.165.140
    User location: Moscow, Russia

    And when I loggin I really see this “wp.service.controller.h27Ax” – user in the section users. I deleted immediately this user. But new users are being made again.
    Is Wordfence helping me when I buy the paid version of Wordfence?

    Thanks for any reaction.
    I really hate these things.

    Best regards,

    ebakker66

Viewing 7 replies - 1 through 7 (of 7 total)
  • SVTX

    (@svtx)

    Is this a marketing trick from Wordfence to make me buy the paid version?

    NO

    bluebearmedia

    (@bluebearmedia)

    Is this a marketing trick from Wordfence to make me buy the paid version?

    Absolutely not. Wordfence does NOT create new admin users.

    Your site clearly has been compromised, possibly at the server/hosting level if Wordfence isn’t detecting anything at the site level.

    These two articles may give you more information:

    https://www.wordfence.com/learn/has-my-site-been-hacked/

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Thread Starter ebakker66

    (@ebakker66)

    Hello All,

    I regret that I wrote that I doubted about the sincerity of Wordfence. After many hours of research I found out that it has nothing to do with Wordfence. My site was clearly already been compromised before I installed Wordfence.

    So, again, sorry for that.

    Best regards,

    ebakker66

    Plugin Support wfphil

    (@wfphil)

    Hi,

    Apologies for the delay in replying as we have two support team members that are no longer working for Wordfence.

    Please follow this guide here:

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Plugin Support wfphil

    (@wfphil)

    Hi,

    Since I haven’t heard back from you I am assuming that the instructions solved your issue so I am marking this topic as resolved.

    If however, for whatever reason, you are still experiencing this issue and it is not resolved please respond to the post, which moves it back up the queue, and mark this topic as “not resolved”.

    Thank you.

    Thread Starter ebakker66

    (@ebakker66)

    Hello Phil,

    Thank you for your email. I did not read your article, I figured out myself to kill this virus.

    I was in the same endless loop with wordfence trying to delete infected files with @include “\x2fh\x6fm\x651 etc.

    I found the file who was creating these @include “\x2fh\x6fm\x651 etc. infections all the time.

    This is what I did:
    1) I Downloaded the whole WordPress site to my local computer
    2) Then I searched for php files with the text ‘rawurldecode’ using Notepad++
    3) When I found files with weird file names such as: zvqbjhrl.php
    And they also contains very strange code, such as:
    function jdszmp($vtwintjvkr, $vnuonc){global $vtwmb;$vtwmb = $vtwintjvkr;$vnuonc = str_split(rawurldecode(str_rot13($vnuonc)));function jzibdoj($zyeiayf, $vtwintjvkr)
    4) Then deleted all of those files.

    And now everything is OK

    Thanks again for your proactive reply.

    You can close this ticket.

    Erwin

    Plugin Support wfphil

    (@wfphil)

    Hi,

    I am glad to hear everything is okay now.

    Thanks.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Since I am using Wordfence I get suddenly new administrator users in my sites’ is closed to new replies.