Anyone can register + Standard Admin Role activated
Yesterday at 23:08 I received an email from my WordPress site, “Admin Email Changed”: “[…]The new admin email address is [email protected].[…]”
Right after that, a new user registered with the cryptic username “wpnew_kmyjzvfyoflv”. This username had the admin role!
This morning, when I realized this, I checked: in the settings, “Anyone can register” was checked and the standard user role was Administrator. I fixed it and went on to the Apache access logs. There I saw that before 23:08 yesterday, all requests to “wp-login.php?action=register” were redirected to “registration=disabled”. From this hint I think I can be sure that this setting was still correct until within the next two minutes. A log line that shows such a redirect:
[IPADDR] – – [29/Mar/2023:23:06:16 +0200] “GET /wp-login.php?registration=disabled HTTP/1.1” 200 3971 “https://[domainname]/wp-login.php?action=register” “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36”
From the access log I can only see that there were some admin-ajax post requests from the suspicious IP-Address at the time of the changes: POST /wp-admin/admin-ajax.php?action=elementor_ajax&_nonce=4c7b406e82
After these POST requests, the new user registered. I did not receive a “new user login” notification because the Administrator email had been changed to “[email protected]”.
How can I dig deeper into what caused this? Sadly, I think Apache access logs do not store the POST request data. Does anyone have an idea for how I could expand my search?
Please feel free to request more data if it would help to give some hints.
I consulted the “FAQ My site was hacked” page and have already begun to take measures. However, I am not sure if I should load a backup from yesterday before 23:00.
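An added example (my own, not from the original post or from WordPress) of the kind of timeline check you can script over the Apache access log: it finds the last moment registration was still being bounced to registration=disabled, the first registration POST that went through, and which client IPs sent admin-ajax.php POSTs in the surrounding minutes. The log lines, hostname and IP addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format, as in the line quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample lines (not a real log); 203.0.113.5 / 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Mar/2023:23:06:16 +0200] "GET /wp-login.php?registration=disabled HTTP/1.1" 200 3971 "https://example.org/wp-login.php?action=register" "Mozilla/5.0"
203.0.113.5 - - [29/Mar/2023:23:07:02 +0200] "POST /wp-admin/admin-ajax.php?action=elementor_ajax&_nonce=4c7b406e82 HTTP/1.1" 200 512 "https://example.org/" "Mozilla/5.0"
203.0.113.5 - - [29/Mar/2023:23:07:40 +0200] "POST /wp-admin/admin-ajax.php?action=elementor_ajax&_nonce=4c7b406e82 HTTP/1.1" 200 512 "https://example.org/" "Mozilla/5.0"
203.0.113.5 - - [29/Mar/2023:23:08:31 +0200] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "https://example.org/wp-login.php?action=register" "Mozilla/5.0"
198.51.100.7 - - [29/Mar/2023:23:30:00 +0200] "GET /wp-login.php HTTP/1.1" 200 3971 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for m in (LOG_RE.match(line) for line in text.splitlines()):
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def last_registration_disabled(entries):
    """Latest time a registration attempt was still bounced to registration=disabled."""
    hits = [e["ts"] for e in entries
            if "registration=disabled" in e["path"] and "action=register" in e["referer"]]
    return max(hits) if hits else None

def registration_accepted(entries):
    """Registration POSTs that were NOT bounced: the setting had already been flipped."""
    return [e for e in entries if e["method"] == "POST" and "action=register" in e["path"]]

def admin_ajax_posts(entries, center, minutes=10):
    """POSTs to admin-ajax.php within +/- minutes of the change, grouped by client IP."""
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    by_ip = {}
    for e in entries:
        if e["method"] == "POST" and "/wp-admin/admin-ajax.php" in e["path"] and lo <= e["ts"] <= hi:
            by_ip.setdefault(e["ip"], []).append((e["ts"].strftime("%H:%M:%S"), e["path"]))
    return by_ip
```

To run it over a real log, replace SAMPLE_LOG with the file contents and call the three functions in that order; the IPs returned by admin_ajax_posts are the ones whose full request history (and the server's PHP error log for the same minutes) is worth reviewing next.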