Unauthorised user and site created

Hi patbell101,
I think you have WordPress Network enabled (Multisite), if so then on the main network dashboard page please check (Settings > Network Settings => Registration Settings), maybe you are choosing “Both sites and user accounts can be registered.” there?

Thanks.

Good call. Though I am concerned how they logged in since I didn’t get my usual notification of an admin login and I have a very strong password. Ideally I’d like to allow dashboard login ONLY from my own fixed IP with perhap 2 factor login or an extra url parameter. Is that possible in Wordfence?

No need to log in a website with the configuration I mentioned in my previous reply, anyone can go to example.com/wp-signup.php to create a new site/user registration and this new user role will be an admin only on this newly created website, not the whole Network. (admin user on the whole Network is called Super Admin in WordPress multisite installation).

In Wordfence premium version “Two-factor authentication” is supported, knowing that we aren’t allowed to discuss/support premium features of the plugin here in the forums, for any further question you can always contact Presales team.

P.S. You can make use of these two options “Whitelisted IP addresses that bypass all rules” and “Immediately block IP’s that access these URLs” to allow login from your IP only.

Thanks.