• eduardobartelle

    (@eduardobartelle)


    Hi, I have a lot of sites with Wordfence and a user keeps signing in with the name wp_update-xxxxxxx and admin privileges (the X are numbers that vary).

    I have deleted it but it keeps coming back; when I scan with Wordfence it doesn't return anything…

Viewing 5 replies - 46 through 50 (of 50 total)
  • harmvarwijk

    (@harmvarwijk)

    I have been experiencing issues on over 30 WordPress websites since January. Malicious users with admin rights and code is being added to widgets, and as I am not a technician or specialist, this situation is very distressing for me.

    I can only remove the malicious code myself, and when I report suspicious files to my hosting provider, they do remove them. However, when I requested a scan, they admitted their scan was not perfect. This ongoing problem is becoming unbearable for me.

    I do have White Glove Service/fully managed support on my account, which saves me a lot of time. Can someone help me articulate to my server manager what needs to be done to address this issue comprehensively? I feel that submitting small, individual requests is not resolving the entire problem.

    I would appreciate any assistance. Thank you.

    English is not my main, I use ChatGPT to get the message out there.

    Hi all,

    I’ve been struggling with this same issue on 20 sites (within the same hosting space) for weeks, but am confident I’ve now fixed the issue for the long term. I’ve followed neolegen’s advice and haven’t had an attack since.

    This is what I did on all the affected websites (in this order):

    1) Took a backup of the site using the free Updraft plugin
    2) Updated all out-of-date plugins and themes
    3) Removed any ‘malicious’ admin users via MySQL
    4) Installed the Wordfence plugin (free version)
    5) Ran a Wordfence scan of the site
    6) Completely Replaced the wp-includes folder with a fresh version (via SFTP), as that was very often the most affected
    7) Cleaned / replaced all other files flagged in the Wordfence scan
    8) Ran a follow up Wordfence scan to check the site was now clean (repeated step 6 if not)
    9) Changed the site’s Database password via MySQL
    10) Changed the site’s WP-Config.php file in line with the above password change and changed the ‘salt’ secret key
    11) Changed all of the site’s Administrator passwords

    Once done across all of my sites I then completed the process with the following actions:

    12) Changed my SFTP password
    13) Changed my Hosting account’s Password

    I did this as quickly as possible across one day, to ensure there were no repeat attacks during the process and have repeatedly checked for new Malicious users being added since (none so far!)

    Good luck all. It takes a while, but it’s well worth it in the end.

    ….sorry, one more thing.

    I also noticed that malicious code had been added via the ‘Widgets’ section of my sites, so I checked / removed that between steps 3 and 4.

    I found that one of my admin users had an application password set up by the malware. I think this might be the attack vector.

    Go to the user’s menu on WP and go to edit mode of each administrator user. Check if an application password is set. If it is, delete it.

    I couldn’t delete mine through the WP dashboard, I had to do it directly from the database. Maybe you’ll face a similar problem.

    Hope this helps
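
A read-only audit for the two indicators reported in this thread, the `wp_update-<digits>` administrator and administrators that have an application password, added here as an example and not written by any poster. It assumes the default `wp_` table prefix and WordPress's `_application_passwords` user-meta key, and runs against constructed rows in an in-memory SQLite database; the function names are hypothetical.

```python
import re
import sqlite3

# Constructed sample rows shaped like WordPress's users/usermeta tables
# (default "wp_" prefix assumed); not data from any site in this thread.
SAMPLE_USERS = [(1, "siteowner"), (2, "wp_update-1723456"),
                (3, "editor_jane"), (4, "agency_admin")]
ADMIN = 'a:1:{s:13:"administrator";b:1;}'
SAMPLE_META = [
    (1, "wp_capabilities", ADMIN),
    (1, "_application_passwords", "a:0:{}"),  # emptied list: not a finding
    (2, "wp_capabilities", ADMIN),
    (3, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, "wp_capabilities", ADMIN),
    (4, "_application_passwords", 'a:1:{i:0;a:1:{s:4:"name";s:6:"update";}}'),
]
ROGUE_LOGIN = re.compile(r"wp_update-\d+")  # the thread's wp_update-xxxxxxx

def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return conn

def audit_admins(conn, prefix="wp_"):
    """Return (ID, login, reasons) for administrators worth reviewing."""
    if not re.fullmatch(r"\w+", prefix):  # prefix is spliced into table names
        raise ValueError("unexpected table prefix")
    rows = conn.execute(
        f"""SELECT u.ID, u.user_login, COALESCE(ap.meta_value, '')
            FROM {prefix}users u
            JOIN {prefix}usermeta cap ON cap.user_id = u.ID
             AND cap.meta_key = ? AND cap.meta_value LIKE '%"administrator"%'
            LEFT JOIN {prefix}usermeta ap ON ap.user_id = u.ID
             AND ap.meta_key = '_application_passwords'
            ORDER BY u.ID""", (prefix + "capabilities",)).fetchall()
    findings = []
    for uid, login, app_pw in rows:
        reasons = []
        if ROGUE_LOGIN.fullmatch(login):
            reasons.append("login matches wp_update-<digits>")
        if app_pw and not app_pw.startswith("a:0:"):
            reasons.append("application password set")
        if reasons:
            findings.append((uid, login, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_admins(build_sample()):
        print(finding)
```

The SELECT uses only standard joins, so the same statement can be run against a MySQL copy of the site's database; every flagged row still needs a human decision, since legitimate integrations also use application passwords.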

    FOR ANYONE STRUGGLING WITH THIS:

    Check if this fits your use case:
    https://www.reddit.com/r/Wordpress/comments/1feypel/new_malware_found_in_wordpress_installations/
