Hi @viclittledesigns, thanks for getting in touch.
I see that wp-login.php?action=register is disabled on your site, so it may also be appropriate to block XML-RPC if you haven’t already as this can be a source of registration and comment spam. You can add the following to your .htaccess file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
I am concerned though that it’s admin level users that have been added. I would suggest immediately deleting any users (especially admin users) that you don’t recognize from WordPress > Users > All Users. You may also need to check that your site hasn’t been compromized.
We are unable to provide step-by-step assistance through a site cleaning here on the forums but we do have helpful resources that can assist you. You should try the following checklist:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Make sure all of your plugins and themes are up-to-date and that WordPress core is on the latest suitable version. As a rule, any time someone thinks their site has been compromized, they should update their passwords for hosting control panel, FTP, WordPress admin users, and database in order to cover the key access points where somebody could change or upload things on your site. Make sure to do this!
Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.
Before attempting a site cleaning, we always recommend that you make a full backup of the site beforehand.
Thanks,
Peter.
