Hi!
After two months, I finally was able to stop it from appearing. It wasn’t an easy task, but i realized that my website was hacked through an abandoned?plugin in some way.
First of all, I installed the plugin Wordfence to scan all the suspicious files and malware, then I fixed the files that i was able to understand (did a backup first) and, finally, with the help of a backed developer, I was able to erase malicious functions on the code of various files through an SSH sesion on the website server.
Most of the infected files that allowed them to create the user were on themes, upload elements and random stuff i didn’t recognize.
I suggest you start by installing Wordfence and running a scan so you know where the error may be and make sure you don’t have inactive plugins or themes that may damage your code.I know this solution may be hard to implement for some people, but that was what it worked for me.
Good luck to everyone!
