Hi @slhatton
I’m investigating a very similar issue on another website – a admin user called ‘zdemon’ appeared along with some code added to wp-load.php.
The site didn’t have Wordfence installed.
I’d be interested to know, did you have WooCommerce installed? Are you using the web hosts Tsohost? This is an odd question but does your domain start with the letter ‘S’? I’m trying to figure out how and when this happened, and if the vulnerability was in site code, or a server security breach.
Best wishes and thanks for any help!
Josh
