Hi @badream, thanks for reaching out.
I have seen a few cases of these specific usernames being created before, but there was more than one cause for the initial issue, so I’d understand a bit more if I could get a diagnostic report from your site.
You can send it from the Wordfence > Tools > Diagnostics screen to wftest @ wordfence . com. Click on the “Send Report by Email” button at the top. Please add your forum username where indicated and respond here after you have sent it.
NOTE: It should look as follows: [Screenshot of Tools > Diagnostic > Send by Email]
Thanks,
Peter.
Thank you Peter, report sent!
Hi @badream, thanks for sending that over.
The cached files reporting back as modified files could be false-positives, but it’s hard to ignore that there’s clearly been an issue with users being created and I can see mention of tmp/wp-login.php, which may have been placed there to circumvent the real login page.
An alternative attack vector could be involved in order to create these users. For this reason, we recommend updating the passwords for your hosting control panel, FTP, WordPress admin users, and database no matter where you think the threat may have come from. Make sure to delete the users that’ve been created outside of WordPress, and other suspicious-looking users with administrative access if you find any.
Our site cleaning instructions may have some steps that will help you out: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
We always recommend using complex unique passwords along with 2FA for your administrative accounts, and when you find suspicious files or aren’t sure what to do with any Wordfence has found, you can send them to samples @ wordfence . com. For security reasons, just remember to remove any passwords or keys/salts from any files you do send us.
Additionally, you might find the WordPress Malware Removal section in our free Learning Center helpful.
Thanks,
Peter.