Were they admins? If so that’s definitely suspect.
Often users that appear in this way are there for malicious intent.
Good thing you changed your wp-admin password, but I would recommend that you change your database passwords as well since new admin users can easily be created manually through that.
Make sure your wp-admin password is long & strong.
Check your site for malware here:
http://sitecheck.sucuri.net/
It doesn’t find everything but it’s a really useful tool.
Update your plugins. Update your theme. Update WordPress. Update all the things!!!
🙂
Thread Starter
Alusza
(@alusza)
Hi. Thanks very much.
Can’t tell if they were admins because “Role” was blank as were all other fields. It was, in essence, an empty user. No user name, email, role, posts. Just a row with no values in it.
Sucuri says it’s clean. Thanks for that!
WP, themes, and plugins up to date. I’ll change the db password right now.
My pleasure 🙂
Hmm, well that’s definitely weird, but by the sounds of it you’re probably ok and caught this before anything nasty was done to your site.
If you notice any other weird behaviour update this thread or ping me and I can take a look.
Cheers
Thread Starter
Alusza
(@alusza)
Thanks. I appreciate the offer. Happened again in a different installation. 1 blank user (user: blank, email: blank, role: “none”, posts: blank). I deleted the user. Changed wp pwd, changed db pwd. Commonalities are: me logging in as admin, ithemes security, updraft plus plugin, wordpress 4. Blog comments were allowed in both though moderation was tight. I turned off “allow comments”.
Scanned my system with Malwarebytes and Windows Defender. Clean. Not sure what to do. Hoping it is some anomaly. Contacted UpdraftPlus dev’r because that plugin was recently installed on both installations. Dev’r says it’s not his plugin (I do believe that). Not sure about iThemes Security. See no chatter about this as an issue with the plugin.
Using sftp for both sites. Not using secure wp login over https though.
Weirdness.
Thread Starter
Alusza
(@alusza)
Oh no! I just logged into a 3rd site and it has 3 blank users. Something is happening for sure. Heeeeelp! 😉 I may have to pay for securing these installations.
Thread Starter
Alusza
(@alusza)
I guess I’ll just have to keep a close watch. Sites seem okay since turning off “allow comments”.
Hey, sorry for the delay, I lost track of this post.
Is your website on shared hosting? Are there other sites around it that have write access to the directory in which your site resides?
Thread Starter
Alusza
(@alusza)
No worries. One of the sites is on a dedicated server and the others are on shared. I don’t have any other sites around it with write access to root directory.
Since disabling registration/commenting ability on the affected installations (6 or so days ago), there have been no “blank” new users. Everything seems okay at the moment. Registration/commenting was on in each installation. Prior to turning it off, I’d delete a blank user and a new one would show up an hour or two later.
This must be some kind of bot creating the user. I don’t even receive notification that a new user has registered. I have iThemes Security set up pretty restrictively: no admin user, no default admin userID, database tables are unique not default, locking down the backend between midnight and 6:00 a.m. SQL injection is thwarted by iThemes. All themes/plugins and WP up to date.
I have external backups so I’m trying not to worry about it. Thanks for checking back.
Try setting up this plugin:
https://ww.wp.xz.cn/plugins/sucuri-scanner/
Really good auditing features – might provide some more visibility here.
I would think you are correct, it is likely a bot creating the new users.
If your website doesn’t require new users to be created then I’d recommend just deactivating new user registration altogether.
Thread Starter
Alusza
(@alusza)
Thanks! I’ll see what the Sucuri scanner tells me.
3 of the sites don’t need new user registration so all off there. The other will have users (just subscribers) that I create but no new user reg for the public.
It’s a shame. In most every respect I love WordPress as a web CMS. In this respect, it can be frustrating (having to turn off commenting). Bunch of delinquents ruining it for others 😉
Thanks again.
Thread Starter
Alusza
(@alusza)
Thanks Tara. I have gone through the WP hardening info. Seems I’m covered quite well. Shared hosting could be a problem though.
Moderator
t-p
(@t-p)
There are also some good suggestions in this codex: http://codex.ww.wp.xz.cn/Brute_Force_Attacks
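An added example, not part of any post in this thread: read-only MySQL queries an administrator could run to audit the kinds of accounts discussed above (blank users, users with no role, and any administrator that was not created on purpose). They assume a single-site install with the default `wp_` table prefix; with a custom prefix, change both the table names and the `wp_capabilities` meta key.

```sql
-- Assumption: default table prefix "wp_" on a single-site install.
-- With a custom prefix, replace it in the table names AND in the
-- meta_key ('<prefix>capabilities').

-- 1. Accounts with an empty login, an empty email, or no role assigned.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key = 'wp_capabilities'
WHERE u.user_login = ''
   OR u.user_email = ''
   OR m.umeta_id IS NULL               -- no capabilities row at all
   OR m.meta_value IN ('', 'a:0:{}')   -- empty serialized role array
ORDER BY u.user_registered DESC;

-- 2. Every account holding the administrator role, newest first.
--    Compare this list against the admins you created yourself.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- 3. usermeta rows whose user_id has no matching row in wp_users.
--    Leftover rows like these can show up after accounts are removed
--    outside the normal WordPress delete path.
SELECT m.user_id, COUNT(*) AS orphan_rows
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u ON u.ID = m.user_id
WHERE u.ID IS NULL
GROUP BY m.user_id;
```

All three statements are SELECT-only, so they can be run from a read-only database account; the `user_registered` timestamps from query 1 can then be matched against the web server access log for the same minute.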