Title: Site registration exploit, creating new admin users using admin-ajax.php
Last modified: November 9, 2018

---

# Site registration exploit, creating new admin users using admin-ajax.php

 *  Resolved [polymashsupport](https://wordpress.org/support/users/polymashsupport/)
 * (@polymashsupport)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/site-registration-exploit-creating-new-admin-users-using-admin-ajax-php/)
 * Has anyone experienced this?
 * Suddenly there is a new admin user on your site, and they logged in.
 * But I received NO alerts from Wordfence; this exploit bypassed all Wordfence
   protections.
 * I detected that someone has been able to simply create a new admin level user
   ID on one of our sites using admin-ajax.php. The Wordfence logs indicate no suspicious
   activity before this, and the only entry I can see on the firewall looks like
   this:
 * Please see the attached screenshot:
 * [https://www.screencast.com/t/RQIcOienoaC](https://www.screencast.com/t/RQIcOienoaC)
 * Wordfence did not detect or alert me to this.
 * What can I do to prevent such attacks? Blocking the IP range is pointless, since
   they are obviously using IP spoofing.


 *  Plugin Support [wfscott](https://wordpress.org/support/users/wfscott/)
 * (@wfscott)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/site-registration-exploit-creating-new-admin-users-using-admin-ajax-php/#post-10492049)
 * Hello [@polymashsupport](https://wordpress.org/support/users/polymashsupport/),
 * Could you please send over diagnostics via (Wordfence > Tools > Diagnostics >
   Send report by email) to scottm [at] wordfence [dot] com?
 * Please include your forum username in that second field when you send that over.
 * We will be happy to take a look for you.
 * -Scott
 *  Thread Starter [polymashsupport](https://wordpress.org/support/users/polymashsupport/)
 * (@polymashsupport)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/site-registration-exploit-creating-new-admin-users-using-admin-ajax-php/#post-10492120)
 * Thank you! (the diagnostic report was sent)
 *  Plugin Support [wfscott](https://wordpress.org/support/users/wfscott/)
 * (@wfscott)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/site-registration-exploit-creating-new-admin-users-using-admin-ajax-php/#post-10497856)
 * Hello [@polymashsupport](https://wordpress.org/support/users/polymashsupport/),
 * I see that you have multiple plugins for custom functionality related to user
   accounts and login. It is possible that one of those plugins has a vulnerability.
   Unfortunately, we can’t do a full code review of all your plugins, which is what
   would be required to fully determine the point of entry. I would recommend that
   you reach out to the authors of those plugins and inquire about this issue. They
   may have gotten similar reports from other users and may have some more information.
 * -Scott
 *  Plugin Support [wfscott](https://wordpress.org/support/users/wfscott/)
 * (@wfscott)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/site-registration-exploit-creating-new-admin-users-using-admin-ajax-php/#post-10679116)
 * Polymashsupport,
 * I hope you have not had any repeat issues with regard to this. For the time being,
   we haven’t seen a correlation with regard to any specific plugin or theme and
   this issue. We would advise if this were to occur again to have someone take 
   a look at your specific case (server setup, plugins, logs, etc.) and try to find
   a point of entry.
 * Please feel free to reach out to us if you notice any other issues or have any
   questions.
 * All the best,
 * Scott
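
The log review suggested in the last reply can start from the rogue account's creation time. The following is an added example, not part of the original thread or of Wordfence: it assumes a web server access log in the Apache/nginx "combined" format and the account's `user_registered` value from the `wp_users` table (stored in UTC); the function names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format (assumed for this example).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = [
    '198.51.100.7 - - [09/Nov/2018:13:40:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Nov/2018:14:03:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [09/Nov/2018:14:03:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 112 "-" "python-requests/2.19"',
    '203.0.113.44 - - [09/Nov/2018:14:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.19"',
]

def parse(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def candidates(lines, registered_at, window=timedelta(minutes=2)):
    """admin-ajax.php POSTs in the window just before the account was created."""
    recs = [r for r in map(parse, lines) if r]
    skew = timedelta(seconds=5)  # tolerate small clock differences
    hits = []
    for r in recs:
        is_ajax = r["path"].split("?")[0].endswith("/wp-admin/admin-ajax.php")
        if r["method"] != "POST" or not is_ajax:
            continue
        if not (registered_at - window <= r["ts"] <= registered_at + skew):
            continue
        # Did the same address go on to the login page afterwards?
        r["then_login"] = any(
            o["ip"] == r["ip"] and o["ts"] >= r["ts"]
            and o["path"].startswith("/wp-login.php")
            for o in recs
        )
        hits.append(r)
    return hits

if __name__ == "__main__":
    created = datetime(2018, 11, 9, 14, 3, 12, tzinfo=timezone.utc)  # constructed
    for h in candidates(SAMPLE, created):
        print(h["ts"], h["ip"], h["agent"], "login follows:", h["then_login"])
```

Access logs do not record POST bodies, so the `action` that was called is not visible here; the surviving requests narrow down when and from where to look in plugin code and any request-body logging you have.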
