Hi @hidden021,
I don’t see any diagnostics associated with your forum username in our inbox, although if your site has already been compromised then the REST API or other WordPress functions may not be working as intended.
We always recommend that you make a full backup of your site before making any changes suggested below.
Wordfence is an endpoint firewall that runs after PHP loads, so an external area of attack could have been used. Databases, hosting control panels, and FTP can all be accessed without loading the site with Wordfence protection. Try to protect all admin accounts (including those for WordPress) with long complex passwords and 2FA wherever it’s available.
We advise you to update your passwords for your hosting control panel, FTP, existing WordPress admin users, and database if somebody has gained access to modify any files. Make sure to do this.
Over half of all login attempts that are made on WordPress sites are made via xmlrpc.php. Wordfence offers the option to block XML-RPC or at least require 2FA with authentication requests using XML-RPC on the Login Security > Settings page. You can also block it entirely using .htaccess so long as you don’t use the WordPress app or the JetPack plugin, which require access to it.
I will provide our site cleaning instructions for you below, which may be useful to check even if you don’t suspect WordPress itself to have been the source of the new user:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful. We provide a site cleaning service should you need further assistance, as do other companies.
Many thanks,
Peter.
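
The following is an added example, not part of the original reply and not Wordfence code: a small triage script for a web server access log that measures how much login traffic arrives through xmlrpc.php and whether any of it comes from clients you depend on, which is the check to make before blocking the file in .htaccess. It assumes the Apache/nginx "combined" log format; the user-agent markers for Jetpack and the WordPress app are assumptions to verify against your own logs, and the sample lines are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip, identity, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php")
# Assumed user-agent markers for the clients the post says need XML-RPC; confirm in your own logs.
KNOWN_CLIENT_MARKERS = ("jetpack", "wp-android", "wp-iphone")

def summarize(lines, markers=KNOWN_CLIENT_MARKERS):
    """Tally POSTs to the two login entry points and profile xmlrpc.php sources."""
    per_path, xmlrpc_by_ip, known_clients = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a login-style request
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path not in LOGIN_PATHS:
            continue
        per_path[path] += 1
        if path == "/xmlrpc.php":
            xmlrpc_by_ip[m["ip"]] += 1
            if any(k in m["ua"].lower() for k in markers):
                known_clients[m["ip"]] += 1
    total = sum(per_path.values())
    return {
        "per_path": dict(per_path),
        "xmlrpc_share": per_path["/xmlrpc.php"] / total if total else 0.0,
        "top_xmlrpc_sources": xmlrpc_by_ip.most_common(3),
        "known_client_ips": sorted(known_clients),  # review these before blocking
    }

# Constructed sample lines using documentation-range IP addresses, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 150 "-" "Jetpack by WordPress.com"',
    '198.51.100.4 - - [10/Mar/2024:10:03:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An empty `known_client_ips` list over a representative period suggests nothing on the site relies on XML-RPC; a non-empty one points to the 2FA-for-XML-RPC option rather than a full block.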