Hi @inneedofahelp,
If you don’t mind, please allow me to help.
Solution:
- If both users have the same IP, block the IP.
- Implement 2FA and reCAPTCHA for your website.
- Disable XML-RPC for your website. To verify XML-RPC is disabled, use this XML-RPC validation tool. If properly disabled, you will see this message. If not, you can disable XML-RPC using the methods described here.
- Check your website for malware. In addition to Wordfence, you can use the following online tools to check for malware: Sucuri Sitecheck and VirusTotal. If any malware detected, follow these Wordfence instructions and/or contact your host.
If satisfied with the above, kindly consider closing this topic as “Resolved.”
Cheers!
Note: I’m not affiliated with Wordfence. Simply offering goodwill support.
Hi @inneedofahelp,
I would certainly try the steps that Generosus mentions above. Naturally the new users seem to be regenerated after deletion, which could imply a script but also that somebody has admin access to your site inside or outside of WordPress.
Make sure your plugins and WordPress core are up-to-date in case any security patches have been released since the problem originated. As a rule, any time I think someone’s site has been compromized I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database in order to cover the key access points where somebody could change things on your site. Make sure to do this.
Additionally to the link provided above you might find the WordPress Malware Removal section in our free Learning Center helpful too.
Let us know how you get on!
Peter.
Hello,
Thanks for the help,
I already cleaned up the site with Wordfence, and with High Sensitivity scan wordfence show no edited files or viruses, yet those accounts keep appearing from time to time.
Hey @inneedofahelp,
Final recommendation: Implement ALL of the suggestions provided above and your issue will be fixed.
Cheers!
Hello @generosus ,
I did implement all your recommendations and, now waiting to see if they will reappear again.
Thanks for help,
Hey @inneedofahelp.
That’s great!
Please let us know if that helped. If not then, regrettably, you may have malware that will need to be removed using more-sophisticated methods.
If that’s necessary, then your host should be able to help you remove it. Our host (SiteGround), for example, was kind enough to remove malware from our website as a one-time courtesy. They also provided the detailed procedure for removing malware shall that happen again.
Last, if you share your website’s URL, I can perform a special malware check for you.
Cheers! 🙂
