Hey,
Can you see that recently registered user in your WordPress dashboard user list?
WP dashboard > Users > All Users
Also, can you confirm if the email that was sent to you about the new user was sent from your site’s mail address?
Hi,
I deleted the user already.
The notification was indeed sent from our website.
That’s definitely not normal, but if you have a managed WordPress hosting provider, it could be from them, so I recommend checking with them first.
If it’s not from them, carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.
I found the problem: the LiteSpeed Cache plugin wasn’t updated, and new admin accounts were made from this exploit.
Please inform all people to update the LiteSpeed Cache plugin.
I hope we can find out where this is coming from.
Thank you TavyDesign!
Any steps we need to take? I had a scan done for malware on the server.
What are your recommendations besides updating the plugin and deleting the user?
@hopsakee I did the same thing, and no suspect file… it is very weird because the only thing was to create an admin account. I suspect the database, maybe they set something there…
Next you can try to delete all plugins and reinstall them from WordPress, and if you have a backup older than February, replace theme files and delete unused themes/plugins.
If your WordPress is up to date, reinstall it (you can delete the wp-includes and wp-admin directories, download the WordPress zip of the same version and upload these folders manually via FTP to be sure these folders don’t contain other PHP files).
Also check the root of the site for files not related to WordPress and replace them with files from the official zip.
Block execution of PHP files in uploads.
I did not find any suspect files until now, only files and plugin used to create new admin accounts.
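
The file checks suggested in this thread (core folders matching the official zip, nothing unexpected in the site root, no PHP in uploads) can be scripted. The following is an added example, not code posted by anyone in the thread; it assumes `reference` is an extracted official zip of the same WordPress version, and the function names and extension list are hypothetical choices made for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # folders replaced wholesale on reinstall
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}  # assumed extension list

def core_files(root: Path) -> dict:
    """Map relative path -> SHA-256 for root-level files plus the core folders."""
    files = [p for p in root.iterdir() if p.is_file()]
    for d in CORE_DIRS:
        if (root / d).is_dir():
            files += [p for p in (root / d).rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}

def audit(site: Path, reference: Path) -> dict:
    """Compare a live install with a pristine copy of the same WordPress version."""
    live, clean = core_files(site), core_files(reference)
    uploads = site / "wp-content" / "uploads"
    scripts = [p.relative_to(site).as_posix() for p in uploads.rglob("*")
               if p.is_file() and p.suffix.lower() in SCRIPT_EXT] if uploads.is_dir() else []
    return {
        # wp-config.php and .htaccess are site-specific and always land here
        "extra": sorted(set(live) - set(clean)),
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "scripts_in_uploads": sorted(scripts),
    }

def demo() -> dict:
    """Build a constructed reference tree and a tampered site tree, then audit."""
    tmp = Path(tempfile.mkdtemp())
    layout = {"index.php": "<?php // core", "wp-admin/admin.php": "<?php // admin",
              "wp-includes/version.php": "<?php // version"}
    for tree in ("ref", "site"):
        for rel, body in layout.items():
            f = tmp / tree / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
    site = tmp / "site"
    (site / "wp-includes" / "version.php").write_text("<?php // changed")
    (site / "wp-admin" / "extra.php").write_text("<?php // not in the official zip")
    (site / "wp-config.php").write_text("<?php // site-specific, review by hand")
    (site / "wp-content" / "uploads" / "2024").mkdir(parents=True)
    (site / "wp-content" / "uploads" / "2024" / "image.PHP").write_text("<?php")
    (site / "wp-content" / "uploads" / "2024" / "photo.jpg").write_text("jpg")
    return audit(site, tmp / "ref")

if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Files listed under `extra` are not automatically malicious: `wp-config.php` and `.htaccess` belong to the site and should be read by hand rather than overwritten.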