How are users added to my team?

  • I just discovered that I have a bunch of users on my ‘team’. Many of them start with ‘test’ followed by a bunch of numbers. Others are random letters. None are addresses I recognize. I have not invited anyone to be on my team so I deleted all of them. I’d like to find out how they appeared in this list on my team as they all look like hacking attempts.

    WP.com: Unknown
    Jetpack: Yes
    Correct account: Yes

  • Hi there,

    Your site is not hosted on WordPress.com, but using the open source WordPress.org software at another host. You have it connected to your WordPress.com account using the Jetpack plugin.

    The open source version of WordPress you’re using has a setting to allow guest registrations (on WordPress.com this option is disabled by default, and only available on our Business and eCommerce plans), which essentially allows anyone to register an account on your site. This is what allows you to create an account on an online store, a forum, or any other site where you can have a user profile or member account to sign into the site without having access to the dashboard.

    There are bots that constantly check sites on the web to see if this setting is enabled, and if they find a site with this enabled, they create accounts on the site using random emails their creators bought on the dark web or harvested somewhere else. I’m not clear on exactly what their goal is with this – by default that setting only lets people register in the Subscriber role that doesn’t have any dashboard access, but I’m guessing if they register enough accounts on a site it can blow up the database or cause timeouts, or something like that.

    Removing those users was definitely the right thing to do. Also make sure you disable this setting if it’s not required on your site. You’ll find this under Settings -> General in the WP-Admin dashboard.

    That should take care of the problem – I see you have Jetpack’s security features enabled, and you’ll have some security features via your hosting at Bluehost as well, so your site should be reasonably safe against the typical hacker. However, you can always look at the tips below for further improving the security of your site if you want, and you can also ask the WordPress.org community who makes the WordPress software for more advice on this:

    https://wordpress.org/support/article/hardening-wordpress/

    https://wordpress.org/support/forums/
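
For reviewing a user list like the one described in this thread before deleting accounts, the following is an added example and not part of the original posts. It assumes a CSV export with the columns `user_login`, `user_email`, `roles` and `user_registered` (the shape produced by WP-CLI's `wp user list --format=csv`); the sample rows are constructed and the two name heuristics are assumptions to tune for your own site.

```python
import csv
import io
import re

# Constructed sample in the shape of:
#   wp user list --fields=user_login,user_email,roles,user_registered --format=csv
SAMPLE_EXPORT = """user_login,user_email,roles,user_registered
siteowner,owner@example.com,administrator,2019-03-02 10:15:00
test48213377,a1@example.net,subscriber,2021-06-01 03:12:09
test90017254,a2@example.net,subscriber,2021-06-01 03:12:41
xkqzrvbtw,a3@example.org,subscriber,2021-06-01 03:13:02
maria.lopez,maria@example.com,subscriber,2020-11-20 18:40:00
"""

# Heuristics (assumptions): "test" followed by digits, or a long consonant run.
TEST_DIGITS = re.compile(r"^test\d{3,}$", re.IGNORECASE)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.IGNORECASE)


def suspicious_reason(login):
    """Return why a login looks bot-generated, or None if it does not."""
    if TEST_DIGITS.match(login):
        return "test+digits"
    if CONSONANT_RUN.search(login):
        return "random-looking letters"
    return None


def triage(export_text):
    """List (login, registered, reason) for Subscriber-only accounts that match."""
    flagged = []
    for row in csv.DictReader(io.StringIO(export_text)):
        roles = {r.strip() for r in row["roles"].split(",")}
        if roles != {"subscriber"}:
            continue  # accounts with dashboard roles need manual review instead
        reason = suspicious_reason(row["user_login"])
        if reason:
            flagged.append((row["user_login"], row["user_registered"], reason))
    return flagged


if __name__ == "__main__":
    for login, registered, reason in triage(SAMPLE_EXPORT):
        print(f"{registered}  {login:<14} {reason}")
```

Registration timestamps clustered within seconds of each other, as in the constructed rows, are a further sign that the accounts came from automated sign-ups.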
