Illicit admin user appeared

  • Hi!

    I use BrandExponents theme Oshine. In a recent support errand, I sent them an invitation to become a user, and then upgraded to admin, to get the proper support. Then a new user appeared:

    ‘New user registration on your site Genusfotografen.

    Username: wpadminas

    Email: sara1024 (a) tutanota.com’

    This is NOT someone BrandExponents are associated with, they told me. I deleted the user, reset my password for the site and pressed the button for logging out elsewhere. Anything more I need to do to prevent this illicit user from accessing my blog further? Any idea how this happened? It must be someone who has access to BrandExponents support-mail without them knowing it, right? Or are there other ways the new user-login I created could have leaked? Any other steps I need to take?

    Best regards, Tomas

  • Hi Tomas,

    As what user role did the new user get created? If it was as a Subscriber, it’s a guest-registration. You can disable guest registrations under Settings -> General in the dashboard, but keep in mind that some plugins, like ecommerce and membership plugins, rely on guest registrations to work.

    Someone who registers as a guest on your site doesn’t actually have any access to the dashboard, so it’s not necessarily a security issue. But if you don’t use that feature on your site, it’s a good idea to disable it anyway.

    Otherwise…

    The only way someone could become an admin on your site is if they were added by another admin. That, or your site/hosting account has been compromised, allowing malware to inject a new user account directly into the site database.

    Besides updating your own admin user password, I’d also force an update of the user account you created for BrandExponents, if that user account is still active. To be on the safe side, I’d also recommend updating your password for your hosting account. It might also be a good idea to review all themes and plugins installed on your site, make sure everything is updated to the newest version, and remove anything you don’t use any more or that you don’t recognise.

    For more advice, please ask the WordPress.org community in their forums at https://wordpress.org/support/forums/. They make the version of WordPress you’re using, and have more experience in this type of issue – on WordPress.com, where you’re posting now, user management on a site works differently, so what’s true on WordPress.com isn’t necessarily true for your site.

    It must be someone who has access to BrandExponents support-mail without them knowing it, right? Or are there other ways the new user-login I created could have leaked?

    If you shared the credentials via email this is very possible. But that’s why most services, when they need credentials for a site, would ask you to use something like onetimesecret.com or similar to share it, as that prevents the credentials falling into the wrong hands.

    If you ever need to share credentials for your site again, I recommend you use a service like that, whether or not the support team you’re working with asked you to do that. It just adds that extra layer of security :)
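
An added example, not part of the original thread: one way to check for administrator accounts you did not create, including ones written straight into the database, is to list every administrator from the user tables and compare the logins with those you expect. It assumes the default `wp_` table prefix and runs on constructed sample rows in an in-memory SQLite database (the allow-list logins, e-mail addresses and dates are made up); the same SELECT can be run against the site's MySQL database.

```python
import sqlite3

# Assumption: default "wp_" table prefix, so the role meta_key is "wp_capabilities".
AUDIT_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""

def unexpected_admins(conn, expected_logins):
    """Return administrator rows whose login is not on the owner's allow list."""
    rows = conn.execute(AUDIT_SQL).fetchall()
    return [r for r in rows if r[1] not in expected_logins]

def build_sample_db():
    """Constructed sample data shaped like WordPress's wp_users / wp_usermeta."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    admin = 'a:1:{s:13:"administrator";b:1;}'    # PHP-serialized role array
    subscriber = 'a:1:{s:10:"subscriber";b:1;}'
    users = [  # constructed rows; only the login "wpadminas" comes from the thread
        (1, "tomas", "owner@example.invalid", "2015-03-01 10:00:00", admin),
        (2, "theme-support", "support@example.invalid", "2024-05-02 09:12:00", admin),
        (3, "wpadminas", "unknown@example.invalid", "2024-05-02 09:47:00", admin),
        (4, "reader", "reader@example.invalid", "2023-11-20 18:30:00", subscriber),
    ]
    for uid, login, email, registered, caps in users:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)",
                     (uid, login, email, registered))
        conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                     "VALUES (?, 'wp_capabilities', ?)", (uid, caps))
    return conn

if __name__ == "__main__":
    for row in unexpected_admins(build_sample_db(), {"tomas", "theme-support"}):
        print("unexpected administrator:", row)
```
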

  • Hi Kokkieh!

    Thank you so much for your reply! It was an Admin that was created; after I created a user for BrandExponents and changed role to admin for that login. I’ve gotten help from my webhosting supplier, and they found 672 infected files in my homepage. So their Abuse department did a scan and clean up and gave me further instructions for how to tighten security in the future. I quickly deleted the user and changed passwords. I’ll follow your advice to look through all plugins and themes, also. Thanks for clarifying which version of WordPress I use, also – I’ll turn to WordPress.org next time.

    And brilliant tip about onetimesecret.com – will definitely use that when needed!

    Many thanks again,

    Tomas

  • The topic ‘Illicit admin user appeared’ is closed to new replies.