“Admin” Created Outside of WordPress

Hello @demo38ltd and thanks for reaching out to us!

I sometimes see this on some hosts when they are checking into your site for information. If you are using the Immediately block the IP of users who try to sign in as these usernames feature with admin, this will only work if the username admin does NOT exist on the site user base.

Reach out to your host to see if they would be creating these admin accounts to check content on your site.

Let me know what you find!

Thanks!

Hello, thanks for the quick reply – I checked with the web host, and they said they don’t access the database unless requested through support ticket.

Still, the only ‘admin’ named account I see in the database is the dummy account (subscriber level) that I set up inside WordPress.

Any thoughts? I don’t want to ignore it if there’s an issue – I’m just not seeing anything of a cause, so want to make sure it’s a false positive.

The “admin created outside of WordPress” warning happens when Wordfence doesn’t have a record of the admin having been created. So this will happen either if the admin was created directly via the database as opposed to inside of the WordPress administrative interface or it can happen if Wordfence is deactivated while the admin is created.

If you want to avoid it you’d have to create the WordPress user inside of WordPress and while Wordfence is activated. If you know that you’ve created the admin it’s perfectly safe to ignore the warning though.

Did you happen to create the dummy admin account during a time when Wordfence was not installed or disabled?

Thanks again!

Thanks for the follow up – that’s the odd thing, no users were created outside of WordPress, and WordFence only started showing this notice a few days ago. WordFence has been active since launch last year.

The dummy ‘admin’ account is just a subscriber level account (was never actually an admin).

With each WordFence scan now, it keeps showing that alert though.

Not sure what to assume?

Just to be safe, I would ask your host if they see any admin accounts, outside of yours that can access FTP on your site. If not, then this could just be a false positive and you could “Ignore” that scan result.

Let me know what you find!

Thanks!

There are only 2 FTP accounts on the hosting, and they are both ours.

Is there any way to confirm exactly what WordFence is seeing to determine why?

I think it’s just seeing an account that was created, most likely before Wordfence was installed. So when it compares it to the data tables, it’s thinking that this was created recently.

It’s safe to click “Ignore” for that scan result as you know for sure that no new FTP accounts were created. It’s just a false positive. Better to be safe in this case.

Thanks again!