• Hello.

    I logged in to my WordPress installation and saw two blank user entries in Users. Just the grey row with checkbox to left but no entry in Name, Email, Role or Posts fields. I deleted them.

    An hour later, I log in and there is a new blank entry. I deleted it. Changed my WordPress password (I’m the only admin user). Also changed login URL again with iThemes Security.

    iThemes Security reported a bunch of 404s so I blacklisted the IP. Looked like some bot scanning for plugins that don’t exist.

    Does anyone have any ideas what could be happening? Worries me.

    Thanks.

Viewing 13 replies - 1 through 13 (of 13 total)
  • Were they admins? If so that’s definitely suspect.

    Often users that appear in this way are there for malicious intent.

    Good thing you changed your wp-admin password, but I would recommend that you change your database passwords as well since new admin users can easily be created manually through that.

    Make sure your wp-admin password is long & strong.

    Check your site for malware here:
    https://sitecheck.sucuri.net/

    It doesn’t find everything but it’s a really useful tool.

    Update your plugins. Update your theme. Update WordPress. Update all the things!!!

    Thread Starter Alusza

    (@alusza)

    Hi. Thanks very much.

    Can’t tell if they were admins because “Role” was blank as were all other fields. It was, in essence, an empty user. No user name, email, role, posts. Just a row with no values in it.

    Sucuri says it’s clean. Thanks for that!

    WP, themes, and plugins up to date. I’ll change the db password right now.

    My pleasure

    Hmm, well that’s definitely weird, but by the sounds of it you’re probably ok and caught this before anything nasty was done to your site.

    If you notice any other weird behaviour update this thread or ping me and I can take a look.

    Cheers

    Thread Starter Alusza

    (@alusza)

    Thanks. I appreciate the offer. Happened again in a different installation. 1 blank user (user: blank, email: blank, role: “none”, posts: blank). I deleted the user. Changed wp pwd, changed db pwd. Commonalities are: me logging in as admin, ithemes security, updraft plus plugin, wordpress 4. Blog comments were allowed in both though moderation was tight. I turned off “allow comments”.

    Scanned my system with malwarebytes and windows defender. Clean. Not sure what to do. Hoping it is some anomaly. Contacted UpdraftPlus dev’r because that plugin was recently installed on both installations. Dev’r says it’s not his plugin (I do believe that). Not sure about iThemes Security. See no chatter about this as an issue with the plugin.

    Using sftp for both sites. Not using secure wp login over https though.

    Weirdness.

    Thread Starter Alusza

    (@alusza)

    Oh no! I just logged into a 3rd site and it has 3 blank users. Something is happening for sure. Heeeeelp! I may have to pay for securing these installations.

    Thread Starter Alusza

    (@alusza)

    I guess I’ll just have to keep a close watch. Sites seem okay since turning off “allow comments”.

    Hey, sorry for the delay, I lost track of this post.

    Is your website on shared hosting? Are there other sites around it that have write access to the directory in which your site resides?

    Thread Starter Alusza

    (@alusza)

    No worries. One of the sites is on a dedicated server and the others are on shared. I don’t have any other sites around it with write access to root directory.

    Since disabling registration/commenting ability on the affected installations (6 or so days ago), there have been no “blank” new users. Everything seems okay at the moment. Registration/commenting was on in each installation. Prior to turning it off, I’d delete a blank user and a new one would show up an hour or two later.

    This must be some kind of bot creating the user. I don’t even receive notification that a new user has registered. I have iThemes Security set up pretty restrictively: no admin user, no default admin userID, database tables are unique not default, locking down the backend between midnight and 6:00 a.m. SQL injection is thwarted by iThemes. All themes/plugins and WP up to date.

    I have external backups so I’m trying not to worry about it. Thanks for checking back.

    Try setting up this plugin:

    https://www.ads-software.com/plugins/sucuri-scanner/

    Really good auditing features – might provide some more visibility here.

    I would think you are correct, it is likely a bot creating the new users.

    If your website doesn’t require new users to be created then I’d recommend just deactivating new user registration altogether.

    Thread Starter Alusza

    (@alusza)

    Thanks! I’ll see what the Sucuri scanner tells me.

    3 of the sites don’t need new user registration so all off there. The other will have users (just subscribers) that I create but no new user reg for the public.

    It’s a shame. In most every respect I love WordPress as a web CMS. In this respect, it can be frustrating (having to turn off commenting). Bunch of delinquents ruining it for others.

    Thanks again.

    Moderator t-p

    (@t-p)

    Thread Starter Alusza

    (@alusza)

    Thanks Tara. I have gone through the WP hardening info. Seems I’m covered quite well. Shared hosting could be a problem though.

    Moderator t-p

    (@t-p)

    There are also some good suggestions in this codex: https://codex.www.ads-software.com/Brute_Force_Attacks
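
An added example for readers who land on this thread, not code from any poster here: a read-only audit that lists the kind of rows described above (empty login or email, or no role) together with their registration time, so new entries can be matched against the 404 and registration activity in the server logs. It assumes the standard `users` / `usermeta` column names and a custom table prefix as the thread starter uses; the SQLite database, the `x9_` prefix and the sample rows are constructed stand-ins for the site's MySQL database.

```python
import re
import sqlite3

def audit_users(conn, prefix="wp_"):
    """Return {'blank': [...], 'no_role': [...]} as lists of (ID, user_registered)."""
    # Table names cannot be bound as parameters, so validate the prefix first.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    users, meta = f"{prefix}users", f"{prefix}usermeta"
    # Rows that render as an empty line in the Users screen.
    blank = conn.execute(
        f"SELECT ID, user_registered FROM {users} "
        "WHERE TRIM(COALESCE(user_login, '')) = '' "
        "OR TRIM(COALESCE(user_email, '')) = '' ORDER BY ID"
    ).fetchall()
    # Accounts with no capabilities row, or an empty serialized array (role "none").
    # '?' is the SQLite placeholder; MySQL drivers typically use '%s'.
    no_role = conn.execute(
        f"SELECT u.ID, u.user_registered FROM {users} u "
        f"LEFT JOIN {meta} m ON m.user_id = u.ID AND m.meta_key = ? "
        "WHERE m.meta_value IS NULL OR m.meta_value IN ('', 'a:0:{}') ORDER BY u.ID",
        (f"{prefix}capabilities",),
    ).fetchall()
    return {"blank": blank, "no_role": no_role}

def build_sample(prefix="x9_"):
    """Constructed sample data: reduced tables, hypothetical prefix and users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, "
                 "user_login TEXT, user_email TEXT, user_registered TEXT)")
    conn.execute(f"CREATE TABLE {prefix}usermeta (umeta_id INTEGER PRIMARY KEY, "
                 "user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?,?,?,?)", [
        (1, "siteowner", "owner@example.test", "2014-09-01 10:00:00"),
        (7, "", "", "2014-10-02 03:12:44"),          # the blank row
        (8, "reader", "reader@example.test", "2014-10-02 04:15:02"),
    ])
    conn.executemany(
        f"INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)", [
        (1, f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (8, f"{prefix}capabilities", "a:0:{}"),      # registered, but no role
    ])
    return conn

if __name__ == "__main__":
    for kind, rows in audit_users(build_sample(), prefix="x9_").items():
        print(kind, rows)
```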

  • The topic ‘blank wordpress user entry – hack attempt?’ is closed to new replies.