• Resolved eftcolumbus

    (@eftcolumbus)


    Hi, I got a high alert yesterday that An admin user with the username *** was created outside of WordPress. This did happen and it was legit creation by my web admin through wpo panel, but it happened 3 months ago. Admin user created Sept 23, last login Oct 4, Wordfence warning Dec 17. Why is it warning me so late? If it were a malicious admin user, then not finding out for 3 months would be bad.

    Here is screenshot:

    [screenshot: 12.18.2020-10.26.27]

    Could other activity other than admin user creation trigger this warning?

    PS. I tried to search on this multiple times in this forum but all searches just said “loading” and never produced results, so I apologize if this was already covered.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @eftcolumbus,

    This is quite a strange one due to the timescale difference. However, if it is related to a legitimate user and you don’t see any other strange/unknown admin users in your list then I don’t think we have reason to be concerned. If you are unable to ignore or mark as fixed, you can deactivate Wordfence momentarily and re-activate it again. The reactivation will learn the current set of admins and should stop flagging it.

    Important note before deactivating Wordfence:

    Ensure that “Delete Login Security tables and data on deactivation” in Wordfence > Login Security > Settings and “Delete Wordfence tables and data on deactivation” in Wordfence > Tools > Import/Export Options are NOT selected.

    Let me know how you get on!

    Thanks,

    Peter.

    Thread Starter eftcolumbus

    (@eftcolumbus)

    I can mark this one as fixed, my concern is that it was 3 months late. If it had been malicious it would have been a big problem, so I do think there is reason to be concerned.

    It’s like your burglar alarm not working when a good friend enters your house when you aren’t home; that in itself isn’t a problem, but it shows there is a bigger problem that needs to be addressed, as it also won’t protect you when a bad guy shows up.

    How can this be debugged?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @eftcolumbus, I’ve had a word with the development team to further investigate this for you.

    If you have restored a partial site backup for some reason, and it included Wordfence’s tables, that could be a trigger for the alert you’ve seen.

    Modifying the admin’s details manually (such as email address) shouldn’t normally cause this, because it’s based on the ID of the admin. However, if you have custom roles or a plugin that modifies roles such as a membership/store plugin, or if it’s a multisite where the user has different roles on different sites, that could be a cause.

    One other possibility might be if the Wordfence scan wasn’t working for a while, and started working again, like if the host was blocking something or a resource limit caused it to fail. If you’ve seen other scan results in the meantime, that wouldn’t be the case.

    Thanks again,

    Peter.

  • The topic ‘3 mos late: An admin user with the username *** created outside of WordPress’ is closed to new replies.
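
A minimal model of the ID-based "learned set of admins" comparison described in the replies above, added here as an example; it is not Wordfence's code and not part of the original thread. The sample rows, function names and the 2-day lag threshold are assumptions, and it only considers the `administrator` role (custom roles are out of scope).

```python
import re
from datetime import date

# Constructed sample rows: (ID, user_login, user_registered, wp_capabilities value).
# The last column uses the PHP-serialized role array WordPress keeps in wp_usermeta.
USERS = [
    (1, "owner", date(2019, 1, 5), 'a:1:{s:13:"administrator";b:1;}'),
    (7, "editor1", date(2020, 3, 2), 'a:1:{s:6:"editor";b:1;}'),
    (12, "webadmin", date(2020, 9, 23), 'a:1:{s:13:"administrator";b:1;}'),
    (15, "shopmgr", date(2020, 11, 1),
     'a:2:{s:12:"shop_manager";b:1;s:13:"administrator";b:1;}'),
]

ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')
MAX_LAG_DAYS = 2  # assumed threshold: an older account means the baseline was stale


def roles(meta_value):
    """Role names set to true in a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(meta_value))


def current_admins(users):
    """Map admin user ID -> (login, registration date)."""
    return {uid: (login, reg) for uid, login, reg, meta in users
            if "administrator" in roles(meta)}


def scan(users, baseline_ids, today):
    """Report admins whose ID is missing from the baseline, then relearn it."""
    admins = current_admins(users)
    findings = []
    for uid, (login, reg) in sorted(admins.items()):
        if uid not in baseline_ids:
            age = (today - reg).days
            findings.append({"id": uid, "login": login, "registered": reg,
                             "age_days": age, "late": age > MAX_LAG_DAYS})
    return findings, set(admins)


if __name__ == "__main__":
    # A baseline holding only ID 1, e.g. restored from an old backup or left
    # stale by failed scans, flags accounts that are already months old.
    found, baseline = scan(USERS, {1}, date(2020, 12, 17))
    for f in found:
        print(f)
    print("next scan:", scan(USERS, baseline, date(2020, 12, 18))[0])
```

A finding with a large `age_days` points at the baseline or the scan schedule rather than at a fresh account, which is the distinction the thread starter was asking about.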