• Resolved Stephen

    (@ssgconline)


    Hi,

    I received this email from WordFence this morning….
    (Name of website & Admin have been changed for privacy reasons)

    ‘On 9/12/21, 9:36 am, “WordPress” <[email protected]> wrote:
    This email was sent from your website “ZYX Fishing” by the Wordfence plugin at Thursday 9th of December 2021 at 09:36:59 AM
    The Wordfence administrative URL for this site is: https://zyxfishing.com/wp-admin/admin.php?page=Wordfence
    A user with username “ABCDEFGadmin” who has administrator access signed in to your WordPress site.
    User IP: 54.191.137.17
    User hostname: ec2-54-191-137-17.us-west-2.compute.amazonaws.com
    User location: Boardman, Oregon, United States’

    Now I have a static IP address & live in Australia. Usually the WordFence Alerts for when I log in correctly show my IP address & city correctly.

    HOSTING SUPPORT Reviewed the logs & told me:
    I have reviewed the reported issue and noticed the following in the log of the application:

    [09-Dec-2021 11:20:56 Asia/Singapore] PHP Fatal error: Unknown: Failed opening required ‘/home/…../wordfence-waf.php’ (include_path=’.:/opt/alt/php73/usr/share/pear’) in Unknown on line 0

    It appears that the .user.ini and .htaccess files contained an incorrect path to the mentioned website, thus the “Wordfence” plugin was not working as intended.

    I have now reset the wp-admin password, but I am wondering if anyone else has had this problem?

    Thanks,
    Stephen

    • This topic was modified 2 years, 11 months ago by Stephen.
Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @ssgconline

    As you have had an unauthorized login from a location outside of your country, we recommend that you follow our site cleaning guide below. The login is additionally suspicious because it is from an IP address belonging to a hosting provider and not an internet service provider:

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    The PHP error is because the file path to the wordfence-waf.php file, as set via the auto_prepend_file PHP directive that optimizes the firewall, does not match the actual file path to the wordfence-waf.php file on the server.

    Have you optimized the firewall again successfully? It may have been modified maliciously.

    Thread Starter Stephen

    (@ssgconline)

    Thanks Phil,

    My Hosting Provider got me up & running again plus ran a Malware scan which showed I was not infected.

    Wordfence Firewall currently says “Learning Mode Until December 12, 2021”.

    Should I interrupt that somehow & reconfigure the Firewall & let it keep learning?

    Regards,
    Stephen

    Plugin Support wfphil

    (@wfphil)

    Hi @ssgconline,

    Thank you for the update.

    Did you find out the legitimate reason for the login?

    Full instructions for Learning Mode are here:

    https://www.wordfence.com/help/firewall/learning-mode/

    Thread Starter Stephen

    (@ssgconline)

    Good morning,

    Wordfence is now in the Enabled and Protecting mode.

    I do not know of any legitimate reason for the login from the USA. It was only from the Wordfence Admin Login email alerts that I saw the successful login from the USA plus the fact it was not my static IP address.

    Thanks for your assistance.

    Regards,
    Stephen

    Plugin Support wfphil

    (@wfphil)

    Hi @ssgconline

    Thank you for the update.

    Despite your hosting provider finding no evidence of malware, that does not mean that your site has not been compromised. As you have had an unauthorized login from a location outside of your country, we recommend that you follow our site cleaning guide below. The login is additionally suspicious because it is from an IP address belonging to a hosting provider and not an internet service provider:

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Hi,
    Do you use Namehero? Are you a reseller or an individual?
    I have just had the exact same thing happen.

    Thread Starter Stephen

    (@ssgconline)

    Hi,

    I don’t use Namehero & I don’t resell Hosting. I have a number of websites on my hosting owned by myself or clients.

  • The topic ‘Admin successfully logged in but was not Me’ is closed to new replies.