New unauthorized admin accounts created in backend daily

  • Looks like one of my client’s site that I built calgaryrenovationcontractors.com is being hacked.
    It’s been now about a week since it gets one-two administrators added in the backend daily. And it looks like the hacker(s) somehow does the password reset by doing the forget password feature.
    The site is very well secured and clean and my host keeps checking it and confirms there are no malicious codes or flies on the server. The main admin password is not being changed though even that they do the password reset for them to break in.
    My host is very clean and secured and the support said there is no other protection from it besides setting up a two-way authentication.
    But it’s got to be an exploit or some file injected or some WordPress vulnerability that hackers use to create new admin accounts.
    Can you please help?

    Thank you!

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Your site has been hacked.

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter egoruk

    (@egoruk)

    Yes, I know about this guide and once again, my site is very clean and well protected.

    My question was about a possible new exploit or a URL hack that allows hackers to request a password reset and create a new admin in the dashboard.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    We do not discuss vulnerabilities here. You might want to follow the blogs on WordFence’s site or Sucuri’s site.

    If the bad stuff is still happening on the site, your site is *not* clean.

    Thread Starter egoruk

    (@egoruk)

    I don’t use Wordfence. I asking about possible WordPress vulnerability that allows hackers to exploit the Forget password feature in order to do the password reset (only for them) and then create new admins.

    Also, my host ran maldet scan and the site is clean!

    Thank you!

    • This reply was modified 5 years, 5 months ago by egoruk.

    Hi @egoruk

    Just to share some humble experience.

    Some days ago I’ve experienced something similar on my site.
    I used disable_password_reset snippet from this advice https://www.isitwp.com/disable-the-allow_password_reset-feature/ to disable password reset feature (I didn’t use second ‘cosmetic’ snippet to hide text).
    Additionally I used WPS Hide Login plugin https://www.ads-software.com/plugins/wps-hide-login/ to change login page URL into something random.
    Since that the ubnormal login activity seems to be stopped.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘New unauthorized admin accounts created in backend daily’ is closed to new replies.