New users injected into site when registration disabled

  • Resolved cenay

    (@cenay)


    2 years, 4 months ago

    Hello and thanks in advance for any help.

    A little background before we begin. I’ve reached out to Stripe support (because injected new “users” in WordPress site were becoming new “customers” in my Stripe dashboard) and they determined the entries to Stripe were coming from WooCommerce Stripe Gateway plugin.

    Reached out to WooCommerce and they had me “harden” my site a little further and roll all my keys again (I think I am on fourth time here). Changed all passwords again. Still coming in. Only now the new “users” in WordPress are not ALSO winding up in my Stripe “Customers” list. Progress.

    After changing passwords, authentication levels and keys on EVERY entry point on my system, and forcing all users to logout (changed my wp-config salts) and changing the admin account (there is only one) password a 5th time, I am baffled at how a new user can come into my WordPress site. Again.

    I’ve made videos for each of the various places I requested support which I am happy to provide, or here’s the latest one (for WooCommerce after the 2nd round of hardening with blurs on sensitive information): https://www.screencast.com/t/44DZ1Vtj4ic

    Thanks in advance for any help.

    WordPress version 6.0.1
    WooCommerce: 6.7.0
    WooCommerce Stripe Gateway: 6.4.3
    New user registration disabled.

    Cenay’

    PS: I use app specific passwords, 2FA in every available location and have hardened my site pretty thoroughly over the course of the last 4 or 5 years. This new one is currently beyond me so all help, suggestions or comments are welcome.

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wpnomad a11n

    (@wpnomad)

    Hi there,

    This is really odd. Can you please check how many Admin users you have on your site? You can check that from WP-Admin > Users > All Users. Do you see any admin user there that you do not recognize?

    Also, can you please check if there are active Rest API keys at WP-Admin > WooCommerce > Settings > Advanced > Rest API?

    Do let us know so we can guide you further.

    Thread Starter cenay

    (@cenay)

    Thanks for the reply.

    Made a video with the answers here: https://www.screencast.com/t/g348LoZC8zDx

    RECAP for the forum: Two admin users, both are me. One is used when I need tech help so I can supply credentials and then change them out, the other is me. Password on that account was changed out four times now, last one yesterday. No Rest API keys, Legacy Rest is not enabled.

    65 new users added since I submitted the ticket yesterday.

    Thanks in advance for any help!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘New users injected into site when registration disabled’ is closed to new replies.

Tags