• Resolved luisdesousa

    (@luisdesousa)


    Hi!… Yesterday on my site someone logged in with an administrator profile. I don’t know how he managed to create that user account. The attacker used the email [email protected]. I ask: who can have email accounts with a www.ads-software.com domain? I suspect there is a backdoor or exploit in the Hello Dolly plugin that I had disabled but not deleted.

    Any suggestions to avoid a new attack?

    Kind regards

Viewing 1 replies (of 1 total)
  • Plugin Support wfmark

    (@wfmark)

    Hi @luisdesousa, Thank you for reaching out to us.

    The username appears to be suspicious. I suspect a breach may have already taken place prior to the login attempt using an exploitable way in – such as a vulnerable plugin, compromised admin password, etc.
    I would recommend that you follow our site cleaning steps below:

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Make sure to get all your plugins and themes updated and update the WordPress core, too. As a rule, any time I think someone’s site has been compromised, I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this because attack vectors around your hosting or database environments are outside of Wordfence’s influence as an endpoint firewall.

    We recommend using long, unique passwords along with 2FA for your administrative accounts. This might assist if the attackers are using an existing compromised admin account to create this user and elevate the privileges.
    You might also find the WordPress Malware Removal section in our Learning Center helpful: https://wordfence.com/learn/

    If you’re unable to clean this up on your own, there are paid services that will do it for you. Wordfence offers one, and there are others. Per the forum rules, we’re not allowed to discuss Premium here, but please reach out to us at [email protected] if you have any questions about it.

    Regardless, if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks,

    Mark
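
One way to check for other unexpected administrator accounts during the cleanup described above, as an added example that is not part of the original thread and is not Wordfence code. It assumes rows exported from `wp_users` joined to `wp_usermeta` where `meta_key = 'wp_capabilities'` (default `wp_` table prefix); every login, email address, date and the allowlist below are constructed sample values.

```python
import re
from datetime import datetime

# Constructed sample rows: (ID, user_login, user_email, user_registered, meta_value)
ROWS = [
    (1, "siteowner", "owner@example.org", "2019-03-02 10:15:00",
     'a:1:{s:13:"administrator";b:1;}'),
    (7, "editor_ana", "ana@example.org", "2021-06-11 08:00:00",
     'a:1:{s:6:"editor";b:1;}'),
    (42, "wp_support1", "someone@unknown.example", "2024-05-20 03:12:44",
     'a:1:{s:13:"administrator";b:1;}'),
    (43, "jsmith", "jsmith@example.org", "2018-01-01 00:00:00",
     'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
]
KNOWN_ADMINS = {"siteowner"}    # assumption: admins the site owner recognises
CUTOFF = datetime(2024, 5, 1)   # assumption: start of the suspected incident window

# Matches each  s:<len>:"<key>";b:<0|1>;  entry of the PHP-serialized array
CAP_RE = re.compile(r's:\d+:"([^"]+)";b:[01];')

def roles_in(meta_value):
    """Return the role keys stored in a serialized wp_capabilities value."""
    return set(CAP_RE.findall(meta_value))

def audit_admins(rows, known_admins, since):
    """List administrator accounts that are unrecognised or newly registered."""
    findings = []
    for user_id, login, email, registered, caps in rows:
        if "administrator" not in roles_in(caps):
            continue
        reasons = []
        # The allowlist is the primary check: user_registered can hold any
        # value if the row was written straight into the database.
        if login not in known_admins:
            reasons.append("not in allowlist")
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= since:
            reasons.append("registered after cutoff")
        if reasons:
            findings.append((user_id, login, email, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_admins(ROWS, KNOWN_ADMINS, CUTOFF):
        print(finding)
```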

  • The topic ‘Unauthorized access with administrator profile’ is closed to new replies.