Wordfence Deactivated

  • Resolved Martin

    (@orgy-of-life)


    5 years, 5 months ago

    Hi Guys
    I received this email (below) and Wordfence had been removed, nothing else had been changed. Any help greatly appreciated. I definitely had the correct plugin installed.

    This email was sent from your website “my website” by the Wordfence plugin at Friday 25th of October 2019 at 04:01:15 PM The Wordfence administrative URL for this site is: https://my website/wp-admin/admin.php?page=Wordfence
    A user with username “Matt” deactivated Wordfence on your WordPress site.
    User IP: 77.111.247.82
    User hostname: 77.111.247.82

    Best
    Martin

Viewing 8 replies - 1 through 8 (of 8 total)

  • Hey @orgy-of-life,

    Do you have an admin on the site with the username “Matt”? If you navigate to WordPress Dashboard > Users do you a user with the username “Matt”? The message is alerting you to the fact that a user with the username “Matt” deactivated Wordfence.

    Please let me know.

    Thanks,

    Gerroald

    Thread Starter Martin

    (@orgy-of-life)

    Hi Gerroald

    Thanks for your reply, yes there was, I have now removed him. I have absolutely no idea how he got on there, I don’t allow new subscribers or admin or anything else.

    Thanks for your help.

    Best

    Martin

    Hey @orgy-of-life,

    Thanks for the update, and happy to hear it.

    If you (or not other admin) added this user it is a little worrisome. If the user returns, or any other oddities I’d suggest reaching out to a professional hack repair service to have the site cleaned and the point of entry patched. You can also use the guide below to do this if you’re comfortable with it.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Please let us know if anything else comes up.

    Thanks,

    Gerroald

    Thread Starter Martin

    (@orgy-of-life)

    Hi Gerroald

    Thanks so much for your help.

    Best

    Martin

    So I came across this topic after the same issue happened to me, but it just happened to me on 4 of my client sites. Same username of “Matt” but slightly different IP from user who posted this (below). I got a Wordfence email saying they signed in as an admin (which they shouldn’t be) and then I got the email saying they deactivated Wordfence.

    This is definitely concerning and the one thing I can think of in common with all 4 sites is that they are on a shared server we use to host several sites.

    First thing I want to know is:

    1. Can I delete the user without expecting any problems?
    2. Can I re-install Wordfence without expecting any issues?

    Obviously I’m considering some kind of professional malware clean up but unfortunately it’s not on a popular hosting platform like GoDaddy or Bluehost which offers services for malware cleanup.

    Any other suggestions? Thanks!

    A user with username “Matt” who has administrator access signed in to your WordPress site.
    User IP: 77.111.247.183
    User hostname: 77.111.247.183
    User location:

    Thread Starter Martin

    (@orgy-of-life)

    Hi MarkMadeDesign

    I have removed the user and everything is fine, at least for now the user has not reappeared. I also ran the scan as suggested by Gerroald (see his link) which didn’t find any problems. So hopefully it’s resolved, still have no idea how it got there though.

    Best

    Martin

    Thanks @orgy-of-life !

    When you say “scan” do you mean Wordfence scan and if so, did you simply re-install it back on the site it was deactivated from, with no problems? I did remove this random Matt admin user from the 4 sites I was notified about, with no issues. Just want to get Wordfence back up on the sites so I can scan like normal.

    Thread Starter Martin

    (@orgy-of-life)

    Hi MarkMadeDesign

    Yes that is correct, I reinstalled Wordfence and ran the scan using the High Sensitivity option.Seemed fine.

    Best

    Martin

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Wordfence Deactivated’ is closed to new replies.