• Resolved Vijay Padiyar

    (@vijaypadiyar)


    Hello

    Recently I installed Wordfence on my website after I found out that it was hacked. After that, I got two emails from Wordfence showing successful logins from two unknown user IDs. And apparently, both those IDs had administrator privileges. I also checked and found that my site’s theme had been hacked again.

    Email from Wordfence below:

    A user with username “qaz” who has administrator access signed in to your WordPress site.
    User IP: 5.25.8.37
    User hostname: 5.25.8.37
    User location: Istanbul, Turkey

    I logged in to WordPress and confirmed that those two user IDs don’t exist on my site. I also checked directly in phpMyAdmin just to be sure there were no hidden login IDs, but I couldn’t see them.

    I want to know how I can find out and delete these unauthorized login accounts? Can anyone help please? One mistake from my side was that my website was running a slightly old version of WordPress. I have now upgraded to the latest version, but I am not sure if that alone can fix this problem.

    Please help!!

    Regards

    Vijay


Viewing 5 replies - 1 through 5 (of 5 total)
  • You have been compromised by criminals; simply deleting user accounts will probably do nothing. If you want to delete them, do it in the database. If you cannot find the user accounts in the DB, they do not exist. If they were hackers, perhaps they created the accounts, did their crime, then deleted the accounts to cover their tracks. To cure this, you need to perhaps wipe your site and start over using your backups, but from the start install WordPress with proper security, or perhaps pay for site cleaning from Wordfence. MTN

    • This reply was modified 6 years, 10 months ago by mountainguy2.
    Thread Starter Vijay Padiyar

    (@vijaypadiyar)

    Yes I finally managed to determine how the unknown user accounts were being created. The hacker had added a PHP script to my WordPress wp-admin directory which allowed them to view and add/remove WordPress accounts directly into MySQL. I removed that file and also changed all my passwords (MySQL database, WordPress and cPanel).

    Hi Vijay,
    It’s clear that your website was compromised with a certain backdoor, and the steps you mentioned in your latest reply are great; however, I would recommend following the instructions in the “How to Clean a Hacked WordPress Site using Wordfence” article to make sure you cleaned your website completely, knowing that certain infections might affect the whole server, not only your website, and those will require hiring a site cleaning professional along with help from your hosting provider as well.

    Thanks.

    Sorry to post here but I have a similar situation. I found the user in my admin panel as well as my database. “Ptouploader” with admin privileges and apparently under my own IP.

    I recently ran into this a couple months ago and came across this post. I changed all my passwords, increased security measures and reconfigured my server firewall to only accept my IP as whitelist. I later recreated the cPanel account and uploaded the previous content manually to make sure I don’t upload any corrupt files. Unfortunately 2 months later, a couple days ago, I noticed the same user has an account. What can I do to determine how they gained access and also why my networks didn’t find it sooner? Thank you for any help or direction!

    Hello Vijay Padiyar,

    What file did you remove from your WordPress wp-admin directory?

    Thanks

    ebakker
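
An added example, not part of any post in this thread: the thread starter found a PHP script that had been added to wp-admin, and one way to locate files like that is to compare the installed tree against a manifest of hashes taken from a clean copy of the same WordPress release. The function names, the manifest format and the sample file `db-tool.php` are assumptions made for this sketch, and the sample tree is constructed.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_tree(root, manifest):
    """Return (unexpected, modified, missing) paths versus manifest {path: sha256}."""
    seen, unexpected, modified = set(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                unexpected.append(rel)      # e.g. a script dropped into wp-admin
            elif sha256_of(full) != manifest[rel]:
                modified.append(rel)        # known file whose content changed
    return sorted(unexpected), sorted(modified), sorted(set(manifest) - seen)


def build_demo():
    """Constructed sample tree: three clean files, one added script, one edit."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    clean = {"wp-admin/index.php": b"<?php // core\n",
             "wp-admin/users.php": b"<?php // core users\n",
             "wp-login.php": b"<?php // core login\n"}
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in clean.items()}
    tampered = dict(clean)
    tampered["wp-admin/db-tool.php"] = b"<?php // placeholder for an added file\n"
    tampered["wp-login.php"] += b"// appended line\n"
    for rel, data in tampered.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root, manifest


if __name__ == "__main__":
    unexpected, modified, missing = audit_tree(*build_demo())
    print("unexpected:", unexpected, "modified:", modified, "missing:", missing)
```

On a real site, WP-CLI's `wp core verify-checksums` performs a comparable comparison of core files against the official checksums for the installed version.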

  • The topic ‘Wordfence shows logins from unknown user IDs’ is closed to new replies.