Three times in a month now, WordFence has alerted me that “an admin user with the username deleted-XXXXXXXX was created outside of WordPress” (the X’s being a combination of numbers and letters, but different each time) on a WordPress site I’m managing. Both times, the account creation was followed by a successful login on the account, according to the WordFence log, and two of the times a bunch of suspicious-looking files were found throughout the WordPress installation and content directories.
Further, an unsuccessful login attempt was also made on yet another deleted-XXXXXXXX username one time. No account was created with that username though.
Some of the suspicious files mentioned above looked completely random, and some of them looked like core WordPress files but with random names. The structure kind of looked like old files showing up on a cleaned hard drive, or an installation or update gone wrong halfway through. None of the admin accounts had any details attached to them, not even required details (i.e. email address and nickname).
I’ve cleaned the site, but to me this is too much of a pattern to be regarded as some random attacks, considering also that someone on the WordFence plugin forum reported a deleted-XXXXXXXX admin account being created on their site some time ago.
Does anyone have any idea of what this could be? Has anyone else experienced the same?
I saved the suspicious files locally before deleting them from the site, should they be of any help.
Any help or advice appreciated.