Unknown new users

i have a videogame blog, this afternoon (6 hours ago) i saw that a new user register himself as Admin and deactivate all my plugins. I immediately deleted that user and update everything i have to update, i thought i was safe but about 10 minutes ago i found another user created by a mail ending with “@wordpress.org” registered as Admin. I put a wordfence rule that every IP that tried to register a new account from the admin panel is blocked and the new account is actually blocked. There is any vulnerability on wordpress or was i hacked? I tried to read the log and saw no new IP and none of the admin account were hacked (two account, both with 2fa)

Do you have any advice?

  1. Make sure you have disabled new user registration, and don’t have any plugins or themes with security issues installed.

    There are no current security issues with WordPress itself, but your plugins and themes, maybe?

  2. I bet they dropped code somewhere else that’s letting them back in. Wordfence should find it though.


This site will teach you how to build a WordPress website for beginners. We will cover everything from installing WordPress to adding pages, posts, and images to your site. You will learn how to customize your site with themes and plugins, as well as how to market your site online.

Buy WordPress Transfer