An admin user with the username was created outside of WordPress

Discussion in 'Server Operation' started by onastvar, Oct 29, 2023.

  1. onastvar

    onastvar Member

    On many of websites on my server I am getting the following:

    Wordfence found the following new issues on "My Website".
    Alert generated at Saturday 28th of October 2023 at 07:52:11 PM
    See the details of these scan results on your site at: https://mywebsite.com/wp-admin/admin.php?page=WordfenceScan
    High Severity Problems:
    * An admin user with the username wpcore was created outside of WordPress.


    Any ideas on what steps to take to identify root cause of the issue?
     
    Last edited: Oct 29, 2023
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This is not an ISPConfig problem and a simple google will show you various explanations about it and ways to possibly fix it.
     
  3. onastvar

    onastvar Member

    Thanks for your time and your post.
    I was asking the community for any tips, not just "use google".

    Server is running ISPConfig, therefore I posted here.
    I'm not sure what the root cause of the issue is, could be anything.
    I already used google.
    What do you mean by "simple google" and what explanations are you referring to?
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  5. onastvar

    onastvar Member

    Thanks for that, I appreciate it.
    I already checked most of those links, no valuable information, or solutions to find the root cause.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry, there is not much that I can do further to help if you cannot comprehend any of them to find the root cause of your problem and solve it. Maybe someone else more helpful will come along and assist you.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I've moved the post to the general server admin forum.
     
  8. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    it means check all the server logs for any likely activity between the last clean wordfence scan and this alert..

    maybe an old/compromised plugin is able to run commands outside of the wordpress backend. maybe someone has managed to access your root login, or the ssh login for the site owner. wordpress accounts can be created directly in mysql, or using wp-cli.
    maybe your mysql instance is open to direct access from the internet.
    is xmlrpc enabled? and used? not only can hundreds of user/password combinations be tried in a single xmlrpc call, it can also be used to create wordpress user accounts.

    the only steps to take are to change all passwords for root/admin accounts (including services such as mysql), change all passwords related to the affected site owners' logins (all panels, all services, all sites). update everything that has an update available.. wp, plugins, themes, OS. run every scan you can get to search for viruses/malware/vulnerabilities on all sites, and the OS. and carefully check every log file for anything that might indicate how the account was created.. ie. wordpress logs, apache logs, mysql logs, php logs, auth.log, syslog etc.. check command history logs for all user accounts.. see if anything managed to escalate to root access, etc..

    it's going to be a long tedious process..
     
    onastvar likes this.
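A small triage helper for the log review described in the post above, added here as an example and not part of the thread. It narrows each log source to the window between the last clean Wordfence scan and the alert and flags the three creation paths the post names (xmlrpc.php requests, direct writes to wp_users, wp-cli user commands); the window timestamps, the wp_ table prefix, the enabled MySQL general log and all sample lines are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Inspection window: last clean Wordfence scan up to the alert (assumed values).
WINDOW_START = datetime(2023, 10, 27, 19, 52, 11)
WINDOW_END = datetime(2023, 10, 28, 19, 52, 11)

# Constructed sample lines, not taken from a real server.
APACHE_LOG = """\
203.0.113.5 - - [28/Oct/2023:13:59:58 +0000] "GET /index.php HTTP/1.1" 200 8123
203.0.113.5 - - [28/Oct/2023:14:03:21 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
198.51.100.7 - - [29/Oct/2023:02:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
"""
MYSQL_GENERAL_LOG = """\
2023-10-28T14:05:02.000000Z   42 Query SELECT option_value FROM wp_options WHERE option_name='siteurl'
2023-10-28T14:05:09.000000Z   42 Query INSERT INTO wp_users (user_login, user_pass) VALUES ('wpcore', '...')
"""
BASH_HISTORY = """\
ls -la /var/www/clients/client1/web1/web
wp user create wpcore wpcore@example.com --role=administrator
"""

# Timestamp layouts differ per log: Apache combined log vs. MySQL general log.
APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")
MYSQL_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def in_window(ts: datetime) -> bool:
    return WINDOW_START <= ts <= WINDOW_END


def hits_in_window(log: str, ts_re, ts_fmt: str, pattern: str) -> list:
    """Lines matching pattern whose timestamp falls inside the alert window."""
    out = []
    for line in log.splitlines():
        m = ts_re.search(line)
        if m and re.search(pattern, line, re.I) and in_window(datetime.strptime(m.group(1), ts_fmt)):
            out.append(line)
    return out


def triage() -> dict:
    """Collect indicators for each creation path mentioned in the post."""
    return {
        # xmlrpc.php can both brute-force credentials and create users
        "xmlrpc": hits_in_window(APACHE_LOG, APACHE_TS, "%d/%b/%Y:%H:%M:%S", r"xmlrpc\.php"),
        # a direct INSERT/UPDATE on wp_users bypasses WordPress entirely
        "wp_users_writes": hits_in_window(MYSQL_GENERAL_LOG, MYSQL_TS, "%Y-%m-%dT%H:%M:%S",
                                          r"\b(insert into|update)\s+wp_users\b"),
        # shell history has no timestamps unless HISTTIMEFORMAT was set, so no window filter
        "wp_cli": [l for l in BASH_HISTORY.splitlines() if re.search(r"\bwp\s+user\s+(create|update)\b", l)],
    }
```

Point the three constants at the real files (for every site in the window) and the output gives you the shortlist of lines to read before the full log sweep.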
  9. onastvar

    onastvar Member

  10. faille

    faille New Member

    Check each log file carefully for anything that might indicate how the account was created. Also the command history logs for all user accounts. Maybe this will help you find out the reason here.
     
    Last edited: Nov 7, 2023
    onastvar likes this.
  11. onastvar

    onastvar Member
