On many of websites on my server I am getting the following: Wordfence found the following new issues on "My Website". Alert generated at Saturday 28th of October 2023 at 07:52:11 PM See the details of these scan results on your site at: https://mywebsite.com/wp-admin/admin.php?page=WordfenceScan High Severity Problems: * An admin user with the username wpcore was created outside of WordPress. Any ideas on what steps to take to identify root cause of the issue?
This is not ISPConfig problem and a simple google will show you various explanation about it and the way on how to possibly fix it.
Thanks for your time and your post. I was asking community for any tips, not just "use google"? Server is running ISPConfig, therefore I posted here. I'm not sure what is the root cause of the issue, could be anything. I already used google. What do you mean by "simple google" and what explanations are you referring to?
https://www.google.com/search?q=An+admin+user+with+the+username+wpcore+was+created+outside+of+WordPress
Thanks for that, I appreciate it. I already checked most of those links, no valuable information, or solutions to find the root cause.
Sorry, there is not much that I can do further to help if you cannot comprehend any them to find the root cause of your problem and solve it. May be someone else more helpful will come along and assist you.
it means check all the server logs for any likely activity between the last clean wordfence scan and this alert.. maybe an old/compromised plugin is able to run commands outside of the wordpress backend. may someone has managed to access your root login, or the ssh login for the site owner. wordpress accounts can be created directly in mysql. or using wp-cli. maybe your mysql instance is open to direct access from the internet. is xmlprc enabled? and used? not only can hundreds of user/password combinations be tried in a single xmlrpc call, it can also be used to create wordpress user accounts. the only steps to take are to change all passwords for root/admin accounts (including services such as mysql), change all passwords related to the affected sites owners logins, (all panels, all services, all sites). update everything that has an update available.. wp, plugins, themes, OS. run every scan you can get to search for viruses/malware/vulnerabilites on all sites, and the OS. And carefully check every log file for anything that might indicate how the account was created.. ie. wordpress logs, apache logs, mysql logs, php logs, auth.log, syslog etc.. check command history logs for all user accounts.. see if anything managed to escalate to root access, etc.. it's going to be a long tedious process..
Check each log file carefully for anything that might indicate how the account was created. ALso the command history logs for all user accounts. Maybe this will help you find out the reason here
