[Defender] Defender locking out users for invalid 404 requests, potential hack responsible

Currently experiencing a high number of lockouts for regular URL requests. Also, the site appears to be compromised, as new admin accounts are appearing.

  • jeroen
    • New Recruit

    Hi Rory,

    The fact that new admin accounts are appearing is definitely unsettling. Probably the first thing (you've already done this), changing your admin passwords, is a good idea. Also, blocking out admin users that aren't yours is advised.

    The thing is, you would like to know where this compromise originated, so a security check on your WP page is a great start to figure out how this happened. Also, if you are using a local environment to communicate with your website (FTP/SFTP), the origin of this issue could be on your own computer, so a virus check for possible trojans and stuff could prevent this from happening.

    There are quite a lot of options for you to resolve this, and besides WPMU DEV help, I've found a helpful article in the WordPress Codex: https://codex.wordpress.org/FAQ_My_site_was_hacked

    I hope this will be of help, good luck!

  • Kasia Swiderska
    • Support nomad

    Hello Rory,

    I'm sorry to hear about those issues.

    Have you run the file scan on your site? I also checked your site in the Sucuri scanner, but it didn't show any signs of malware present on your site.
    But those admin accounts are not a good sign. As suggested by jeroen, this is a good starting guide: https://codex.wordpress.org/FAQ_My_site_was_hacked - it would also be good to contact your hosting provider about this.

    Kind regards,
