Around 30% of the WordPress sites we receive these days have rogue WordPress users, and the hacking technique of creating rogue users on WordPress is spreading.

* The contents of this page are based on the results of Sucuri’s survey:
https://blog.sucuri.net/2024/06/2023-hacked-website-malware-threat-report.html

User IDs of unauthorized users created in WordPress

1. wp_update-(random alphanumeric string)
2. wp-demouser-44
3. Test-(random alphanumeric string)
4. wp-import-user
5. administratoirr
6. administratoir
7. wwwadmin
8. wpadminns
9. Sendsdesr
10. AdminZaxHH34
11. rxrhack133

In our experience, another common fraudulent username is ismm.

User email addresses of fraudulent users created in WordPress

The email addresses used by the above malicious users are as follows:

1. wadminw@wordpress.com
2. 123@abc.com
3. email@email.em
4. support@wordpress.com
5. admin@gmail.com
6. wp-security@hotmail.com
7. wordpressuser@gmail.com
8. admin@admin.com
9. test@gmail.com
10. mail11@maill5.xyz

What to do if an unauthorized user is generated in WordPress

WordPress users can be found in the User List screen of the Administration page.

Generally, there are only a few administrator users at most, so check whether there are any users with email addresses that you do not remember creating or that are not in use.

If an unauthorized user exists on your WordPress site, it means that a hacker can log in to your site with that user and do anything he/she wants, including altering the site content, modifying program files, and installing malicious programs.
Please back up your database and remove such users or change their passwords so that hackers cannot log in.
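
The check described above can also be run outside the admin screen. The following is an added example, not part of the original page: it audits user records in the shape printed by WP-CLI's `wp user list --format=json` against the usernames and email addresses listed on this page, and also flags administrators that are not on your own allowlist. The sample records, the allowlist and the function name `audit_users` are constructed for illustration.

```python
import json
import re

# Login names from the lists on this page; "random alphanumeric" suffixes
# become regex tails, everything else is an exact (case-insensitive) name.
ROGUE_LOGINS = re.compile(
    r"wp_update-[a-z0-9]+|test-[a-z0-9]+|wp-demouser-44|wp-import-user|"
    r"administratoirr?|wwwadmin|wpadminns|sendsdesr|adminzaxhh34|"
    r"rxrhack133|ismm",
    re.IGNORECASE,
)
# Email addresses from the list on this page.
ROGUE_EMAILS = {
    "wadminw@wordpress.com", "123@abc.com", "email@email.em",
    "support@wordpress.com", "admin@gmail.com", "wp-security@hotmail.com",
    "wordpressuser@gmail.com", "admin@admin.com", "test@gmail.com",
    "mail11@maill5.xyz",
}

def audit_users(users, known_admins):
    """Return {login: [reasons]} for every account that needs manual review."""
    allow = {name.lower() for name in known_admins}
    findings = {}
    for user in users:
        login = user["user_login"]
        reasons = []
        if ROGUE_LOGINS.fullmatch(login):
            reasons.append("login matches a known rogue name")
        if user.get("user_email", "").strip().lower() in ROGUE_EMAILS:
            reasons.append("email matches a known rogue address")
        # Assumption: roles arrive as a comma-separated string, as WP-CLI prints them.
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        if "administrator" in roles and login.lower() not in allow:
            reasons.append("administrator not on the allowlist")
        if reasons:
            findings[login] = reasons
    return findings

# Constructed sample in the shape of `wp user list --format=json` output.
SAMPLE_USERS = json.loads("""[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org", "roles": "administrator"},
 {"ID": 7, "user_login": "wp_update-a1B2c3", "user_email": "wadminw@wordpress.com", "roles": "administrator"},
 {"ID": 8, "user_login": "editor_jane", "user_email": "jane@example.org", "roles": "editor"},
 {"ID": 9, "user_login": "helpdesk", "user_email": "Admin@Admin.com", "roles": "subscriber"},
 {"ID": 12, "user_login": "newadmin", "user_email": "x@example.net", "roles": "administrator"}
]""")

if __name__ == "__main__":
    for login, reasons in audit_users(SAMPLE_USERS, ["siteowner"]).items():
        print(f"{login}: {'; '.join(reasons)}")
```

A match on these lists is a reason to review the account, not proof of compromise, and an attacker can pick a name that is not listed, which is why the allowlist check on administrators matters most.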

How do I eliminate the cause of the creation of an unauthorized user?

The creation of an unauthorized user means that the hacker has access to your site’s database and can write data to it.

The most common way to do this is to use a vulnerability in a plugin or theme that directly rewrites the database. (Vulnerabilities that allow the database to be rewritten are rarely found, and most of them can only rewrite limited parts of the database.)

The most common scenario is that a vulnerability that allows file tampering or file installation is used to install malware files, and then an unauthorized user is written to the database.

It is therefore important to eliminate such malware, known as backdoors.
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

After removing the malware, it is also important to close the vulnerabilities that allowed hackers to install malicious files on your site in the first place.

Reference page
5 Free WordPress Security Measures