Hi,
Last week, I found that an unknown user (admin role) called supportuser had been created on my WordPress site. I contacted my hosting company (SiteGround), and they did a malware scan for me, but they did not find anything wrong.
After that, I deleted the unknown user and used Wordfence to scan my site again, and found that a PHP file of my plugin had been modified. (Please see screenshot.)
Wordfence reported that it is a backdoor. I removed that file from my site and sent a copy to SiteGround to check. (But they told me that all they can do is add the file to their malware definitions.)
Yesterday, the same issue happened! The same admin user account (with the same email and username) has been created on my site again. I am not sure whether it is related to the malicious file that I already deleted, or whether some other files have been infected.
I also checked the access logs for the period when the unknown user was created, but I can't find any other unknown IP; it looks like the unknown admin account was created by WordPress itself. (I am not sure.)
Some information about the unknown admin user:
username: supportuser
email: supportuser7209@mailinator.com (I think this email is a disposable email)
Please help me.