Can a user submit requests to wp-admin/admin.php without logging in?

No, this is a red herring that has nothing to do with the problem, likely from a misunderstanding of what WP user login sessions are tracking.

The TLDR: It’s probably because they logged out.

The problem is that the user that it was done under hasn’t been logged into in about a year according to the admin screen “last logged in” date. The same date shows in the Sucuri plugin’s login security area. I don’t see any login activity for this user at all.

Not necessarily. WP user login sessions aren’t tracking when they last logged in; they’re tracking when that specific login session that is still active last logged in. Newer sessions that have ended don’t appear here, as they’ve been cleaned up.

But keep in mind if they’ve compromised the site they don’t need a login. They could directly modify any of the data you’re looking at, or bypass WordPress entirely. If you’ve identified how they got in you need to close that as soon as possible. Analysis can happen afterwards.

Is it possible for a user to be submitting requests to wp-admin/admin.php without actually logging in?

Normally no. Unless new additional PHP code had been introduced to explicitly allow it, it would redirect to a login page. A quick read of admin.php reveals an auth_redirect call near the top.

However, by your own admission the site is already compromised, so all of that goes out the window, since the attacker could have modified files or executed their own code, and you’ve already identified malicious code in a code snippet plugin!

Or is it more likely that they are logging in as that user somehow and then deleting the login record?

WordPress does not keep login records!

WordPress Sessions Are Not What You Think They Are

WordPress keeps track of active login sessions. E.g. if you log in on a phone, then log in on a tablet, 2 sessions are tracked. This is so that you can force all devices to log out from the dashboard and invalidate those login sessions.

What they are not is a record of when people logged in, because of the simple fact that logging out destroys a session and removes it from the database.

If I log in then log out there is no trace of that session. This means I could log in today then log out, and as long as I never use this machine again I could log in as many times as I want on another device and you would never know, as long as I clicked logout.


In general though, whether WordPress normally does or doesn’t allow these requests is irrelevant: your site has compromised code that can change it to whatever the attackers want. Removing that malicious code is the number 1 priority.

Also if you could make direct requests to admin.php and bypass authentication/login then that’d be a massive security hole for almost half the internet, the kind of news that would make it into printed newspapers with high profile targets hacked.
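
Because logging out deletes the session record, a lasting login history has to be written somewhere else. The following is an added example, not part of the original answer or of WordPress core: a must-use plugin that appends login and logout events to a file, plus a helper that lists what the session store still holds. The file name, log path and `login_audit_*` names are assumptions, and a log kept on the same server can still be altered by someone who already runs code there.

```php
<?php
/**
 * Added example (hypothetical mu-plugin, e.g. wp-content/mu-plugins/login-audit.php).
 * Keeps an append-only record of logins and logouts, because the session list
 * WordPress stores only describes sessions that are still alive.
 */

// Assumption: a log location outside the web root that the PHP user can append to.
const LOGIN_AUDIT_FILE = '/var/log/wp-login-audit.log';

function login_audit_write( string $event, int $user_id, string $user_login ): void {
    $line = sprintf(
        "%s %s user_id=%d user_login=%s ip=%s\n",
        gmdate( 'c' ),
        $event,
        $user_id,
        $user_login,
        $_SERVER['REMOTE_ADDR'] ?? '-'
    );
    // Message type 3 appends $line to the named file.
    error_log( $line, 3, LOGIN_AUDIT_FILE );
}

// Fires after a successful login through wp_signon().
add_action( 'wp_login', function ( $user_login, $user ) {
    login_audit_write( 'login', (int) $user->ID, $user_login );
}, 10, 2 );

// Fires on logout, after the session token has already been destroyed.
add_action( 'wp_logout', function ( $user_id = 0 ) {
    $user = get_userdata( (int) $user_id );
    login_audit_write( 'logout', (int) $user_id, $user ? $user->user_login : '-' );
}, 10, 1 );

/**
 * What WordPress itself remembers: only sessions that have not been
 * logged out or expired. Each entry has 'login', 'expiration', 'ip', 'ua'.
 */
function login_audit_live_sessions( int $user_id ): array {
    $rows = array();
    foreach ( WP_Session_Tokens::get_instance( $user_id )->get_all() as $session ) {
        $rows[] = array(
            'logged_in_at' => gmdate( 'c', (int) $session['login'] ),
            'expires_at'   => gmdate( 'c', (int) $session['expiration'] ),
            'ip'           => $session['ip'] ?? '-',
            'ua'           => $session['ua'] ?? '-',
        );
    }
    return $rows;
}
```

Comparing the file against `login_audit_live_sessions()` for the same user shows the gap the answer describes: logins that ended in a logout appear in the file but not in the session list.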
