Can a user submit requests to wp-admin/admin.php without logging in?

No, this is a red herring that has nothing to do with the problem, likely from a misunderstanding of what WP user login sessions are tracking.

The TLDR: It’s probably because they logged out.

The problem is that the user that it was done under hasn’t been logged into in about a year according to the admin screen “last logged in” date. The same date shows in the Sucuri plugin’s login security area. I don’t see any login activity for this user at all.

Not necessarily, WP user login sessions aren’t tracking when they last logged in, they’re tracking when that specific login session that is still active last logged in. Newer sessions that have ended don’t appear here as they’ve been cleaned up

But keep in mind if they’ve compromised the site they don’t need a login. They could directly modify any of the data you’re looking at, or bypass WordPress entirely. If you’ve identified how they got in you need to close that as soon as possible. Analysis can happen afterwards.

Is it possible for a user to be submitting requests to wp-admin/admin.php without actually logging in?

Normally no, unless new additional PHP code had been introduced to explicitly allow it, it would redirect to a login page. A quick read of admin.php reveals an auth_redirect call near the top.

However by your own admission the site is already compromised so all of that goes out the window since the attacker could have modified files, or executed their own code, and you’ve already identified malicious code in a code snippet plugin!

Or is it more likely that they are logging in as that user somehow and then deleting the login record?

WordPress does not keep login records!

WordPress Sessions Are Not What You Think They Are

WordPress keeps track of active login sessions. E.g if you login on a phone, then login on a tablet, 2 sessions are tracked. This is so that you can force all devices to log out from the dashboard and invalidate those login sessions.

What they are not, is a record of when people logged in because of the simple fact that logging out destroys a session and removes it from the database.

If I login then logout there is no trace of that session. This means I could log in today then log out, and as long as I never use this machine again I could login as many times as I want on another device and you would never know, as long as I clicked logout.

In general though, wether WordPress normally does or doesn’t allow these requests is irrelevant, your site has compromised code that can change it to whatever the attackers want. Removing that malicious code is the number 1 priority.

Also if you could make direct requests to admin.php and bypass authentication/login then that’d be a massive security hole for almost half the internet, the kind of news that would make it into printed newspapers with high profile targets hacked.

Related Posts:

  1. Logout USER form backoffice after 30 minutes of inactivity [closed]
  2. Hide username discovery
  3. CSRF attack to create USER
  4. How to check if a user is in a specific role?
  5. Can I rename the wp-admin folder?
  6. How to restrict dashboard access to Admins only?
  7. Admin Page Redirect
  8. Check if user is admin by user ID
  9. What is the best method to close off the backend?
  10. Change Login URL Without Plugin
  11. Share same domain for wp-admin but for different website
  12. How to display the user that published a pending post?
  13. Custom user role that can only edit specific (non-custom-type) page and all child pages [duplicate]
  14. Securing wp-admin folder – Purpose? Importance?
  15. Can I rename the wp-admin folder?
  16. Add a button to users.php
  17. create users to site with specific language
  18. Options for restricting access to wp-admin
  19. Display sortable User meta column in admin panel user’s page
  20. How to change “wp-admin” to something else without search-replacing the core?
  21. How to display multiple custom columns in the wp-admin users.php?
  22. Hooking into register_admin_color_schemes
  23. Removing user fields [duplicate]
  24. Block access to wp-admin
  25. Change WP-Login or WP-Admin
  26. Should I add the IP of the server that hosts my sites to the list of authorized IPs in the wp-admin/.htaccess?
  27. wp-admin edit user url wont show up correct url [closed]
  28. password protected post policy
  29. Users Unable to Access Dashboard/Posts/Pages
  30. Stop loading “collaborators” users on add new post or page?
  31. FORCE_SSL_ADMIN not working
  32. Distinguish profile user and admin user IDs / get ID of user being edited
  33. Uncheck the box “Send User Notification” by default on new-user.php
  34. Detecting all admins that are logged in
  35. Limit access to wp_admin
  36. Subscribers become Authors after Upgrade? / Mass Update of Users?
  37. Stopping user deletion from running on error
  38. I want to disable login of admin (/wp-admin) with email and make it accessible only with username
  39. password reset link being sent as HTTP?
  40. Filter dropdown in users.php “delete user” bulk edit screen
  41. Add count for new registered user in Users tab
  42. Users disappeared from wp-admin
  43. How to Change The WordPress Login URL Without Plugin
  44. 404 redirect wp-login and wp-admin after changing login url [closed]
  45. Do I have to face security problems if I changing default role to Contributor
  46. WP admin user search doesn’t return all users
  47. How to get Role Subscribe Users on Admin Menu only in Pages in WordPress
  48. I accidentally deleted an admin user and all their content is now gone from the site. [closed]
  49. Restrict submitters from wp-admin [duplicate]
  50. Efficient way to check local WordPress php files and Database for malicious code? [duplicate]
  51. Renaming wp-admin without hard-coding it. Is it really possible?
  52. Need help for WordPress User Session Management?
  53. Nickname field isn’t appearing in Admin
  54. How to allow WordPress updates to only one specific administrator?
  55. Developer/Designer asking for admin access
  56. Is there a filter to edit html of user-edit.php
  57. Create new user from phpMyAdmin
  58. How do I make it so that the all users page is not a white screen?
  59. Is WordPress secure enough for a multi-user article directory?
  60. define two login page url
  61. Newly created user role not displaying on users screen
  62. How to check if a user is in a specific role?
  63. On Users (user.php) in wp-admin disable/hide “Bulk Actions” and “Change Role To”
  64. Login issue with subdomain installs
  65. Hook into form handle from admin users table
  66. restrict admin panel sections to users
  67. Can I rename the wp-admin folder?
  68. How to keep the plugin submenu open on viewing a custom version of users.php?
  69. Can I rename the wp-admin folder?
  70. Cannot login in WordPress even after changing hash password in phpmyadmin
  71. WordPress User profile page fields missing
  72. Why WordPress not logout after I have close my browser?
  73. Anyone Can Register
  74. How to protect wp-admin from third party access?
  75. Couple questions about .htaccess, login page, updates
  76. Is it possible to tell if a user is logged into WordPress from looking at the cookies which are set?
  77. Extend user search in the users.php page to allow for searching by role and excluding specified email domains from the “users search” input box
  78. Extend user search in the Wp backend area on the users.php page to allow for searching by email domain and role from the “users search” input box
  79. WordPress Users page missing user count next to different types of users
  80. is exposed wp-admin site a serious security vulnerability
  81. Searching for a custom meta from user.php in the admin
  82. How can we make managing lots of pages in WordPress Admin better?
  83. wp-admin pages return ERR_EMPTY_RESPONSE
  84. Unwanted redirect in admin area
  85. Can’t access dashboard, connection times out (other pages work fine)
  86. Getting post meta data, while editing a post in wp-admin panel [closed]
  87. Share Tags Between Custom Posts in Admin
  88. Cannot find an OLD Gravity Form on an OLD Word Press site [closed]
  89. Page update through theme editor caused wp admin to break
  90. How to have WP admin in English while public website is in another language?
  91. Remove “Filter” Button on All Posts in wp-admin
  92. only last option from theme options is being saved to the DB
  93. Cached php? Updates are rendering only if logged as admin
  94. Symlinking WordPress WP-ADMIN and WP-INCLUDES
  95. Why would running an admin check throw a 500 error? I’m calling is_super_admin();
  96. theme injecting css into wp-admin
  97. Custom login form logo not displaying
  98. Stop the user if login from the cookies
  99. Featured image bugging out when using svg
  100. WordPress site shows a white page for site/wp_admin. A login returns again to the login screen
deneme bonusudeneme bonusu veren sitelerpulibet girişOnwin Güncel Giriştürkçe altyazılı pornocanlı bahis casino