Spam Registrations

I suspect that there is malware files on your system that is allowing those user registrations. There are lots of googles/bings/ducks on how to clean a hacked system. (I use my own procedure here.)

What I would do is these things:

  • change all credentials everywhere (hosting, FTP, admin etc)
  • create a new admin user with a very secure password, log in as it (to verify it works), then demote the current admin user(s) to lowest level. Especially if your admin user is called ‘admin’.
  • disable xmlrpc.prg on your site (that can be a hack intrusion point)
  • reinstall WP (use the Update on the dashboard).
  • reinstall all theme from good sources via FTP. Do the same for all plugins
  • Manually look at all files in all folders on your site for ‘bad’ files. Sorting by date helps, since you updated everything – all updated files should have the same datestamp, so unwanted files will stick out. Don’t forget to look at all hidden files, including htaccess.
  • look at generated source code of pages to ensure nothing funky in there

The site can be cleaned (I’ve done it, which is how I developed my procedure). But IMHO there is a strong possibility of malware code on your site allowing those registrations.

Related Posts:

  1. what is a auth_user_file.txt?
  2. How to view PHP on live site
  3. Is moving wp-config outside the web root really beneficial?
  4. Hide the fact a site is using WordPress?
  5. Verifying that I have fully removed a WordPress hack?
  6. Can I Prevent Enumeration of Usernames?
  7. Best way to eliminate xmlrpc.php?
  8. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  9. Should I remove install.php and install-helper.php?
  10. Are Nonces Useless?
  11. What is the difference between esc_html filter vs attribute_escape filter?
  12. How do I technically prove that WordPress is secure?
  13. Which KSES should be used and when?
  14. How do WordPress Nonces Work?
  15. How can I easily verify a core or plugin update has not broken anything?
  16. Disable comment windows for all existing posts (pages/blogposts)
  17. Generate WordPress salt
  18. Vanilla WordPress install, what can/should I put in disable_functions?
  19. Stop wordpress automatically escaping $_POST data
  20. Secure my “add_settings_field” translation?
  21. how can i embed wordpress backend in iframe
  22. Handling nonces for actions from guests to logged-in users
  23. WordPress Logout Only If User Click Logout or If User Delete Browser History
  24. Can I force a password change?
  25. How brute-forcer knows that the password is cracked for target username?
  26. wp_insert_post disable HTML filter
  27. What is pclzip.lib.php file that wordfence think it’s a malicious code
  28. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  29. How to disable XML-RPC from Linux command-line in a total way?
  30. How to remove javascript malware in wordpress site [closed]
  31. Completely remove the author url
  32. Securing my WordPress Files and Directories
  33. Restricting access to content
  34. About WordPress site security
  35. Single sign-on: wp_authenticate_user vs wp_authenticate
  36. How to allow internal links using wp_kses filtration
  37. How does Cross Site Scripting (XSS) work exactly? [closed]
  38. Relative security of different releases of WordPress
  39. How does the “authentication unique keys and salts” feature work?
  40. vs WordPress Security
  41. esc_html__ security : what for in this example?
  42. Using HTACCESS for Secret Access
  43. wp-config.php being written by attacker
  44. Definitive wordpress directory ownership and permissions on linux
  45. XML-RPC errors they know my username?
  46. Is [admin / admin] acceptable for all local websites?
  47. Simple Online Payment for Event Registration [closed]
  48. What may be causing failure of auto-install features in WordPress (v3.0.3)?
  49. Client side HTTP parameter pollution (reflected)
  50. Local file inclusion critical security issue [closed]
  51. Malware script in database post table only? [closed]
  52. Best practices to assert current_user_can() with guests
  53. wordpress website host price and security [closed]
  54. XMLRPC slow and weird websites/services
  55. Are there security risks in working directly in the themes folder that builds into a theme folder?
  56. Is it safe to hand over the admin rights?
  57. how much information can we hide when using wordpress cms?
  58. How to find exploited wordpress plugin [closed]
  59. How I can open back door for myself?
  60. Basic password protection without using users and roles
  61. System setting changed by system user
  62. Does meta-data need to be sanitized?
  63. How can I force a specific password?
  64. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  65. Who updates the wp-admin/core file?
  66. How WordPress sanitizes post content on save? Or it doesn’t?
  67. Does this code indicate an exploit?
  68. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  69. How to prevent to direct access of my custom plugin folder/files
  70. Checking for origin of a xmlrpc request
  71. RESTRICT EDIT of PHP files?
  72. wp-content – permissions for files/folders created by apache
  73. How can I restrict access to specific parts of a page, not just the page itself?
  74. Has anyone developed a anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?
  75. User generated content and security
  76. Monitor wordpress all external calls
  77. HSTS header not being added correctly
  78. how to protect wordpress content from crawler
  79. Securing WordPress running on Azure platform
  80. Can WordPress admin user + database credentials be used to gain Cpanel or FTP access?
  81. Should I worry about SQL injection when using REST API?
  82. How can I have more confidence that WP plugins aren’t getting and storing user data?
  83. Standard Method for Securing a WordPress Site
  84. wordpress security (only one part of the site)
  85. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  86. Any way to disable /wp-login.php redirecting to the site folder?
  87. Folder Permissions + Security Concerns
  88. Malware/Permission bug removal?
  89. Could a user account with a stolen password compromised entire WP site?
  90. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  91. Secure a WordPress website in 2019: one plugin or a combinations of them?
  92. What are the different types of firewall protections available for a WordPress website?
  93. Run a security scan on WordPress site that has .htaccess password [closed]
  94. Is this a WordPress security bug?
  95. Competitor is somehow accessing MetaData on a hidden WordPress site
  96. WordPress Hacks/Defacing [closed]
  97. Move data from wp-config to another file
  98. Heartbleed: What is it and what are options to mitigate it?
  99. OpenVPN vs. IPsec – Pros and cons, what to use?
  100. How to test if my server is vulnerable to the ShellShock bug?