Hello,
A WordPress based website that I help out with allows readers to sign up as subscribers to receive newsletters. Recently, we have been experiencing a problem with a hack in which some unknown person or bot would sign up and give the account admin status. It seems that the unknown user can not only give himself admin status but also evade detection by StatCounter. All authorized administrator accounts have hard-to-guess passwords that are changed on a regular basis, and a user activity tracking plugin has been installed so they both rule out logging in with stolen passwords.
SiteLock is currently working with us by scanning the site for malware on a regular basis but other than that, it seems that even they are baffled. Is anyone having the same problem? Does anyone have any suggestions?