Hello everyone. Basically I work with customers that host websites on WordPress, and I noticed that a lot of customers in recent days have reported that their websites have been affected/injected with malware. After doing some investigation I have noticed that most of them had some suspicious admin users created with the username MUWY. Like basically all of them had this user created.
I just wanted to see if there is anyone who had that same user added on their website and if you have any clue where it could be coming from. Is there any way for me to trace back where the user was created from exactly? That could potentially stop users from getting breached in the future.
I have guided all of them to remove the users they are unaware of, remove any plugins and themes that seem sus, update the current plugins and themes, change all of the users' passwords, change the password of the database and set up 2FA on their website, but I am afraid there will be more of them with the same exact user added.
Hopefully I can get some guidance on this one or find some people with the same exact issue.
Have a nice day!
Suspicious backdoor admin users MUWY