
wp_new_admin_user

Severity: Critical
Signal: wp.user — new user registered with administrator role

What this signal means

A new WordPress user account was created and registered with the administrator role. Newly created admins are unusual — most sites have a fixed set of admin accounts established at launch.

What surprise this prevents

A backdoor admin account created by a compromised plugin or attacker, giving them persistent access long after the initial intrusion.

Why it matters

Creating a backdoor admin account is one of the most common post-compromise actions attackers take. This alert fires immediately so you can verify the account is legitimate before any damage is done.

Investigate

View entity alerts in Logystera →

Check:

  • payload.user_login — is this a known person?
  • payload.user_email — does the email match a known team member?
  • labels.actor — who was the logged-in user who created the account? Was it done programmatically (user_id 0 = no session)?

In WordPress admin, go to Users → All Users → Administrator and find the new account.

  1. Confirm whether this account was legitimately created — check with your team.
  2. If unexpected, delete the account immediately: WP Admin → Users → Find the account → Delete. Assign any content to an existing admin before deleting.
  3. Trace how it was created:
       • Was it via WP admin UI? (Someone with existing admin access created it.)
       • Was it via REST API? Check rest.request signals around the same timestamp.
       • Was it via a plugin's registration form? Review installed plugins.
  4. Audit all admin accounts. Remove any that are no longer needed.
  5. Check for malware using a scanning plugin (e.g., Wordfence, Sucuri) — automated account creation often indicates a compromised plugin or theme.

When to safely ignore

If your team intentionally created a new admin account and the actor and email in the payload match a known team member, no action is required.
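
The checks and the safe-to-ignore rule above can be scripted against exported signals. The following is an added example, not Logystera's own code: the `KNOWN_ADMINS` allowlist, the `timestamp` field, the shape of `labels.actor` and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed allowlist of approved admin logins -> emails (assumption; maintain your own).
KNOWN_ADMINS = {"alice": "alice@example.com", "bob": "bob@example.com"}

def _ts(event):
    # Assumed field: an ISO 8601 "timestamp" on every signal.
    return datetime.fromisoformat(event["timestamp"])

def triage(event, nearby=(), window_s=60):
    """Return reasons to investigate; an empty list means safe to ignore."""
    p = event.get("payload", {})
    if (event.get("event_type") != "wp.user"
            or p.get("type") != "user_registered" or not p.get("is_admin")):
        return []
    reasons = []
    login, email = p.get("user_login"), (p.get("user_email") or "").lower()
    if login not in KNOWN_ADMINS:
        reasons.append(f"unknown login {login!r}")
    elif KNOWN_ADMINS[login].lower() != email:
        reasons.append(f"email {email!r} does not match known admin {login!r}")
    # Assumed shape of labels.actor: {"user_id": int, "user_login": str}.
    actor = event.get("labels", {}).get("actor", {})
    if actor.get("user_id", 0) == 0:
        reasons.append("no session: actor user_id 0 (programmatic creation)")
    elif actor.get("user_login") not in KNOWN_ADMINS:
        reasons.append(f"created by unknown actor {actor.get('user_login')!r}")
    if reasons:  # only trace the creation path for unexpected accounts
        for e in nearby:
            if (e.get("event_type") == "rest.request"
                    and abs((_ts(e) - _ts(event)).total_seconds()) <= window_s):
                reasons.append(f"rest.request at {e['timestamp']} within {window_s}s")
    return reasons

# Constructed sample signals (not real data).
SUSPICIOUS = {"event_type": "wp.user", "timestamp": "2024-05-01T03:12:40+00:00",
              "labels": {"actor": {"user_id": 0}},
              "payload": {"type": "user_registered", "user_id": 88,
                          "user_login": "wp-backup-user",
                          "user_email": "backup@example.invalid", "is_admin": True}}
REST = {"event_type": "rest.request", "timestamp": "2024-05-01T03:12:37+00:00"}
LEGIT = {"event_type": "wp.user", "timestamp": "2024-05-02T10:00:00+00:00",
         "labels": {"actor": {"user_id": 1, "user_login": "alice"}},
         "payload": {"type": "user_registered", "user_id": 89, "user_login": "bob",
                     "user_email": "bob@example.com", "is_admin": True}}

if __name__ == "__main__":
    print(triage(SUSPICIOUS, [REST]))
```
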

Signal reference

{
  "event_type": "wp.user",
  "payload": {
    "type": "user_registered",
    "user_id": 88,
    "user_login": "wp-backup-user",
    "user_email": "[email protected]",
    "is_admin": true
  }
}