We have encountered additional administrator accounts on clients' websites that no one seems to have created or can account for. An administrator account that nobody can explain is a strong sign the site has already been compromised, so removing the account is only the start; how it was created also needs to be established. As part of a WordPress Security Maintenance check the following needs to be done, at minimum:
- Remove all unaccounted-for administrator accounts and restrict the site to one or two administrators. When deleting a user, attribute their content to a remaining account rather than deleting it.
- If feasible, restrict access to the admin panel (wp-admin and wp-login.php) to your own and the client's static IPs.
- Change the default path to the admin panel. This cuts down automated login noise but is not a substitute for the other controls.
- Maintain an access log of all logins to the admin panel, including failed attempts, and review it regularly.
- Blacklist IPs that repeatedly attempt to gain unauthorised access.
- Enforce a strong password policy.
- Add two-factor authentication for every administrator account.
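The logging and blacklisting items above can be driven straight from the web server's access log. The script below is an added example, not part of the original checklist or of WordPress itself. It assumes an Apache "combined" format access log and relies on WordPress's behaviour of answering a failed POST to wp-login.php by re-rendering the form (HTTP 200) while a successful login is answered with a 302 redirect into wp-admin. The threshold of five failures, the allowlist and the sample log lines are constructed for the example.

```python
"""
Audit a WordPress site's admin panel from the Apache access log:
build the admin-panel access log, count failed logins per source IP,
and render a blacklist as Apache 2.4 .htaccess rules.
"""
import re
from collections import Counter

# Apache "combined" log format (hypothetical sample server, see SAMPLE_LOG).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Everything under these paths counts as admin-panel traffic.
ADMIN_PATHS = ("/wp-login.php", "/wp-admin/")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec.pop("target").partition("?")
    return rec

def admin_panel_events(lines):
    """The admin-panel access log: every request touching wp-login.php or wp-admin/."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(ADMIN_PATHS):
            events.append(rec)
    return events

def _is_login_post(e):
    # A plain POST to wp-login.php; ?action=lostpassword etc. are not login attempts.
    return e["path"] == "/wp-login.php" and e["method"] == "POST" and "action=" not in e["query"]

def failed_logins_per_ip(events):
    """Failed logins per IP: WordPress re-renders the form with HTTP 200 on failure."""
    return Counter(e["ip"] for e in events if _is_login_post(e) and e["status"] == 200)

def successful_logins(events):
    """Successful logins: the login POST is answered with a 302 redirect into wp-admin."""
    return [(e["ip"], e["ts"]) for e in events if _is_login_post(e) and e["status"] == 302]

def blocklist(counts, threshold, allowlist=frozenset()):
    """IPs at or above the failure threshold, never including your own or the client's IPs."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)

def apache_deny_rules(ips):
    """Render the blocklist as Apache 2.4 .htaccess rules protecting wp-login.php."""
    lines = ['<Files "wp-login.php">', "  <RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines += ["  </RequireAll>", "</Files>"]
    return "\n".join(lines)

# Constructed sample log lines (documentation-range IPs, not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2831 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:09:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:09:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:09:00:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 41020 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:09:05:00 +0000] "GET /index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:09:05:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2901 "-" "curl/8.0"
"""

if __name__ == "__main__":
    events = admin_panel_events(SAMPLE_LOG.splitlines())
    counts = failed_logins_per_ip(events)
    # Constructed allowlist: the maintainer's and the client's static IPs.
    own_ips = frozenset({"198.51.100.20"})
    print("successful logins:", successful_logins(events))
    print("failed logins per IP:", dict(counts))
    print(apache_deny_rules(blocklist(counts, threshold=5, allowlist=own_ips)))
```

Every successful login the script reports should match a person on the one-or-two administrator list; a 302 from an address nobody recognises is the same kind of finding as the unexplained accounts above. The generated `<Files>` block drops into the site's .htaccess; the allowlist keeps your own and the client's addresses out of the blacklist even if someone there mistypes a password repeatedly.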