The other day, my friend (let’s call her Nancy) received an email from her WordPress site informing her that a user’s password had been changed. As far as she knew, the site didn’t have any users. At first glance, it looked like a potential security incident.
There was just one problem.
Nancy hadn’t touched the site in years.
The blog lives on a subdomain of one of my websites and, like many personal projects, it was created with good intentions and then mostly forgotten. When the email arrived, neither of us recognized the username mentioned in the alert.
As someone who has been studying cybersecurity and SOC (Security Operations Center) work, I decided to treat it like a real incident investigation.
Step 1: Identify the User
The email stated that the password had been changed for a user who had no business on a personal blog.
Nancy had never heard of the account.
That immediately raised a red flag. Unknown accounts on a website are never something you want to ignore.
Step 2: Investigate Before Taking Action
Rather than deleting things immediately, I logged into the hosting account and began gathering information. I was also able to log into her account as an administrator.
The first thing I checked was the list of WordPress users. There was actually a long list of Subscriber accounts, and the password change was for the newest one.
Nancy was still the only Administrator.
Step 3: Check Permissions
The answer was hidden in WordPress Settings.
The option labeled “Anyone can register” was enabled.
The site had been quietly accepting registrations from anyone on the internet for years, and the spambots had simply found the registration form and created accounts.
The account that triggered the email was just the latest one. The email itself was WordPress’s standard notice to the site’s admin address, which it sends whenever a non-administrator user resets their password through the “Lost your password?” form.
Why Would Bots Register?
Many people assume that every strange account is the result of a targeted attack.
Most of the time it isn’t.
Bots crawl the internet looking for WordPress sites with open registration enabled.
They create accounts automatically because:
• They hope to post spam later.
• They hope a future vulnerability will allow privilege escalation.
• They collect active websites for future campaigns.
• They are simply programmed to register wherever they can.
The scary part is that most site owners never notice.
The Fix
Once I confirmed that Nancy was still the only Administrator, I took a few simple steps.
• Disabled public registration.
• Deleted roughly 75 spam Subscriber accounts.
• Verified WordPress was updated.
• Verified plugins were updated.
• Confirmed there were no additional administrative accounts.
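The checks above can be scripted so they run in a fixed order, with the admin check gating the cleanup. The following is an added example, not code from the original post: it assumes the user list was exported with `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json` and the registration setting with `wp option get users_can_register`. The accounts in the sample are constructed, and one rogue administrator ("webmaster") is included on purpose so the admin check has something to catch; the real site had none.

```python
"""Triage a WordPress user export: rogue admins, spam subscribers, registration bursts."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample (not real accounts) shaped like the output of
#   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json
# The "webmaster" administrator is included so the admin check below fires.
SAMPLE_USERS_JSON = """[
  {"ID": 1,  "user_login": "nancy",        "user_email": "nancy@example.com", "user_registered": "2016-03-02 10:15:00", "roles": "administrator"},
  {"ID": 41, "user_login": "ThomasKlerk",  "user_email": "tk8831@example.net", "user_registered": "2021-06-11 03:02:17", "roles": "subscriber"},
  {"ID": 42, "user_login": "JamesHoyle",   "user_email": "jh2219@example.net", "user_registered": "2021-06-11 03:04:55", "roles": "subscriber"},
  {"ID": 43, "user_login": "Brandonsmith", "user_email": "bs7710@example.org", "user_registered": "2021-06-11 03:09:41", "roles": "subscriber"},
  {"ID": 44, "user_login": "Alfredoet",    "user_email": "al5500@example.org", "user_registered": "2021-06-11 03:11:02", "roles": "subscriber"},
  {"ID": 45, "user_login": "Kennethvam",   "user_email": "kv9012@example.net", "user_registered": "2021-06-11 03:14:30", "roles": "subscriber"},
  {"ID": 96, "user_login": "Davidleath",   "user_email": "dl4411@example.net", "user_registered": "2024-01-19 22:40:08", "roles": "subscriber"},
  {"ID": 97, "user_login": "webmaster",    "user_email": "wm@example.org",     "user_registered": "2024-01-20 01:12:51", "roles": "administrator"}
]"""

# Constructed value shaped like `wp option get users_can_register` ("1" = open).
SAMPLE_USERS_CAN_REGISTER = "1"


def load_users(users_json):
    """Parse the export; split the comma-separated roles and parse timestamps."""
    users = json.loads(users_json)
    for u in users:
        u["roles"] = [r for r in u["roles"].split(",") if r]
        u["registered"] = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
    return users


def unexpected_admins(users, expected_admins):
    """Administrator logins not on the owner's list. Any hit means this is an
    incident, not a cleanup: stop and investigate before deleting anything."""
    return sorted(u["user_login"] for u in users
                  if "administrator" in u["roles"] and u["user_login"] not in expected_admins)


def spam_candidates(users, known_logins):
    """Subscriber-only accounts the owner does not recognize."""
    return [u for u in users
            if u["roles"] == ["subscriber"] and u["user_login"] not in known_logins]


def registration_bursts(users, threshold=3):
    """Days with `threshold` or more registrations. Several sign-ups in one day on
    a dormant personal blog is the fingerprint of automated registration."""
    per_day = Counter(u["registered"].date() for u in users)
    return sorted((day.isoformat(), n) for day, n in per_day.items() if n >= threshold)


def delete_command(candidates, reassign_to=1):
    """wp-cli command to remove the accounts. --reassign hands any content they
    own to a real user instead of deleting it; --yes skips the confirmation."""
    ids = " ".join(str(u["ID"]) for u in candidates)
    return f"wp user delete {ids} --reassign={reassign_to} --yes"


def triage(users_json, users_can_register, expected_admins, known_logins):
    """Run the checks in the order they matter and return a report."""
    users = load_users(users_json)
    rogue = unexpected_admins(users, expected_admins)
    spam = spam_candidates(users, known_logins)
    return {
        "registration_open": users_can_register.strip() == "1",
        "unexpected_admins": rogue,
        "spam_candidate_ids": [u["ID"] for u in spam],
        "bursts": registration_bursts(users),
        # Only clean up when no unknown admin exists; otherwise preserve evidence.
        "safe_to_clean": not rogue,
        "cleanup_command": delete_command(spam) if spam and not rogue else None,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_USERS_JSON, SAMPLE_USERS_CAN_REGISTER,
                    expected_admins={"nancy"}, known_logins={"nancy"})
    print(json.dumps(report, indent=2))
```

With the sample as given, the report flags "webmaster" and withholds the cleanup command; only once the admin list is clean does it hand back the `wp user delete` line. Closing the door from the command line is `wp option update users_can_register 0`, which is the same box as Settings → General → Membership in the dashboard.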
The entire incident turned out not to be a compromise at all.
It was a configuration issue.
If you run a WordPress site and do not actively need public registration, check this setting:
Settings → General → Membership → Anyone can register
If it is enabled and you don’t need it, turn it off. While you are there, confirm that “New User Default Role” is still Subscriber: open registration that hands out a higher role would be a full compromise rather than a nuisance. You may discover that you’ve been collecting unwanted users for years.