Last week we received an email from our WordPress saying that the admin email got changed to admin@example.com
By checking the logs using the WP Activity Log plugin, I can see that the action was done by the ‘System’ user from the IP 185.212.131.78. Something to note: it doesn’t seem to be a valid user, any other record on the logs is showing the actual user that performed the action.
Of course that IP is already blocked, now I’m wondering how somebody managed to change a system setting remotely without having a valid account.
Does anybody have any clue on what happened?
Running WordPress 5.8.2, all the plugins updated