Hacked: What to Do?

Weird admin login to my Wordpress site.

ubound

2:32 am on Oct 24, 2016 (gmt 0)

Hey everyone,

I received a notification from Wordfence plugin that there was an admin login to my site while I was sleeping! The admin username is something I never created and the country is UK (I am not in UK).

Looking at the site, things look totally normal. I can even log in with my own admin username and the dashboard looks OK as well. There is no sign of their username (the one they used to log in to my site) either.

What do I do now? Any advice will be appreciated.

Thanks!

ubound

2:38 am on Oct 24, 2016 (gmt 0)

Update: I opened PHPmyAdmin and was able to see their username and email. I deleted them and will change my passwords. But what else should I do? How do I protect my site?

Thanks

ubound

2:41 am on Oct 24, 2016 (gmt 0)

And they actually deleted my Wordfence plugin!

not2easy

3:09 am on Oct 24, 2016 (gmt 0)

Check the users, change passwords for all users.
Backup now and compare your wp-config.php file with the original (you do have a copy, right?)
If your WP site is hosted where you have CP, use the File Manager to find any files with recent dates and make sure they have not been altered. Again, backup is handy for that. Inspect the settings in PHPmyAdmin to be sure they match your records.

There are plenty of small steps to take to help secure a WP site:
The best way to protect your site is to have secure passwords.
You should also chmod file permissions so that sensitive files are not publicly accessible. See [codex.wordpress.org...]
It helps to alter your SQL prefix also so they can't rely on the default wp_ prefix.
Check the WordPress Vulnerability Database to check that your plugins are secure; vulnerable plugins are tracked and listed in the database: [wpvulndb.com...]

ubound

4:34 am on Oct 24, 2016 (gmt 0)

Thanks for that! Following your instructions, I found that there is a new folder in my plugins directory in cPanel. It is called login-protect-ninja and it has one PHP file. It appears to be a plugin I never installed. It also doesn't show up in my WP dashboard; I can only see it through cPanel. Inside the file there is some PHP (I am not good enough to say if it's legit). The head of the file says:

Plugin Name: Wordpress Login Protect [Brute Force]
Description: Protects your website against brute force login attacks using Advanced Security Techniques

I am deleting this. Very strange!

not2easy

5:18 am on Oct 24, 2016 (gmt 0)

I use a captcha on my login page to discourage automated login scripts. It does help to lower the server load if it doesn't get an extra 300 hits an hour. The Wordpress site offers a pretty full list of ways to make your install more secure: [codex.wordpress.org...]

Most FTP programs can also list files by date so that would be another way to check in case your host did not use CP. I would check back frequently in case there is a back door or a vulnerable plugin you might have missed. WordPress.org reminds us that no amount of security steps can completely eliminate all risks. If some download has planted a keylogger on your computer, they will have all the latest login information. Keeping your computer free of malware makes your logins safer.

martinibuster

11:58 am on Oct 24, 2016 (gmt 0)

I was going to suggest the same thing not2easy suggested. Go into your FTP program, log in to your server, then click on the tab for dates; you're looking for the Last Modified date. Go into every folder and see the last modified date.

Here's the important part:
Some files do not belong in your WP install. The Modified Date will show you when it was last modified or added. So if it's a file that didn't previously exist in there, then delete it. Compare your files to a previous full download backup you may have (always download a backup via FTP once in a while, even if you have a daily backup plugin). If you don't have a backup, then download a fresh copy of WP and use that to compare which file belongs and needs to be replaced with a fresh copy, and which file does not belong.

Additionally, identify the point of entry. Is your server software completely patched? Are you using the latest version of PHP?
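The file-date check and the fresh-copy comparison described in the two posts above, as an added shell example that nobody in the thread posted. It assumes shell access to the host, a live install directory, an unpacked fresh copy of the same WordPress version to compare against, and a look-back window in days; the file names used when trying it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage a WordPress install from a
# shell on the host, following not2easy's and martinibuster's procedure.
# Assumed arguments: live install dir, fresh WordPress reference dir, days.

# Files changed within the last N days: the "Last Modified" check.
recent_files() {
    # $1 = install dir, $2 = days
    find "$1" -type f -mtime "-$2" | sort
}

# Files in the live install that a fresh copy does not have. Themes, plugins
# and uploads under wp-content/ are expected here; an unknown plugin directory
# (the thread's login-protect-ninja) is exactly what this list surfaces.
foreign_files() {
    # $1 = install dir, $2 = reference dir
    live_list="${TMPDIR:-/tmp}/wp-live.$$"
    ref_list="${TMPDIR:-/tmp}/wp-ref.$$"
    ( cd "$1" && find . -type f | sort ) > "$live_list"
    ( cd "$2" && find . -type f | sort ) > "$ref_list"
    comm -23 "$live_list" "$ref_list"      # only in live, not in reference
    rm -f "$live_list" "$ref_list"
}

# Core files whose content differs from the fresh copy: candidates for
# replacement with the pristine version.
modified_core() {
    # $1 = install dir, $2 = reference dir
    ( cd "$2" && find . -type f | sort ) | while IFS= read -r f; do
        if [ -f "$1/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
            printf '%s\n' "$f"
        fi
    done
}
```

Run the three functions against a backup-first copy of the install; anything listed by foreign_files under wp-content/plugins/ that the dashboard does not show deserves a look before deletion.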

ubound

1:53 pm on Oct 24, 2016 (gmt 0)

Thanks everyone! I am using cPanel to sort by dates. I am not sure how they entered though, but it must be through WP because if they entered through server, they would just delete Wordfence before it could tell me about their login.

I have Wordpress file editing disabled, so maybe after all they couldn't do anything other than attempting to install some weird plugin. I am not really sure what happened.

My host, A Small Orange, was notified about the issue, but they haven't replied yet. The site behaves totally normally. No traffic drops, no weird ads. My ads are earning me money. I will still be investigating though.

ubound

2:01 pm on Oct 24, 2016 (gmt 0)

Just wondering how they could create a username with administrative access. That's the question....

Also I have their email address that is hosted on a domain they own. Should I go and complain to their registrar or host?

engine

2:04 pm on Oct 24, 2016 (gmt 0)

ubound, certainly keep a close eye on that: They could be back if the hole has not been plugged.

The plugin may have given them access independent of the usual login.

It could have been a url injection, with new pages appearing, or links appearing on existing pages.

It's worth taking more frequent backups for the time being.

martinibuster

2:59 pm on Oct 24, 2016 (gmt 0)

Just wonder how could they create a username with administrative access.


A password with administrative credentials is just a database entry.

I am not sure how they entered though, but it must be through WP...


Not necessarily. WordFence is supposed to be protecting WP through known WP entries and that's very useful. But it may not be protecting you from vulnerabilities on another site hosted on the same server, it may not be protecting you from a vulnerability in your server's OS, it probably may not protect you from a poor password related to your server control panel. All a hacker needs is editing rights on your database and that can be achieved outside of WordPress.

A WP hack is not always due to WordPress itself. And if it got through the WordFence defences, then maybe you should be considering holes outside of WordPress (in fact, you should be if you haven't yet identified the entry point).

ubound

3:53 pm on Oct 24, 2016 (gmt 0)

A WP hack is not always due to WordPress itself. And if it got through the WordFence defences, then maybe you should be considering holes outside of WordPress (in fact, you should be if you haven't yet identified the entry point).


Unfortunately it's not very obvious to me how to go about finding the point of entry. Not that I am totally ignorant, but I don't know enough about vulnerabilities. I did some "WordPress hardening" some years ago following instructions in the "Digging into WordPress" book, which were basically the same instructions WordPress has on their site. That's when I disabled file editing via the WordPress dashboard. Maybe it saved me today? I dunno. Good thing this particular site is not my main site, and even now it works just fine, so I am not panicking. Will try to figure this out!