Just to let you guys know, I was stupid enough to grant access to my dev site during lockdown to a plugin developer I’d trusted before on a previous project. Yesterday for some reason I thought to check the user member status and realised there was an additional admin I didn’t recognise. I went to delete the user but it re-appeared about 2 minutes later. I did some online research and checked the user table within the wp db via PHPMyAdmin. Sure enough there was the same admin I’d just deleted. I tried changing the email and then deleting but it re-appeared again after 2 minutes. I then thought to change the user role and remove all privileges while I investigated further. This held. I also installed the iThemes Security plugin on the recommendation of a WordPress support article. I managed to block all access to the dev site apart from myself and this also appeared to work as I then started to notice multiple failed login attempts (I now have 350 Brute Force attempts and IPs logged).
I then thought to download all WordPress files and perform a text search for this user’s details and bingo! I found an add action entry placed at the bottom of the generatepress main theme’s functions.php. Once removed I managed to permanently delete the admin in question.
Thought to share this experience just in case anyone else experiences the same problem.