What’s going on? Short answer – your WordPress account has been hacked.
More than likely you have been running an old version (i.e. not the current one) and you have succumbed to an exploit.
The two telling signs are that you have two administrator users (one that you cannot see), and that your permalink structure has changed. There are other signs as well, but those are the two main ones.
A more detailed discussion of it can be read here.
First and foremost, you should be making sure you have a backup of all your files and SQL database (it should be a regular thing anyway!) before making any changes.
Note: All care but no responsibility is taken with the accuracy of this post.
To find the hidden user, go to the /wp-admin/users.php page and click the link near the top of the page to view only Administrators. The page will not show the hidden administrator, but you can “view source” of this page, and you’ll find the additional username somewhere in the HTML. The key thing to find is the user id, which then can be used with the following URL (substituting the hacker’s user id for xx):
Once you’re in the page to edit the user, you can change its role back to ‘Subscriber’ and delete the bogus ‘first name’ field. (You’ll also have to insert an email address so that you can save your changes; any old email address will do.) After saving the changes, return to the normal user list, select this user and delete it.
Upgrade your WordPress to the latest version, and don’t forget to change your permalink structure. I would also suggest changing your admin password, and having a read of this page to consider other actions to secure your WordPress install.