Title: !DANGER! Security issue
Last modified: August 8, 2018

---

# !DANGER! Security issue

 *  Resolved [jave.web](https://wordpress.org/support/users/javeweb/)
 * (@javeweb)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/)
 * I got now 2 websites with PHP malware,
    plugins that are on both are: Ultimate
   member, ACF, WPML and WP Migrate DB, however the latter 3 are on other sites 
   that work fine.
 * Also same behaviour is that
 * `/wp-content/uploads/ultimatemember/temp`
 * this folder contains suspicious folders and PHP files in them, attacks are often
   more site-spread, so only suspect remains this plugin.
 * Can you please look into this issue?
    Doesn’t your file upload have a security
   hole somewhere?
 * //USING LATEST ULTIMATE MEMBER, LATEST WP//
 * Also your check_file_upload() method checks extension, not a real file type! 
   Which is an issue itself…
    -  This topic was modified 7 years, 11 months ago by [jave.web](https://wordpress.org/support/users/javeweb/).

Viewing 10 replies - 1 through 10 (of 10 total)

 *  [Stefan Seidner-Britting](https://wordpress.org/support/users/stefahn/)
 * (@stefahn)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10571230)
 * This affects other UM users too, see [https://wordpress.org/support/topic/malware-files-being-uploaded/](https://wordpress.org/support/topic/malware-files-being-uploaded/)
 * Hope this will get fixed very soon.
 *  Thread Starter [jave.web](https://wordpress.org/support/users/javeweb/)
 * (@javeweb)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10571949)
 * [@stefahn](https://wordpress.org/support/users/stefahn/) true, and it’s already
   a week with no fix or reply – I’ve contacted WP plugin team – I hope they will
   speed up the isssue fixing 🙂
 *  [chrisdaswiss](https://wordpress.org/support/users/chrisdaswiss/)
 * (@chrisdaswiss)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10574127)
 * We have the same problem with our ultimate member installation. Files being uploaded
   to uploads/ultimatemember/temp.
 * WPvulndb.com: [https://wpvulndb.com/vulnerabilities/9110](https://wpvulndb.com/vulnerabilities/9110)
 * I advise to turn off php execution in the /uploads/ folder. Add this to a .htaccess
   file and upload it to wp-content/uploads/:
 * # Kill PHP Execution
    <Files ~ “\.ph(?:p[345]?|t|tml)$”> deny from all </Files
   >
 *  [Presskopp](https://wordpress.org/support/users/presskopp/)
 * (@presskopp)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10574550)
 * What about
 *     ```
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteRule \php[0-9]?[0-9]?$ - [F]
       </IfModule>
       ```
   
 * will grab any .php52 etc.
 * see also [https://core.trac.wordpress.org/ticket/21981](https://core.trac.wordpress.org/ticket/21981)
 *  Thread Starter [jave.web](https://wordpress.org/support/users/javeweb/)
 * (@javeweb)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10574575)
 * [@chrisdaswiss](https://wordpress.org/support/users/chrisdaswiss/) & [@endurox](https://wordpress.org/support/users/endurox/):
   thank you for your suggestions
 * Both codes work as expected
    1. [@endurox](https://wordpress.org/support/users/endurox/) code is targeted on
       turning off the php completely – which is probably the most flexible solution
    2. [@chrisdaswiss](https://wordpress.org/support/users/chrisdaswiss/) code denies
       calling files with specific extensions -NOTE! if you copy code from here – rewrite
       the double quotes with the “code” double quotes!
 * You can combine both solutions to be extra-sure 🙂
 *  Plugin Support [Ultimate Member Support](https://wordpress.org/support/users/ultimatemembersupport/)
 * (@ultimatemembersupport)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10575091)
 * Hi [@javeweb](https://wordpress.org/support/users/javeweb/),
 * The Ultimate member 2.0.22 with security fixes has been released, please update
   to the latest version ASAP.
 * Thanks.
 *  Thread Starter [jave.web](https://wordpress.org/support/users/javeweb/)
 * (@javeweb)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10575194)
 * Thank you for your work.
 *  [vichilino](https://wordpress.org/support/users/vichilino/)
 * (@vichilino)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10580395)
 * [@ultimatemembersupport](https://wordpress.org/support/users/ultimatemembersupport/)
   Will these updates get rid of possible malware code within the website body? 
   Im not too good about coding.
 *  Thread Starter [jave.web](https://wordpress.org/support/users/javeweb/)
 * (@javeweb)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10580943)
 * [@vichilino](https://wordpress.org/support/users/vichilino/) no plugin update
   will ever clean an existing malware … **You have to do it yourself**, **or** 
   use a plugin to do it for you. One of the most popular security plugin with scanning
   in a free version is Wordfence Security – [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/)
   it also provides autorepair and autodelete (so not just finding the malware but
   also cleaning the malware), first solve the security issue, than scan for malware
   and remove it – I recommend to repeat the scan&remove untill there is no dangerous
   code 🙂
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10592531)
 * Get a fresh cup of coffee, take a deep breath and carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 * If you’re unable to clean your site(s) successfully, there are reputable organizations
   that can clean your sites for you. Sucuri and Wordfence are a couple.

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘!DANGER! Security issue’ is closed to new replies.

 * ![](https://ps.w.org/ultimate-member/assets/icon-256x256.png?rev=3160947)
 * [Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin](https://wordpress.org/plugins/ultimate-member/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/ultimate-member/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/ultimate-member/)
 * [Active Topics](https://wordpress.org/support/plugin/ultimate-member/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/ultimate-member/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/ultimate-member/reviews/)

## Tags

 * [security hole](https://wordpress.org/support/topic-tag/security-hole/)

 * 10 replies
 * 7 participants
 * Last reply from: [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * Last activity: [7 years, 11 months ago](https://wordpress.org/support/topic/danger-security-issue/#post-10592531)
 * Status: resolved