Enhanced Security Features for Ultimate Member

Due to a recent security incident, sites using our plugin have been vulnerable to hacking and malware injection that targets login inputs. To address this, we recommend resetting all user passwords and securing your site using the new security features. These features include scanning for suspicious registered accounts, banning administrative capabilities for site subscribers/members, and allowing administrators to force all users to reset their passwords. These settings are in wp-admin > Ultimate Member > Settings > Advanced > Security.

Ultimate Member Security Settings

Banned Administrative Capabilities

This setting flags suspicious users who inject or modify wp_capabilities and wp_user_level. It checks the integrity of the capabilities of users who register or update their profiles or accounts.

Example:
1. Create a new user role called "Customer A" in wp-admin > Ultimate Member > User Roles > Add New button and scroll down to set the user role's WP Capabilities to import, export, and read.

Note: Secure these capabilities if they are not intended for members of your site, except for administrators. For example, if "Customer A" has a capability on the banned list, users with this role will get flagged once they update their profile/account.

2. Create a new user in wp-admin > Users > Add New, add the details of your user and assign the "Customer A" role. Click the "Add New User" button to save.

3. Go back to wp-admin > Ultimate Member > Settings > Advanced > Security > Banned Administrative Capabilities. The capabilities options in this setting include the default Administrator and Super Admin capabilities. If someone attempts to inject capabilities into the Account, Profile, or Register form submissions, they will be flagged with this option. The manage_options, promote_users, and level_10 capabilities are locked to ensure no users are created with these capabilities.

In this example, select only create_sites. Then, uncheck or disable the settings "Lock All Register Forms" and "Display Login form notice to reset passwords" to avoid interference. Finally, save the settings.

4. Open a new browser, log in to your site using the new user's account, and edit the user's profile. Ensure that you have made changes before you update the profile.

5. Return to the browser with your admin account logged in and check wp-admin > Users to see if the user's status has changed and been flagged.

6. If the status did not change and the user was not flagged, navigate back to wp-admin > Ultimate Member > Settings > Advanced > Security > Banned Administrative Capabilities and check the import capability.

The listed capabilities are based on the administrator role. If necessary, uncheck specific capabilities when third-party plugins are using them or if your site has unique requirements. For the banned option, you may stick with the three locked capabilities: manage_options, promote_users, and level_10.

7. Return to the browser where your test account is logged in, and repeat the steps to edit and update the user's profile. After updating the profile, the account will automatically log out and display the message: "Your account has been disabled."

8. Check in wp-admin > Users to confirm the role was flagged, the account status was changed, and the user received a flagged message.

Scanner

This setting scans existing users for the wp_user_level and wp_capabilities meta keys set through registration forms. For each suspicious account it also reports the number of user accounts registered on the same date.
Scan Results:
  • No Suspicious Account Detected: Displays a green circle with a white checkmark and the message: "No suspicious accounts found."
  • Suspicious Account Detected: Displays a red flag with the message: "Suspicious Account Detected," the number of suspicious accounts detected, and a notification that the account is temporarily disabled. It also shows the number of users registered on the same date. In the scan results, you can scroll down for Ultimate Member's recommendations to secure the site and more.
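The following is an added example, not Ultimate Member's own code, that models the two checks described above in plain PHP: the banned-capability integrity check applied to an Account/Profile/Register submission, and the scanner that walks existing users and counts same-day registrations. It assumes the default "wp_" table prefix for the capability meta key (WordPress stores it as "{$table_prefix}capabilities"), and the banned list, user records and submission are constructed sample data; the function names are hypothetical.

```php
<?php
// Added example (not Ultimate Member's own code). Assumptions: default "wp_"
// table prefix for the meta keys, and constructed sample users/submission.
declare(strict_types=1);

// Capabilities an ordinary member must never hold: the three locked ones from
// the settings page plus the two used in the walkthrough.
const BANNED_CAPABILITIES = ['manage_options', 'promote_users', 'level_10', 'create_sites', 'import'];

// Meta keys whose presence in a form submission is itself suspicious.
const PROTECTED_META_KEYS = ['wp_capabilities', 'wp_user_level'];

/**
 * Inspect one Account/Profile/Register submission.
 * Returns the reasons the submission should be flagged; an empty list is clean.
 */
function um_example_check_submission(array $fields, array $banned = BANNED_CAPABILITIES): array
{
    $reasons = [];
    foreach (PROTECTED_META_KEYS as $key) {
        if (array_key_exists($key, $fields)) {
            $reasons[] = "submission tries to set protected meta key {$key}";
        }
    }
    // If a capabilities array was smuggled in, compare it against the banned list.
    if (isset($fields['wp_capabilities']) && is_array($fields['wp_capabilities'])) {
        $granted = array_keys(array_filter($fields['wp_capabilities']));
        foreach (array_intersect($granted, $banned) as $cap) {
            $reasons[] = "banned capability {$cap}";
        }
    }
    return $reasons;
}

/**
 * Scanner: flag existing non-admin users whose stored capabilities include a
 * banned one, and report how many accounts registered on the same date.
 */
function um_example_scan_users(array $users, array $banned = BANNED_CAPABILITIES): array
{
    $byDate = [];
    foreach ($users as $u) {
        $byDate[$u['registered']][] = $u['login'];
    }
    $flagged = [];
    foreach ($users as $u) {
        if ($u['role'] === 'administrator') {
            continue; // administrators legitimately hold these capabilities
        }
        $granted = array_keys(array_filter($u['wp_capabilities']));
        $hit = array_values(array_intersect($granted, $banned));
        if ($hit) {
            $flagged[] = [
                'login'                  => $u['login'],
                'capabilities'           => $hit,
                'same_day_registrations' => count($byDate[$u['registered']]),
            ];
        }
    }
    return $flagged;
}

// Constructed sample data: the wp_capabilities array mixes role names and
// individually granted capabilities, as WordPress stores it.
$users = [
    ['login' => 'admin',   'role' => 'administrator', 'registered' => '2023-07-01', 'wp_capabilities' => ['administrator' => true, 'manage_options' => true]],
    ['login' => 'alice',   'role' => 'customer_a',    'registered' => '2023-07-03', 'wp_capabilities' => ['customer_a' => true, 'read' => true]],
    ['login' => 'mallory', 'role' => 'customer_a',    'registered' => '2023-07-03', 'wp_capabilities' => ['customer_a' => true, 'manage_options' => true]],
    ['login' => 'bob',     'role' => 'subscriber',    'registered' => '2023-07-03', 'wp_capabilities' => ['subscriber' => true]],
];

// A constructed profile update carrying an injected capability.
$submission = ['display_name' => 'Mallory', 'wp_capabilities' => ['customer_a' => true, 'manage_options' => true]];

print_r(um_example_check_submission($submission));
print_r(um_example_scan_users($users));
```

Run with `php` from the command line; no WordPress installation is needed. The submission check fires on the mere presence of a protected meta key, independently of the banned list, because a legitimate profile form never carries those keys at all.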

Lock All Register Forms

Enabling this setting prevents all users from registering with Ultimate Member on your site.

Users attempting to register will be redirected to login forms with the message: "Important: This site is currently under maintenance. Please check back soon."

Display Login Form Notice to Reset Passwords

Enabling this setting forces users to reset their passwords (one-time) and prevents them from using old passwords.

User Experience:
  • If a user logs out and logs in again after the update, they will see: "Important: Your password has expired. This (one-time) change requires you to reset your password. Please click here to reset your password via Email."
  • Clicking the "click here" link redirects them to the password reset page. If they enter the old password, they will see the error: "Your new password cannot be the same as the old password."
Note: We recommend enabling the Require a Strong Password option in wp-admin > Ultimate Member > Settings > General > Users.

Expire All Users Sessions

Clicking the "Log-out user(n)" button logs out all users (except yourself) and forces them to reset passwords if "Display Login form notice to reset passwords" is enabled.

Enable Ban for Administrative Capabilities

If this setting is enabled, anyone attempting to inject capabilities into an account, profile, or register form submissions will be banned.

Notify Administrators

This setting appears if the above setting or the ban for administrative capabilities is enabled. Admins will be notified of flagged accounts with three schedule options:
1. Send Immediately
2. Hourly: If multiple accounts are flagged within an hour, an email is sent after an hour.
3. Daily: If multiple accounts are flagged within a day, an email is sent after a day.

Allowed Hosts for Safe Redirect (One Host per Line)

This feature lets you list trusted hosts so that users can be safely redirected to a third-party server when necessary. Before redirecting, the host of the target URL is checked against the list: redirection only occurs if the host is on the allowed list. If the host is not listed, the user is not sent to the untrusted host and is redirected to your site's home page instead.
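As an added example, not Ultimate Member's own code, the block below reproduces the allowed-host check stand-alone so it can be run without WordPress. It assumes the setting is supplied one host per line as described, that the site's home URL is the constructed https://example.com, that a rejected target falls back to the home page, and PHP 8 or later; the function names and target URLs are constructed for illustration.

```php
<?php
// Added example (not Ultimate Member's own code). Assumptions: one host per
// line in the setting, constructed home URL and targets, PHP 8+.
declare(strict_types=1);

/**
 * Parse the "one host per line" setting into a normalised, de-duplicated list.
 */
function um_example_parse_allowed_hosts(string $setting): array
{
    $hosts = [];
    foreach (preg_split('/\R/', $setting) as $line) {
        $line = strtolower(trim($line));
        if ($line !== '') {
            $hosts[] = $line;
        }
    }
    return array_values(array_unique($hosts));
}

/**
 * Return $target if it stays on this site or its host is on the allowed list,
 * otherwise return $home. Relative paths are on-site and therefore allowed.
 */
function um_example_safe_redirect(string $target, array $allowedHosts, string $home): string
{
    $homeHost = strtolower((string) parse_url($home, PHP_URL_HOST));

    // Browsers treat backslashes as slashes; normalise before parsing so
    // "https:/\evil.example" is parsed the same way the browser will see it.
    $normalised = str_replace('\\', '/', trim($target));
    $parts = parse_url($normalised);
    if ($parts === false) {
        return $home;
    }

    // Only http(s) targets may be redirected to; javascript:, data: etc. are rejected.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $home;
    }

    if (!isset($parts['host'])) {
        // No host means a relative path on this site. Browsers collapse extra
        // leading slashes ("///evil.example" leaves the site), so reject those.
        return str_starts_with($normalised, '//') ? $home : $target;
    }

    $host = strtolower($parts['host']);
    if ($host === $homeHost || in_array($host, $allowedHosts, true)) {
        return $target;
    }
    return $home;
}

$home    = 'https://example.com';
$allowed = um_example_parse_allowed_hosts("partner.example\n\nPAYMENTS.EXAMPLE\n");

// Constructed redirect targets covering the common bypass shapes.
$targets = [
    '/account/',                          // relative path: allowed
    'https://partner.example/return',     // listed host: allowed
    'https://Payments.Example/checkout',  // listed host, different case: allowed
    'https://evil.example/phish',         // unlisted host: home page
    '//evil.example/phish',               // scheme-relative: home page
    'https://example.com@evil.example/',  // userinfo trick, real host is evil.example: home page
    'javascript:alert(1)',                // not http(s): home page
];
foreach ($targets as $t) {
    printf("%-40s -> %s\n", $t, um_example_safe_redirect($t, $allowed, $home));
}
```

WordPress core exposes the same idea through `wp_safe_redirect()` and the `allowed_redirect_hosts` filter; the point of comparing parsed hosts rather than URL prefixes is that `https://example.com@evil.example/` starts with the home URL but lands on a different host.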

Additional Features: 

Blocked for Suspicious Activity

This feature flags a user and blocks the account, registration, and profile forms if the user attempts to inject the wp_capabilities and wp_user_level meta keys. This was a reported vulnerability prior to version 2.6.7.

In wp-admin > Users, the status will show as "Membership Rejected/Inactive" and "Blocked for Suspicious Activity" if the user is suspected of injecting the mentioned meta keys.

You can restore the account by clicking the Restore Account link under the account status. This action will restore the following:

  • Account Status
  • User Role
  • Related Capabilities of the Role
  • Notification Email

Notification Email

If you go to wp-admin > Ultimate Member > Settings > Email, you'll find the "Secure: Suspicious Account Activity" email. Click on the "Manage" button to access the email settings.

When this email is enabled, all administrators will receive a notification about the suspicious activity, including details of the suspicious accounts.