Security Feature

Due to the security incident, sites that are using our plugin have been vulnerable to being hacked or injected with malware that sniffs login inputs, so we recommend that you reset all your users' passwords and secure your site with this new security feature. This feature scans for suspicious registered accounts, bans the use of administrative capabilities by site subscribers/members, and allows website administrators to force all users to reset their passwords, preventing users from logging in with old passwords that may have been exposed. You can find these settings in wp-admin > Ultimate Member > Settings > Secure.

Secure Ultimate Member Settings

  • Banned Administrative Capabilities
    • The purpose of this setting is to flag any suspicious user who injects or modifies the wp_capabilities and wp_user_level meta keys, in case that user bypasses the form validation. This feature checks the integrity of the capabilities of the current user whenever they register or update their profile/account.

    • For example, create a new user role called "Customer A" in wp-admin > Ultimate Member > User Roles > Add new and set the user role's WP Capabilities to "import", "export" and "read".


      Note: Only ban these capabilities if no role other than the administrator uses them. For example, if one of your user roles, let's say "Customer A", has a capability that is on the banned list, users with this role (Customer A) may get flagged once they update their profile/account.

    • Once you've created this "Customer A" role, create a new user in wp-admin > Users > Add new and assign the "Customer A" role. Then click the Add New User button to save.
    • Now go back to wp-admin > Ultimate Member > Settings > Secure > Banned Administrative Capabilities. By default, all the Secure settings are selected; for this example, select only "create_sites", then uncheck the two settings below so they won't interfere, and save the settings:
      • Lock All Register Forms
      • Display Login form notice to reset passwords
    • Open a new browser and log in to your site using the new user's account. Go to the user's profile form, edit the profile (make sure you actually change something), then update the profile.

    • Now go back to the other browser where your admin account is logged in, and check in wp-admin > Users whether the user's status has changed and the user has been flagged.

    • If the status did not change and the user was not flagged, go to wp-admin > Ultimate Member > Settings > Secure and check the "import" capability.
    • The capabilities listed there are based on the administrator role. If necessary, uncheck specific capabilities when third-party plugins use them or your site has different needs. In the banned option, you may stick with the three locked capabilities: manage_options, promote_users, and level_10.
    • Now go back to the browser where your test account is logged in, repeat the steps, and edit and update the user's profile. The account will automatically be logged out after you update the profile, and it will show the message "Your account has been disabled."
    • Then go back to the other browser with your admin account and check in wp-admin > Users whether the Role was flagged, the Account status was changed, and the user has a flagged message.
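The integrity check that the walkthrough above exercises, written out as an added example (this is not Ultimate Member's own code): a member's stored capability map is compared against the banned list after a profile/account update, and a match flags and disables the account. The meta key um_example_flagged, the sample roles and the capability data are constructed for this example; the core WordPress calls in the wiring section (get_userdata, update_user_meta, WP_User::set_role, WP_Session_Tokens) are real.

```php
<?php
// Added example, not Ultimate Member's own code: the integrity rule behind
// "Banned Administrative Capabilities". Constructed assumptions: the meta key
// 'um_example_flagged' and all sample role/capability data below.

/**
 * Return the banned capabilities a user actually holds.
 *
 * @param array<string,bool> $userCaps unserialized wp_capabilities meta (roles and caps => true/false)
 * @param string[]           $banned   capabilities a member must never hold
 * @return string[]
 */
function um_example_banned_caps_held(array $userCaps, array $banned): array
{
    $held = [];
    foreach ($banned as $cap) {
        // Only an explicitly granted capability (true) counts; a false entry denies it.
        if (!empty($userCaps[$cap])) {
            $held[] = $cap;
        }
    }
    return $held;
}

/**
 * Should this account be flagged? Administrators are exempt because the banned
 * list is derived from the administrator role itself.
 *
 * @param string[] $roles role slugs assigned to the user
 */
function um_example_should_flag(array $userCaps, array $roles, array $banned): bool
{
    if (in_array('administrator', $roles, true)) {
        return false;
    }
    return um_example_banned_caps_held($userCaps, $banned) !== [];
}

// ---- Offline demonstration with constructed data -----------------------------
$banned = ['manage_options', 'promote_users', 'level_10', 'create_sites', 'import'];

$samples = [
    // "Customer A" from the walkthrough: import, export, read. Flagged because
    // "import" is on the banned list, the case the Note above warns about.
    'customer_a' => [['import' => true, 'export' => true, 'read' => true], ['customer_a']],
    // A subscriber whose wp_capabilities meta was tampered with to add manage_options.
    'tampered'   => [['subscriber' => true, 'read' => true, 'manage_options' => true], ['subscriber']],
    // An ordinary subscriber: nothing to flag.
    'clean'      => [['subscriber' => true, 'read' => true], ['subscriber']],
];
foreach ($samples as $label => [$caps, $roles]) {
    $held = implode(', ', um_example_banned_caps_held($caps, $banned));
    printf("%-10s flagged=%s banned caps held: %s\n", $label,
        um_example_should_flag($caps, $roles, $banned) ? 'yes' : 'no', $held === '' ? '-' : $held);
}

// ---- WordPress wiring (runs only when loaded inside WordPress) ---------------
if (function_exists('add_action')) {
    add_action('profile_update', function ($userId): void {
        $user = get_userdata((int) $userId);
        if (!$user) {
            return;
        }
        // The three capabilities the page keeps locked in the banned list.
        $banned = ['manage_options', 'promote_users', 'level_10'];
        // $user->caps is the raw capabilities meta (the key is $wpdb->prefix . 'capabilities').
        if (!um_example_should_flag((array) $user->caps, (array) $user->roles, $banned)) {
            return;
        }
        // Flag the account, strip every role and capability, and end all of the
        // user's sessions so the next request is no longer authenticated.
        update_user_meta($user->ID, 'um_example_flagged', current_time('mysql'));
        $user->set_role('');
        WP_Session_Tokens::get_instance($user->ID)->destroy_all();
    });
}
```

Run the file with the PHP CLI to see the three constructed cases evaluated; inside WordPress the same functions attach to the profile_update hook. Note that the banned capability has to be granted explicitly in the user's own meta to count, which is exactly the injection the setting is meant to catch.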

  • Scanner
    • This setting scans existing users who have the meta keys "wp_user_level" and "wp_capabilities" and who submitted registrations through the registration form; it can also report the number of user accounts that registered on the same date as a suspicious account.
    • When you click the "Scan now" button, it displays one of the following results:
      • If no suspicious account is detected, it displays a green circle with a white checkmark icon and the message: No suspicious accounts found. See an example image below:
      • If a suspicious account is detected, it displays a red flag icon with the message: Suspicious Account Detected, along with the number of suspicious accounts detected; it also notifies you that the account is temporarily disabled and reports the number of users who registered on the same date the suspicious account was created. See an example image below:
      • If you scroll down from the results, you can see Ultimate Member's recommendations for securing the site and more.
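The scan described above, as an added example that is not Ultimate Member's own scanner: a pure function over user records flags form-registered accounts holding a banned capability and, for each, counts the other accounts registered on the same date. The record shape, the registered_via_form marker, its placeholder meta key and every sample account are constructed; the page does not document which meta key the plugin uses to mark form registrations.

```php
<?php
// Added example, not Ultimate Member's own scanner. Constructed assumptions:
// the record shape, the 'registered_via_form' marker (and its placeholder meta
// key in the WordPress wiring) and all sample accounts.

/**
 * @param array<int,array{id:int,login:string,registered:string,registered_via_form:bool,caps:array<string,bool>}> $users
 * @param string[] $banned
 * @return array{count:int,suspicious:array<int,array{id:int,login:string,banned_caps:string[],same_day_registrations:int}>}
 */
function um_example_scan_users(array $users, array $banned): array
{
    // Registrations per calendar day, keyed by the date part of user_registered.
    $perDay = [];
    foreach ($users as $u) {
        $day = substr($u['registered'], 0, 10);
        $perDay[$day] = ($perDay[$day] ?? 0) + 1;
    }

    $suspicious = [];
    foreach ($users as $u) {
        if (!$u['registered_via_form']) {
            continue; // accounts created by an administrator in wp-admin are out of scope
        }
        $held = array_values(array_filter($banned, function ($cap) use ($u) {
            return !empty($u['caps'][$cap]);
        }));
        if ($held === []) {
            continue;
        }
        $day = substr($u['registered'], 0, 10);
        $suspicious[] = [
            'id'                     => $u['id'],
            'login'                  => $u['login'],
            'banned_caps'            => $held,
            // exclude the suspicious account itself from the same-day count
            'same_day_registrations' => $perDay[$day] - 1,
        ];
    }
    return ['count' => count($suspicious), 'suspicious' => $suspicious];
}

/** Render the result the way the Secure page describes the two outcomes. */
function um_example_render_scan(array $report): string
{
    if ($report['count'] === 0) {
        return "No suspicious accounts found.\n";
    }
    $out = "Suspicious Account Detected: {$report['count']} account(s) temporarily disabled.\n";
    foreach ($report['suspicious'] as $s) {
        $out .= sprintf("  #%d %s holds [%s]; %d other user(s) registered the same day\n",
            $s['id'], $s['login'], implode(', ', $s['banned_caps']), $s['same_day_registrations']);
    }
    return $out;
}

// ---- Offline demonstration with constructed data -----------------------------
$banned = ['manage_options', 'promote_users', 'level_10'];
$users = [
    ['id' => 1, 'login' => 'admin', 'registered' => '2023-01-10 09:00:00', 'registered_via_form' => false, 'caps' => ['administrator' => true]],
    ['id' => 7, 'login' => 'alice', 'registered' => '2023-06-20 08:15:00', 'registered_via_form' => true,  'caps' => ['subscriber' => true]],
    ['id' => 8, 'login' => 'bob',   'registered' => '2023-06-20 08:16:30', 'registered_via_form' => true,  'caps' => ['subscriber' => true]],
    // injected wp_capabilities: subscriber role plus manage_options and level_10
    ['id' => 9, 'login' => 'x7f2q', 'registered' => '2023-06-20 08:17:05', 'registered_via_form' => true,  'caps' => ['subscriber' => true, 'manage_options' => true, 'level_10' => true]],
];
echo um_example_render_scan(um_example_scan_users($users, $banned));

// ---- WordPress wiring (runs only when loaded inside WordPress) ---------------
if (class_exists('WP_User_Query')) {
    $records = [];
    foreach ((new WP_User_Query(['fields' => 'all']))->get_results() as $wpUser) {
        $records[] = [
            'id'                  => $wpUser->ID,
            'login'               => $wpUser->user_login,
            'registered'          => $wpUser->user_registered,
            // placeholder meta key; substitute the plugin's own registration marker
            'registered_via_form' => (bool) get_user_meta($wpUser->ID, 'um_example_registered_via_form', true),
            'caps'                => (array) $wpUser->caps, // raw capabilities meta
        ];
    }
    echo um_example_render_scan(um_example_scan_users($records, $banned));
}
```

The same-day count is the useful triage signal the page mentions: a suspicious account created in the middle of a burst of registrations is worth reviewing together with its neighbours, which is why the example reports the count per flagged account rather than one global number.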

  • Lock All Register Forms
    • If enabled, this setting prevents all users from registering with Ultimate Member on your site.

    • If users try to submit a registration through any Ultimate Member Register form, they will be redirected to the login form with the message:
      "Important: This site is currently under maintenance. Please check back soon."

  • Display Login form notice to reset passwords
    • If enabled, this setting forces users to reset their passwords (one time) and prevents them from logging in with their old password.

    • If a user logs out and logs in again after the update, they will get this message:
      Important: Your password has expired. This (one-time) change requires you to reset your password. Please click here to reset your password via Email.
    • When a user clicks on the password reset link in the Important Message, they are redirected to the password reset page, where they can obtain a password reset link.

    • If the user resets their password and enters the old password, the following error notice will appear: "Your new password cannot be same as old password." We recommend that you enable the Require a Strong Password option in WP Admin > Ultimate Member > Settings > General > Users.

  • Expire All Users Sessions
    • This setting logs out all users (except yourself) when the "Log-out user(n)" button is clicked, and forces them to reset their passwords when "Display Login form notice to reset passwords" is enabled.
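The rules from "Display Login form notice to reset passwords" and "Expire All Users Sessions" above, as one added example that is not Ultimate Member's own code: a one-time forced reset that refuses the (still correct) old password at login, a reset form that rejects a new password equal to the old one and optionally requires a strong one, and an expire-all routine that flags and logs out every user except the current one. The meta key um_example_pw_expired, the option um_example_require_strong, the strength rule and the sample password are constructed; the WordPress hooks used in the wiring (wp_authenticate_user, validate_password_reset, after_password_reset) and the functions wp_check_password, wp_lostpassword_url and WP_Session_Tokens are real core APIs.

```php
<?php
// Added example, not Ultimate Member's own code. Constructed assumptions: the
// meta key 'um_example_pw_expired', the option 'um_example_require_strong',
// the strength rule in um_example_is_strong() and the sample password.

/** Constructed strength rule (not the plugin's own): 12+ characters, three of four classes. */
function um_example_is_strong(string $password): bool
{
    $classes = (int) preg_match('/[a-z]/', $password) + (int) preg_match('/[A-Z]/', $password)
             + (int) preg_match('/\d/', $password) + (int) preg_match('/[^a-zA-Z\d]/', $password);
    return strlen($password) >= 12 && $classes >= 3;
}

/**
 * Reasons the proposed new password must be rejected; an empty array means it is accepted.
 *
 * @param callable $matchesCurrent fn(string $candidate): bool, true if it equals the current password
 * @return string[]
 */
function um_example_check_new_password(string $new, callable $matchesCurrent, bool $requireStrong): array
{
    $errors = [];
    // Compare against the stored hash through the callback, never against a stored plaintext.
    if ($matchesCurrent($new)) {
        $errors[] = 'Your new password cannot be same as old password.';
    }
    if ($requireStrong && !um_example_is_strong($new)) {
        $errors[] = 'Password is not strong enough.';
    }
    return $errors;
}

/** Login gate for the one-time reset: returns the notice to show, or null if login may continue. */
function um_example_login_block(bool $passwordExpired, string $resetUrl): ?string
{
    if (!$passwordExpired) {
        return null;
    }
    return 'Important: Your password has expired. This (one-time) change requires you to '
         . 'reset your password. Please visit ' . $resetUrl . ' to reset your password via Email.';
}

// ---- Offline demonstration with constructed data -----------------------------
$currentHash = password_hash('Winter2023!!', PASSWORD_DEFAULT); // constructed current password
$matches = function (string $p) use ($currentHash): bool { return password_verify($p, $currentHash); };
foreach (['Winter2023!!', 'short1!', 'Correct-Horse-Battery-9'] as $candidate) {
    $errs = um_example_check_new_password($candidate, $matches, true);
    printf("%-24s %s\n", $candidate, $errs === [] ? 'accepted' : implode(' | ', $errs));
}
echo um_example_login_block(true, 'https://example.org/password-reset/'), "\n";

// ---- WordPress wiring (runs only when loaded inside WordPress) ---------------
if (function_exists('add_filter')) {
    // "Expire All Users Sessions": flag every other user's password and end their sessions.
    function um_example_expire_all_users(): void
    {
        $me = get_current_user_id();
        foreach (get_users(['fields' => 'ID']) as $id) {
            $id = (int) $id;
            if ($id === $me) {
                continue;
            }
            update_user_meta($id, 'um_example_pw_expired', 1);
            WP_Session_Tokens::get_instance($id)->destroy_all();
        }
    }
    // Refuse login while the flag is set, even with the correct old password.
    add_filter('wp_authenticate_user', function ($user) {
        if ($user instanceof WP_User && get_user_meta($user->ID, 'um_example_pw_expired', true)) {
            return new WP_Error('um_example_pw_expired', um_example_login_block(true, wp_lostpassword_url()));
        }
        return $user;
    });
    // On the reset form, reject the old password and, when required, a weak one.
    add_action('validate_password_reset', function (WP_Error $errors, $user): void {
        if (!($user instanceof WP_User) || !isset($_POST['pass1'])) {
            return;
        }
        $new = (string) wp_unslash($_POST['pass1']);
        // wp_check_password() understands WordPress's own hash formats, unlike password_verify() alone.
        $matches = function (string $p) use ($user): bool { return wp_check_password($p, $user->user_pass, $user->ID); };
        foreach (um_example_check_new_password($new, $matches, (bool) get_option('um_example_require_strong', true)) as $e) {
            $errors->add('um_example_reset', $e);
        }
    }, 10, 2);
    // Clear the one-time flag once the reset has succeeded.
    add_action('after_password_reset', function ($user): void {
        delete_user_meta($user->ID, 'um_example_pw_expired');
    });
}
```

The login gate deliberately runs after WordPress has already verified the password (wp_authenticate_user fires only for a correct password), so a leaked but still-correct password cannot be used until the owner completes the reset, and the reset itself cannot simply put the leaked password back.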

  • Enable ban for administrative capabilities
    • If enabled, anyone attempting to inject capabilities into Account, Profile, or Register form submissions will be banned.
  • Notify Administrators
    • This setting only appears if you have enabled the ban for administrative capabilities setting. If there are flagged accounts, the admins are notified according to one of 3 notification schedule options:
      • Send Immediately
      • Hourly - If multiple accounts have been flagged within an hour, the admin will receive a single email after an hour
      • Daily - If multiple accounts have been flagged within a day, the admin will receive a single email after a day
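The three notification schedules above as a small batching queue, added here as an example that is not Ultimate Member's own code: "Send Immediately" mails on every flag, while "Hourly" and "Daily" collect flags and deliver one email per interval, so a burst of flagged accounts does not flood the administrators' inboxes. The class name, the option and cron hook names and the sample events are constructed; wp_schedule_event, wp_next_scheduled, get_users and wp_mail are real WordPress functions, and 'hourly' and 'daily' are core WP-Cron recurrences.

```php
<?php
// Added example, not Ultimate Member's own code. Constructed assumptions: the
// class, option and cron hook names and the sample flag events.

final class UmExampleFlagQueue
{
    const INTERVALS = ['immediately' => 0, 'hourly' => 3600, 'daily' => 86400];

    /** @var array<int,array{user_id:int,login:string,time:int}> */
    private $pending = [];
    /** @var string one of the INTERVALS keys */
    private $schedule;
    /** @var int unix time the last batch was sent */
    private $lastSent;

    public function __construct(string $schedule, int $now)
    {
        if (!isset(self::INTERVALS[$schedule])) {
            throw new InvalidArgumentException("unknown schedule: $schedule");
        }
        $this->schedule = $schedule;
        $this->lastSent = $now;
    }

    /** Record a flagged account; returns the email body if it must go out right now. */
    public function add(int $userId, string $login, int $now): ?string
    {
        $this->pending[] = ['user_id' => $userId, 'login' => $login, 'time' => $now];
        return $this->schedule === 'immediately' ? $this->flush($now) : null;
    }

    /** Called by the scheduler; returns the email body when a batch is due, otherwise null. */
    public function tick(int $now): ?string
    {
        $due = ($now - $this->lastSent) >= self::INTERVALS[$this->schedule];
        return ($this->pending !== [] && $due) ? $this->flush($now) : null;
    }

    public function pendingCount(): int
    {
        return count($this->pending);
    }

    private function flush(int $now): string
    {
        $lines = array_map(function (array $e): string {
            return sprintf('- #%d %s flagged at %s UTC', $e['user_id'], $e['login'], gmdate('Y-m-d H:i:s', $e['time']));
        }, $this->pending);
        $this->pending  = [];
        $this->lastSent = $now;
        return sprintf("%d account(s) flagged for banned administrative capabilities:\n%s\n",
            count($lines), implode("\n", $lines));
    }
}

// ---- Offline demonstration with constructed events ---------------------------
$t0 = gmmktime(9, 0, 0, 6, 20, 2023);
$hourly = new UmExampleFlagQueue('hourly', $t0);
$hourly->add(9, 'x7f2q', $t0 + 5 * 60);
$hourly->add(10, 'q9zz1', $t0 + 20 * 60);
echo "after 30 min: ", $hourly->tick($t0 + 30 * 60) === null ? "nothing sent, {$hourly->pendingCount()} pending\n" : "sent\n";
echo "after 61 min:\n", $hourly->tick($t0 + 61 * 60) ?? "nothing sent\n";

$immediate = new UmExampleFlagQueue('immediately', $t0);
echo "immediately:\n", $immediate->add(11, 'r4k2m', $t0 + 60);

// ---- WordPress wiring (runs only when loaded inside WordPress) ---------------
if (function_exists('add_action')) {
    // Schedule hourly/daily delivery with WP-Cron ('hourly' and 'daily' are core recurrences).
    add_action('init', function (): void {
        $schedule = get_option('um_example_notify_schedule', 'hourly');
        if ($schedule !== 'immediately' && !wp_next_scheduled('um_example_notify_admins')) {
            wp_schedule_event(time(), $schedule, 'um_example_notify_admins');
        }
    });
    // Deliver a due batch to every user with the administrator role.
    add_action('um_example_notify_admins', function (): void {
        $queue = get_option('um_example_flag_queue');
        if (!$queue instanceof UmExampleFlagQueue) {
            return;
        }
        $body = $queue->tick(time());
        update_option('um_example_flag_queue', $queue); // persist the emptied queue
        if ($body === null) {
            return;
        }
        foreach (get_users(['role' => 'administrator']) as $admin) {
            wp_mail($admin->user_email, 'Secure: Suspicious Account Activity', $body);
        }
    });
}
```

Persisting the queue in an option keeps the batch across requests; if you adopt this pattern, write the queue in the same place the flag is raised (after the capability check) so an event is never lost between the flag and the next cron run.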

  • Allowed hosts for safe redirect (one host per line)
    • This feature lets you add a list of trusted hosts so that users may be safely redirected to a third-party server when necessary. The option is used for host (URL) validation: a redirect proceeds only if the target host is on the allowed list. If the host is not on the allowed list, the redirect to the untrusted host does not proceed; the user is redirected to your site's home page instead.
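A redirect validator that behaves as the setting above describes, added as an example that is not Ultimate Member's own code: the target is followed only when its host is the site itself or appears in the one-host-per-line allow list; otherwise the user goes to the site's home page. The option name um_example_allowed_hosts and every URL below are constructed. The wiring at the end uses the real WordPress allowed_redirect_hosts filter and wp_validate_redirect(); note that core's wp_safe_redirect() falls back to the admin URL by default, so the example passes home_url() explicitly to get the home-page fallback the setting promises.

```php
<?php
// Added example, not Ultimate Member's own code. Constructed assumptions: the
// option name 'um_example_allowed_hosts' and all sample hosts and URLs.

/**
 * Parse the textarea setting (one host per line) into a normalized host list.
 * Blank lines and lines starting with '#' are ignored; a full URL is reduced to its host.
 *
 * @return string[]
 */
function um_example_parse_allowed_hosts(string $setting): array
{
    $hosts = [];
    foreach (preg_split('/\R/', $setting) as $line) {
        $line = strtolower(trim($line));
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $parts = parse_url(strpos($line, '://') === false ? 'https://' . $line : $line);
        if (is_array($parts) && !empty($parts['host'])) {
            $hosts[$parts['host']] = true;
        }
    }
    return array_keys($hosts);
}

/**
 * Return $location if it is safe to follow, otherwise $fallback (the home page).
 *
 * @param string[] $allowedHosts from um_example_parse_allowed_hosts()
 * @param string   $siteHost     host of this WordPress site, always allowed
 */
function um_example_validate_redirect(string $location, array $allowedHosts, string $siteHost, string $fallback): string
{
    // Browsers treat "\" like "/", so "/\evil.example" would become a protocol-relative
    // URL. Normalize before parsing so the host check sees what the browser will see.
    $location = str_replace('\\', '/', trim($location));
    $parts = parse_url($location);
    if ($parts === false) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return $fallback; // javascript:, data: and other schemes never redirect
    }
    if (empty($parts['host'])) {
        // Path-only target such as "/account" stays on this site; anything else
        // without a host (empty, or a second leading slash) is not trusted.
        return ($location !== '' && $location[0] === '/' && ($location[1] ?? '') !== '/') ? $location : $fallback;
    }
    $host = strtolower($parts['host']);
    if ($host === strtolower($siteHost) || in_array($host, $allowedHosts, true)) {
        return $location;
    }
    return $fallback;
}

// ---- Offline demonstration with constructed data -----------------------------
$allowed  = um_example_parse_allowed_hosts("partner.example\n# comment\nhttps://Shop.Example/checkout\n");
$siteHost = 'www.example.org';
$home     = 'https://www.example.org/';
$targets = [
    'https://partner.example/welcome',   // listed host: followed
    'https://shop.example/cart?id=5',    // listed via a full URL line: followed
    'https://www.example.org/account',   // the site itself: followed
    '/account',                          // relative path: followed
    'https://unknown.example/page',      // not listed: home page
    '/\\unknown.example',                // backslash trick: home page
    'javascript:alert(1)',               // unsupported scheme: home page
];
foreach ($targets as $t) {
    printf("%-34s -> %s\n", $t, um_example_validate_redirect($t, $allowed, $siteHost, $home));
}

// ---- WordPress wiring (runs only when loaded inside WordPress) ---------------
if (function_exists('add_filter')) {
    // Feed the saved setting into core's allow list so wp_safe_redirect() honors it too.
    add_filter('allowed_redirect_hosts', function (array $hosts): array {
        return array_values(array_unique(array_merge($hosts,
            um_example_parse_allowed_hosts((string) get_option('um_example_allowed_hosts', '')))));
    });
    // Validate with the home page as the fallback, as the setting describes.
    function um_example_redirect_to(string $location): void
    {
        wp_redirect(wp_validate_redirect($location, home_url('/')));
        exit;
    }
}
```

The host comparison uses parse_url on the normalized string, so a target with user-info (https://www.example.org@unknown.example/) is compared by its real host, not by the text that appears before the @.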

Additional Feature

  • Blocked for suspicious activity
    • This feature flags the user and blocks the account, registration, and profile forms if the user tries to inject the wp_capabilities and wp_user_level meta keys. This is the vulnerability reported in versions prior to 2.6.7.
    • In wp-admin > Users, the Status column shows that the membership is rejected and "Blocked for suspicious activity" if the user is suspected of injecting the meta keys mentioned above.
    • You can restore the account by clicking the "Restore Account" link under the account status. Clicking this link restores the following for the user:
      • Account Status
      • User Role
      • Related Capabilities of the Role
    • Notification Email
      • If you go to wp-admin > Ultimate Member > Settings > Email, you'll find the Secure: Suspicious Account Activity email. Click on the gear icon to go to the email setting.

      • When this email is enabled, all admins with administrator roles will receive an email that informs them about the suspicious activity, including the suspicious accounts.