Ultimate member 2.6.7 and still hacked
-
I immediately installed 2.6.7 when it became available a few weeks ago, but when I woke up this morning (14th of july) 2 new accounts were created on my website one with admin rights and one normal user one! It is a closed site and I am the only person who can create accounts (normally) . Luckily I’m also monitoring the change and creation of accounts, so I was informed right away.
I did not remove the accounts right away, but demoted the role of the users in question and changed their password just in case until I further checked out the rest of the website.
i think the best way now to move forward is to recreate the site from backup, since I do not know what happened meanwhile to the website.
Please advice!
-
I’m not a professional but maybe you can add a restriction in the code? I might do the same with my site using Ultimate Member. I will only have 1 or 2 admins and not planning to make more. If I do though, I’ll just edit the code maybe.
ChatGPT gave me this code. I would like to ask the devs if this code will help or not? Thanks.
function restrict_admin_access() { // Get the current user $user = wp_get_current_user(); // Check if the user is logged in and their email is not allowed if (is_user_logged_in() && !in_array($user->user_email, array('[email protected]', '[email protected]'))) { wp_logout(); // Log out the user wp_safe_redirect(home_url()); // Redirect to the homepage or another appropriate page exit(); } } add_action('init', 'restrict_admin_access');Edit: This code will still let malicious attackers create admin accounts, but it will prevent them from using the admin page I hope….
- The topic ‘Ultimate member 2.6.7 and still hacked’ is closed to new replies.
