Works, but I don’t trust it anymore

*edit to original review.

There were no backdoors after the previous hacks. The vulnerability came directly from the UM plugin. The really serious vulnerabilities were patched since version 2.0.46, but just look at the changelogs. Vulnerability patches in just about every release going back months.

*original review:

Ever since the vulnerability that got introduced by this plugin late in 2018 we have had problems. Even though the original vulnerability is patched, there is probably still an old back door somewhere that we’re struggling to pin down.

It has become a game of cat and mouse between some really nasty (I mean really nasty) hackers who keep getting in and adding shell scripts before trying to upload their own directories onto the server (above the WP installation but in the public directory).

The most recent hack they managed to inject 5 directories with links to the most awful sites, sickening.

We dealt with it, hardened the site, reinstalled things, changed passwords, the whole shebang. We have malware scanning in place using reputable companies, and the problem is under control for the time being.. but.. but!

Someone is still getting in with some kind of advanced tool. We catch them, remove the fake null admin account, delete the shell if they manage to get that far before they are caught, but they keep on hammering away (no doubt with a bot).

The problem is that after that first breach, the one that happened because of the vulnerability in UM from late 2018, there are now over 100K hits a week from the link farms that still have our site listed as a place to go to find whatever smut they think is there. We have become a target.

There is nothing you can do about this other than change the domain name. Because we are now a target, the hackers are still managing to find ways to get through on occasion, and I just can’t shake the feeling that the weakness is still in this UM plugin.

I feel annoyed and am venting my frustration, and if I had detailed evidence of how they are doing it I would do the correct thing and do a responsible disclosure to the developers, although the main breach that happened in 2018 was reportedly disclosed responsibly to them on more than one occasion by known security analysts, and they dragged their heels and didn’t act until it was too late.

We are in process of rebuilding the site (it has 1000’s of members) so that we can dump UM.

I used to be quite a fan, but I cannot recommend this plugin.