This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Ultimate Member is a free WordPress plugin that makes it extremely easy to create powerful online communities and beautiful user profiles with WordPress. I am also a big fan of Ultimate Member; recently, four of my sites used the WordPress plugin ‘Ultimate Member’ and The7 theme. This hack causes websites to redirect to URLs such as utroro[.]com, murieh[.]space, and unverf[.]com. It can also display fake CAPTCHA images that ask you to click “Allow” in your browser’s notification area.
Worst of all, these PHP scripts will attack other sites via this server (the Amazon AWS Abuse Team reported this issue to me).
I researched this issue on Google, and I’m not the only one! An estimated 5500 or so websites are infected with one of the scripts.
How do I tell whether my site was attacked?
- Your site keeps redirecting to other websites (e.g. a simple popup that asks your customers/readers to click the captcha)
- Your site works as normal, but your server is sending attack traffic to others
- There are unknown PHP files in the public_html and media folders, such as wp-super-cache.php (fake cache files)
How to Fix the Issue?
Wordfence Scan and Firewall
If you can access the WordPress dashboard, install the Wordfence plugin and run a full-site scan.
If you use cPanel, enable Hotlink Protection.
MOST IMPORTANT STEP – REMOVE ULTIMATE MEMBER FROM YOUR SITE!
If you still want to keep Ultimate Member, delete all PHP files in subdirectories under wp-content/uploads/ultimatemember/temp/ and disable execution of PHP files in this folder.
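
The check and cleanup described above can be scripted. The following is an added example, not part of the original post: it lists PHP files anywhere under wp-content/uploads, moves those in subdirectories of the Ultimate Member temp folder into a quarantine directory (rather than deleting them, so they can still be examined), and writes an .htaccess that blocks PHP execution there. It assumes Apache 2.4 honouring .htaccess and GNU or BSD find; the function names and the demo tree are constructed for illustration.

```sh
# Added example: audit uploads for PHP and lock down the Ultimate Member temp folder.

# Print every PHP-like file under wp-content/uploads of the WordPress root $1.
# Uploads should hold media only, so each hit needs review.
find_upload_php() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
        2>/dev/null | sort
}

# Move PHP-like files from subdirectories of the Ultimate Member temp folder
# (WordPress root $1) into quarantine directory $2, keeping the relative path
# in the new file name, then block PHP execution in the temp folder.
lock_um_temp() (
    temp="$1/wp-content/uploads/ultimatemember/temp"
    [ -d "$temp" ] || exit 0
    mkdir -p "$2"
    find "$temp" -mindepth 2 -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
        -exec sh -c '
            t=$1 q=$2; shift 2
            for f; do
                mv -- "$f" "$q/$(printf %s "${f#"$t"/}" | tr / _).quarantined"
            done' sh "$temp" "$2" {} +
    # Assumption: Apache 2.4 with AllowOverride permitting this .htaccess.
    cat > "$temp/.htaccess" <<'EOF'
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
)

# Constructed demo tree (not a real site): one planted PHP file, one image.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads/ultimatemember/temp/abc123" "$demo/wp-content/uploads/2024"
echo '<?php /* constructed sample */' > "$demo/wp-content/uploads/ultimatemember/temp/abc123/n.php"
: > "$demo/wp-content/uploads/2024/photo.jpg"
echo "PHP files in uploads before:"; find_upload_php "$demo"
lock_um_temp "$demo" "$demo/quarantine"   # on a real server, use a path outside the web root
echo "PHP files in uploads after:"; find_upload_php "$demo"
rm -rf "$demo"
```

Any path that `find_upload_php` still prints after the lock-down is a PHP file elsewhere in uploads and needs the same review.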