if($last_scanned_capability===$cap){// if this was the last capability, skip this and proceed the next loop.
$proceed=true;
continue;
}
}
if(!$proceed){
continue;
}
$args=array(
'capability'=>$cap,
'role__not_in'=>array('administrator'),
'fields'=>'ids',
);
$wp_user_query=newWP_User_Query($args);
$count_users=$wp_user_query->get_total();
if($count_users<=0){
$message='<strong>`'.esc_html($cap).'`</strong> <span style="color:green">'.esc_html__(' is safe ').'</span>';
}else{
$user_affected=true;
$message='<strong>`'.esc_html($cap).'`</strong> <span style="color:red">'.sprintf(/* translators: has affected %d user account */_n('has affected %d user account.',' has affected %d user accounts.',$count_users,'ultimate-member'),$count_users).'</span>';
$content.=$br.__('We have found ','ultimate-member').'<strong style="color:red;">'./* translators: %s suspcious account */sprintf(_n('%s suspcious account','%s suspcious accounts',$suspicious_accounts_count,'ultimate-member'),$suspicious_accounts_count).'</strong> '.__('created on your site via Ultimate Member Forms.','ultimate-member');
$content.=$br.__('We\'ve temporarily disabled the suspcious account(s) for you to <strong>take actions</strong>.','ultimate-member');
$content.=$br.$br.__('Also, We\'ve found ','ultimate-member').'<strong style="color:red;">'./* translators: %s suspcious account */sprintf(_n('%s account','%s accounts',$might_affected_users->get_total(),'ultimate-member'),$might_affected_users->get_total()).'</strong> '.sprintf(_n('created on %s when the suspicious account was created.','created on %s when the suspicious accounts were created.',$suspicious_accounts_count,'ultimate-member'),$date_registered);
$content.=$br.'<div style="padding:10px; border:1px solid #ccc;"><strong style="color:red">WARNING:</strong> Ensure that you\'ve created a full backup of your site as your restoration point before changing anything on your site with our recommendations.</div>';
$content.=$br.'1. Please temporarily lock all your active Register forms. <a href="'.esc_attr($lock_register_forms_url).'" target="_blank">Click here to lock them now.</a> You can unblock the Register forms later. Just go to Ultimate Member > Settings > Secure > uncheck the option "Lock All Register Forms".';
$content.='2. Review all suspicious accounts and delete them completely. <a href="'.esc_attr($suspicious_accounts_url).'" target="_blank">Click here to review accounts.</a>';
$content.='4. If accounts are suspicious to you, please destroy all user sessions to logout active users on your site. <a href="'.esc_attr($destroy_all_sessions_url).'" target="_blanl">Click here to Destroy Sessions now</a>';
$content.='4. Run a complete scan on your site using third-party Security plugins such as <a target="_blank" href="'.esc_attr(admin_url('plugin-install.php?s=Jetpack%2520Protect%2520WP%2520Scan&tab=search&type=term')).'">WPScan/Jetpack Protect or WordFence Security</a>.';
$content.='5. Force users to Reset their Passwords. <a target="_blank" href="'.esc_attr($reset_pass_sessions_url).'">Click here to enable this option</a>. When this option is enabled, users will be asked to reset their passwords(one-time) on the next login in the UM Login form.';
$content.=$br.$br;
$content.='6. Once your site is secured, please create or enable Daily Backups of your server/site. You can contact your hosting provider to assist you on this matter.';
$content.=$br.$br.'<strong>Review & Resolve Issues with Site Health Check tool</strong>';
$content.=$br.__('Site Health is a tool in WordPress that helps you monitor how your site is doing. It shows critical information about your WordPress configuration and items that require your attention.','ultimate-member');
if($site_health_issues_total>0){
$content.=$br.$flag.sprintf(/* translators: %d issue in the Site Health status */_n('There\s %d issue in the Site Health status','There are %d issues in the Site Health status',$site_health_issues_total),$site_health_issues_total);
$content.=': <a target="_blank" href="'.admin_url('site-health.php').'">Review Site Health Status</a>';
}else{
$content.=$br.$check.__('There are no issues found in the Site Health status','ultimate-member');
$content.=$br.$flag.'The default WordPress Register form is enabled. If you\'re getting Spam User Registrations, we recommend that you enable a Challenge-Response plugin such as our <a href="https://wordpress.org/plugins/um-recaptcha/" target="_blank">Ultimate Member - ReCaptcha</a> extension.';
$content.=$br.$flag.'You are not blocking email addresses or disposable email domains that are mostly used for Spam Account Registrations. You can get the list of disposable email domains from <a href="https://github.com/champsupertramp/disposable-email-domains/blob/master/um_disposable_email_blocklist.txt" target="_blank">this repository</a> and then add them to <a target="_blank" href="'.esc_attr('admin.php?page=um_options&tab=access§ion=other').'">Blocked Email Addresses</a> options.';
$content.=$br;
}else{
$content.=$br.'The default WordPress Register form is enabled. If you\'re getting Spam User Registrations, we recommend that you enable a Challenge-Response plugin such as our <a href="https://wordpress.org/plugins/um-recaptcha/" target="_blank">Ultimate Member - ReCaptcha</a> extension.';
$content.=$br.$flag.'We have found '.sprintf(/* translators: */_n(' %d user account',' %d user accounts ',$count_users,'ultimate-member'),$count_users);
$content.=sprintf(/* translators: */_n(' affected by %d capability selected in the Banned Administrative Capabilities.',' affected by one of the %d capabilities selected in the Banned Administrative Capabilities.',$count_flagged_caps,'ultimate-member'),$count_flagged_caps);
$content.=$br.$br.'The flagged capabilities are related to the following roles: '.$br.' - '.implode('<br/> - ',array_values($affected_roles));
$content.=$br.$br.'The affected user accounts will be flagged as suspicious when they update their Profile/Account. If you are not using these capabilities, you may remove them from the roles in the <a target="_blank" href="'.admin_url('admin.php?page=um_roles').'">User Role settings</a>. If the roles are not created via Ultimate Member > User Roles, you can use a <a href="'.admin_url('plugin-install.php?s=User%2520Role%2520Editor%2520WordPress%2520&tab=search&type=term').'" target="_blank">third-party plugin</a> to modify the role capability.';
$content.=$br.$br.'We strongly recommend that you never assign roles with the same capabilities as your administrators for your members/users and that may allow them to access the admin-side features and functionalities of your WordPress site.';
$content.=$br.$flag.'We recommend that you install and enable <a href="https://wordpress.org/plugins/um-recaptcha/" target="_blank">ReCaptcha</a> to your Reset Password, Login & Register forms.';
$content.=$br.$flag.'Ultimate Member ReCaptcha is installed but not activated.';
}else{
$content.=$br.$flag.'We recommend that you install and enable <a href="https://wordpress.org/plugins/um-recaptcha/" target="_blank">ReCaptcha</a> to Login & Register forms.';
$content.=$br.$br.'<strong>Keep Themes & Plugins up to date.</strong>';
$content.=$br.__('It is important that you update your themes/plugins if the theme/plugin creators update is aimed at fixing security, bug and vulnerability issues. It is not a good idea to ignore available updates as this may give hackers an advantage when trying to access your website.','ultimate-member');
$content.=$br.$br.$flag.sprintf(/* translators: */_n('There\'s %d plugin that requires an update.','There are %d plugins that require updates',count($update_plugins->response),'ultimate-member'),count($update_plugins->response)).' <a target="_blank" href="'.admin_url('update-core.php').'">Update Plugins Now</a>';
$content.=$br.$br.$flag.sprintf(/* translators: */_n('There\'s %d theme that requires an update.','There are %d themes that require updates',count($update_plugins->response),'ultimate-member'),count($update_plugins->response)).' <a target="_blank" href="'.admin_url('update-core.php').'">Update Themes Now</a>';
$content.=$br.$br.$flag.__('There\'s a new version of WordPress.','ultimate-member').'<a target="_blank" href="'.admin_url('update-core.php').'">Update WordPress Now</a>';
}else{
$content.=$br.$br.$check.__('You\'re using the latest version of WordPress','ultimate-member').'('.esc_attr($wp_version).')';
}
$content.=$br.$br.__('That\'s all. If you have any recommendation on how to secure your site or have questions, please contact us on our <a href="https://ultimatemember.com/feedback/" target="_blank">feedback page</a>. ','ultimate-member');
