We got our friend to test out this hacked script on our site to find out what is happening. It appears that if he disguises the PHP file as an image, he can upload it as a background or an avatar. If he uploads it as an avatar, the outcome is that all of our avatars disappear.
If he uploads it as a background, then we get backdoor viruses on our PCs.
Now we are wondering where the directory for editing avatar uploading and picture uploading is, and I want to find a way to prevent it in the customprofile plugin that was made by Paul Cuffe.
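
One way to reject a PHP file disguised as an image at upload time, as an added example that is not part of the original post and is not code from the customprofile plugin. The function name `store_uploaded_image` and the constant `ALLOWED_IMAGE_TYPES` are hypothetical, and the fileinfo and GD extensions are assumed to be enabled.

```php
<?php
// Added example; function and constant names are hypothetical.
// Assumes PHP 7+ with the fileinfo and GD extensions enabled.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Validates one $_FILES entry and stores a re-encoded copy in $destDir.
// Returns the server-generated file name; throws RuntimeException on rejection.
function store_uploaded_image(array $file, string $destDir, int $maxBytes = 2097152): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > $maxBytes) {
        throw new RuntimeException('Not an HTTP upload, or too large');
    }

    // Detect the type from the file content, never from the client-supplied
    // name or Content-Type, both of which the uploader controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('Not an allowed image type');
    }

    // Decode with GD; content that is not a real image fails here.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    // Server-chosen random name and extension; the original name is discarded,
    // so the stored file can never end in .php.
    $ext  = ALLOWED_IMAGE_TYPES[$mime];
    $path = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // Re-encode from decoded pixels, which drops metadata and trailing bytes.
    if ($ext === 'png') { $ok = imagepng($img, $path); }
    elseif ($ext === 'jpg') { $ok = imagejpeg($img, $path, 90); }
    else { $ok = imagegif($img, $path); }
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return basename($path);
}
```

The upload directory should also be configured so the web server never executes PHP from it, since that setting still applies if a validation step is bypassed.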