Thank you Ray. I do have the option for the new member to upload a photo. Often the members don't upload a photo anyway so I could eliminate that field and have them email it to me.
How can I track down the source of the vulnerability. I talked to HostGator and was told they couldn't tell me how the hacker entered the site. I thought they should be able to tell that. Do you think I should ask again or is there some other way I can determine this?
This is the first time (as far as I can remember) that I've had a site hacked in 17 years of making websites. It was a minor hack and I had the pages removed and site fixed in about 10 minutes. I just don't know a lot about hackers and how they gain access because I haven't had to deal with it. A very good thing!