For as long as I can remember, it’s been possible to configure WordPress like this: under Settings → General, enable “Anyone can register” and set “New User Default Role” to “Administrator”.
In essence, this combination of settings translates to: “Please take my site. No seriously, it’s yours.” Allowing anyone to sign up, and then making every new signup a site administrator, lets any visitor completely take over your site.
Administrators in WordPress can remove users (including you), install plugins, edit theme and plugin files (which means running arbitrary PHP on the server), and much more. Once an attacker has an admin account, you’re screwed.
Recent security vulnerabilities
In the last year, there have been a couple of third-party plugin vulnerabilities that allowed unauthenticated visitors to change WordPress settings, including these two. While that should never be possible in the first place, the fact that WordPress accepts this combination of settings, and then hands an administrator account to anyone who signs up, turned a settings-change bug into a full site takeover and made the impact of those vulnerabilities much, much worse.
There’s already a Trac ticket that addresses this, but it’s not getting a lot of attention: https://core.trac.wordpress.org/ticket/43936 .
Here’s what I think WordPress should do:
- Remove the “administrator” option from the default role dropdown menu.
- Warn site administrators if this combination of settings is present in existing installs.
- Check the role before adding a new user, and never create a site administrator through the signup form, whatever the default role is set to.
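Until core changes, a site owner can apply all three proposals themselves. The following must-use plugin is an added example written for this post; it is not WordPress core code and not the patch attached to the Trac ticket. It assumes the file is dropped into wp-content/mu-plugins/ and the helper function name is made up; the hooks it uses (`editable_roles`, `sanitize_option_{$option}`, `admin_notices`, `user_register`) are real WordPress filters and actions.

```php
<?php
/**
 * Plugin Name: Block open administrator registration (added example)
 *
 * Assumed location: wp-content/mu-plugins/block-open-admin-registration.php
 * Implements the three mitigations proposed above. Example code only.
 */

// Hypothetical helper: true when the dangerous combination is active.
function oar_open_admin_registration_enabled() {
	return (bool) get_option( 'users_can_register' )
		&& 'administrator' === get_option( 'default_role' );
}

// 1. Hide "Administrator" from the "New User Default Role" dropdown on
//    Settings > General. wp_dropdown_roles() reads get_editable_roles(),
//    which runs the editable_roles filter. Only strip the role on that one
//    screen so the Users screens still let an admin promote someone.
add_filter( 'editable_roles', function ( $roles ) {
	global $pagenow;
	if ( 'options-general.php' === $pagenow ) {
		unset( $roles['administrator'] );
	}
	return $roles;
} );

// The dropdown is only UI. A hand-crafted POST to options.php, or a plugin
// bug that calls update_option(), bypasses it. Both paths go through
// sanitize_option(), which applies sanitize_option_{$option}, so refuse the
// value there and fall back to the normal default.
add_filter( 'sanitize_option_default_role', function ( $value ) {
	return 'administrator' === $value ? 'subscriber' : $value;
} );

// 2. Warn existing installs that already have the combination.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) || ! oar_open_admin_registration_enabled() ) {
		return;
	}
	echo '<div class="notice notice-error"><p>'
		. esc_html( '"Anyone can register" is on and the default role is Administrator: any visitor can take over this site. Change "New User Default Role" under Settings > General.' )
		. '</p></div>';
} );

// 3. Never hand out the administrator role through the signup form.
//    user_register fires after wp_insert_user() has already assigned the
//    default role. A visitor on wp-login.php?action=register has no
//    capabilities, so current_user_can( 'create_users' ) separates
//    self-registration from an administrator deliberately creating an
//    admin account in the dashboard.
add_action( 'user_register', function ( $user_id ) {
	if ( current_user_can( 'create_users' ) ) {
		return;
	}
	$user = get_userdata( $user_id );
	if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
		$user->set_role( 'subscriber' );
		error_log( sprintf( 'Blocked administrator self-registration for user ID %d', $user_id ) );
	}
} );
```

Two caveats a practitioner should check before deploying this. The `user_register` guard keys on the current user's capabilities, so a user created programmatically with no logged-in user (a cron job or a migration script that assigns the administrator role) would also be downgraded; if you have such code, whitelist it explicitly. And the example only makes the combination ineffective, it does not audit how the options got there: if you find `users_can_register` on and `default_role` set to `administrator` on a site you did not configure that way (`wp option get users_can_register` and `wp option get default_role` with WP-CLI), treat it as a possible compromise and review the user list before anything else.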
What do you think? Is there a use case I’m missing where allowing admin registrations actually makes sense? Or do you agree this should be fixed as soon as possible to make WordPress more secure?