[wp-trac] [WordPress Trac] #43936: Settings: Warn when open registration and new user default is privileged

WordPress Trac noreply at wordpress.org
Sun Mar 10 20:51:08 UTC 2024


#43936: Settings: Warn when open registration and new user default is privileged
---------------------------------------+-----------------------------
 Reporter:  kraftbj                    |       Owner:  audrasjb
     Type:  feature request            |      Status:  accepted
 Priority:  normal                     |   Milestone:  6.6
Component:  Security                   |     Version:
 Severity:  normal                     |  Resolution:
 Keywords:  has-patch needs-user-docs  |     Focuses:  administration
---------------------------------------+-----------------------------

Comment (by ottok):

 Thanks @zodiac1978 for quoting me and others who recommend simply
 **disabling WordPress from having 'administrator' as the default role under
 any circumstances**.

 This "feature" is only being used by bad actors. For the past 6 years I
 have heard about exactly zero cases where it would make any sense at all
 to have new users register as administrators by default, but many cases
 where attackers used this.

 There are so many user-friendly ways to grant users the administrator role
 that there is no need to keep this "hole" open for the theoretical case that
 some site somewhere might once have a legitimate use case.

 I have spoken at many WordCamps about this issue and shown real-world
 cases where attackers specifically use this vulnerability/configuration
 error to hack sites. See for example
 https://wordpress.tv/2019/06/10/otto-keka%cc%88la%cc%88inen-how-to-investigate-and-recover-from-a-security-breach-real-life-experiences-with-wordpress/
 (the explanation of this setting is 20 minutes into the presentation).

 This security vulnerability has been in WordPress for decades, and this
 bug report alone has been open and bike-shedded for 6 years.

 I recommend escalating this to the leadership of WordPress
 (@matt/@nbachiyski/@aaroncampbell?) and getting closure on it ASAP to stop
 more sites from being breached due to this.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/43936#comment:48>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
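The misconfiguration discussed in this ticket (the "Anyone can register" option combined with a privileged default role) can be detected on a site today without waiting for a core change. The following must-use plugin is an added example written for this page; it is not WordPress core code, not the patch attached to the ticket, and not code from any commenter. It assumes it is saved under `wp-content/mu-plugins/` (a conventional location, but an assumption here), and the `pdrw_` prefix and the list of capabilities it treats as privileged are choices made for the example. It reads only the standard `users_can_register` and `default_role` options and the role's capabilities, and shows an admin notice to users who can manage options.

```php
<?php
/**
 * Plugin Name: Privileged Default Role Warning (added example, not core code)
 * Description: Warns administrators when open registration is combined with
 *              a default role that carries privileged capabilities.
 */

// Capabilities a self-registered account should never receive.
// This list is an assumption of the example; extend it to suit the site.
const PDRW_PRIVILEGED_CAPS = array(
    'manage_options',
    'edit_users',
    'promote_users',
    'install_plugins',
    'edit_plugins',
    'edit_themes',
);

/**
 * Returns the privileged capabilities granted by the current default role,
 * or an empty array when the configuration is safe (registration closed,
 * or the default role holds none of the listed capabilities).
 */
function pdrw_check_default_role() {
    // With registration closed the default role is never applied
    // automatically to an unknown visitor, so there is nothing to warn about.
    if ( ! get_option( 'users_can_register' ) ) {
        return array();
    }

    $role_name = get_option( 'default_role', 'subscriber' );
    $role      = get_role( $role_name );
    if ( ! $role ) {
        return array(); // Role no longer exists; nothing can be granted.
    }

    $found = array();
    foreach ( PDRW_PRIVILEGED_CAPS as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            $found[] = $cap;
        }
    }
    return $found;
}

// Show a persistent error notice in wp-admin to users who can fix the setting.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $caps = pdrw_check_default_role();
    if ( empty( $caps ) ) {
        return;
    }
    $message = sprintf(
        'Security warning: "Anyone can register" is enabled and the default role "%s" grants: %s. '
        . 'Set the new user default role to Subscriber or disable registration under Settings > General.',
        get_option( 'default_role' ),
        implode( ', ', $caps )
    );
    printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
} );
```

The check is deliberately based on capabilities rather than on the role name alone, so a custom role that has been given `manage_options` triggers the warning just as `administrator` does. Because it runs on every admin page load and reads two options plus one role object, it adds negligible cost and keeps reminding the site owner until the setting is corrected.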