[wp-trac] [WordPress Trac] #43936: Settings: Warn when open registration and new user default is privileged
WordPress Trac
noreply at wordpress.org
Mon Apr 28 11:15:04 UTC 2025
#43936: Settings: Warn when open registration and new user default is privileged
-------------------------------------------------+-------------------------
 Reporter:  kraftbj                              |       Owner:  audrasjb
     Type:  feature request                      |      Status:  accepted
 Priority:  normal                               |   Milestone:  6.9
Component:  Security                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  needs-user-docs early 2nd-opinion    |     Focuses:  administration
  needs-testing-info                             |
-------------------------------------------------+-------------------------
Changes (by SirLouen):
* keywords: needs-user-docs changes-requested early => needs-user-docs
early 2nd-opinion needs-testing-info
Comment:
I'm going to bring this to a `dev-chat` because there has been a lot of
discussion but not many things settled down to get to a potential closure
and I feel that ultimately the bug scrubber of the moment will be forced
to choose something that could be suboptimal. So the idea is to bring more
voices and decide on consensus.
== Here is a Report Recap with all the positions discussed up to now
=== The problem
Privileged roles like Administrator and Editor can be set as default
roles. This can be a risk. The risk is presented in two forms:
- Accidentally set up by the user, hence a self-user protection is needed
- Hackers managing to set this, being a big security concern.
=== Position 1: The Self-User Protection
The original report suggested that a patch was needed to just inform the
user of this wrong decision. Just a notice, not a hindrance. Options
commented are:
1. Just a notice, like when you set a low-quality password
2. A health status check
3. A preemptive button to check if you are completely sure of this (like
when you choose to set a weak password)
=== Position 2: The Security Hole
Many reporters propose that there is no Use-Case for setting Administrator
(or even Editor) as the default role. Furthermore, some report that this
has been a major security concern because hackers like to switch this
default role to gain full access to the site. Options commented here are:
1. Completely removing the possibility to set a privileged default role
(Administrator/Editor) in the Admin Front End
2. Completely removing the possibility to set a privileged default role by
any means
3. Now inside this position we can go further: Custom roles. Also removing
custom roles with admin capabilities.
Someone could argue that anyone could be willing to add some specific
admin capabilities to a role and then set them as default roles for some
specific unknown Use Case. Some others could argue that for those that are
not willing to do this, leaving this option "open" for those that would
not desire to set a default role, could still leave them exposed to hacker
attacks with their custom roles.
=== Current patch
1. It only restricts Administrator and Editor in the Front-End Admin panel
2. It shows a Health Status notice if you have set an Admin or an Editor
as the default role, somehow in a hacky way.
This is the current status. Comment or support ideas already proposed
here. I think it's very difficult to get to a consensus because there is
no single best option here, and probably each single member will have
their opinion on how to handle this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43936#comment:70>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
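
Added example, not part of the ticket, its patch or the comment above: a PHP sketch of the check the recap's options revolve around, flagging a default role that carries privileged capabilities (custom roles included) and raising the severity when registration is open. The capability list, the function name and the sample roles are assumptions of this example; inside WordPress the inputs would come from get_option( 'users_can_register' ), get_option( 'default_role' ) and wp_roles()->roles.

```php
<?php
// Added example; not the patch attached to the ticket.
// Assumption: which capabilities count as "privileged" is this example's choice.
const PRIVILEGED_CAPS = [
    'manage_options', 'promote_users', 'create_users', 'edit_users',
    'install_plugins', 'activate_plugins', 'edit_plugins', 'edit_themes',
    'unfiltered_html', 'edit_others_posts',
];

/**
 * Hypothetical helper: classify the default role by capability, not by name,
 * so a custom role with admin capabilities is caught as well.
 *
 * @param bool   $open_registration Value of the users_can_register option.
 * @param string $default_role      Value of the default_role option.
 * @param array  $roles             Role slug => ['capabilities' => [cap => bool]].
 * @return array{status:string,caps:string[]}
 */
function audit_default_role(bool $open_registration, string $default_role, array $roles): array
{
    if (!isset($roles[$default_role])) {
        // The stored default role no longer exists; report it rather than guess.
        return ['status' => 'unknown_role', 'caps' => []];
    }
    // Only capabilities explicitly granted (true) count; denied ones are dropped.
    $granted = array_keys(array_filter($roles[$default_role]['capabilities'] ?? []));
    $risky   = array_values(array_intersect(PRIVILEGED_CAPS, $granted));
    if ($risky === []) {
        return ['status' => 'good', 'caps' => []];
    }
    // Open registration turns a risky setting into one anyone can use right now.
    return ['status' => $open_registration ? 'critical' : 'recommended', 'caps' => $risky];
}

// Constructed sample data in the shape of wp_roles()->roles (not from a real site).
$roles = [
    'subscriber'  => ['capabilities' => ['read' => true]],
    'editor'      => ['capabilities' => ['read' => true, 'edit_others_posts' => true, 'unfiltered_html' => true]],
    'shop_helper' => ['capabilities' => ['read' => true, 'promote_users' => true, 'edit_themes' => false]],
];
foreach ([[true, 'subscriber'], [true, 'editor'], [false, 'shop_helper']] as [$open, $role]) {
    $result = audit_default_role($open, $role, $roles);
    printf("%-12s open=%d => %-11s %s\n", $role, $open, $result['status'], implode(',', $result['caps']));
}
```

The status strings mirror the Site Health statuses (good, recommended, critical), so the result could be returned from a test registered on the site_status_tests filter.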