Make WordPress Core


Timestamp: 02/19/2026 09:42:59 AM
Author: audrasjb
Message:

Administration: Warn when open registration and new user default is privileged.

Previously, WordPress allowed site owners to open registration AND to set the default new user level to "Administrator" or "Editor". While this combination may make sense for some sites, this is generally a really, really bad idea.

With this changeset:

  • Administrator and Editor roles are now removed from the new user default role selector in the General Options admin screen.
  • If such a role was selected before, an alert is shown in Site Health.
  • A new filter is introduced: default_role_dropdown_excluded_roles allows developers to change the default excluded roles in the dropdown.

Props kraftbj, subrataemfluence, roytanck, dd32, ottok, jrf, eatingrules, verygoode, generosus, stevejburge, arunu1996, benniledl, audrasjb, mukesh27, swissspidy, Mte90, zodiac1978, pooja1210, davidbaumwald, johnbillion, jorbin, SirLouen, oglekler, kirasong, shailu25, huzaifaalmesbah, jsmansart.
Fixes #43936.
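Added example (not WordPress core code and not from this changeset's author): a small plugin that hooks the new default_role_dropdown_excluded_roles filter to hide one more role and, because a hidden dropdown entry is only a user-interface restriction, also rejects excluded roles when the option is saved, using WordPress's existing sanitize_option_default_role filter. The example_ function names and the inclusion of author in the excluded list are assumptions made for illustration; everything else it calls (add_filter, sanitize_key, wp_roles()->is_role(), add_settings_error, get_option) is standard WordPress API.

```php
<?php
/**
 * Plugin Name: Example: lock down the new-user default role
 * Description: Added example, not WordPress core code. Uses the
 *              default_role_dropdown_excluded_roles filter from this changeset
 *              and adds a server-side guard on the saved option.
 */

/**
 * Roles that must never be handed to self-registered users.
 * 'author' is an assumption for this example; core's default list is
 * administrator and editor.
 *
 * @return string[]
 */
function example_excluded_default_roles() {
	return array( 'administrator', 'editor', 'author' );
}

// 1. Hide the roles in the General Settings dropdown (filter introduced by this changeset).
add_filter( 'default_role_dropdown_excluded_roles', 'example_excluded_default_roles' );

// 2. A hidden <option> is only a UI restriction: a request that posts
//    default_role=administrator directly would still be saved. Reject such
//    values when the option is sanitized on save.
add_filter( 'sanitize_option_default_role', 'example_sanitize_default_role', 10, 2 );

/**
 * @param mixed  $value  Submitted value.
 * @param string $option Option name ('default_role').
 * @return string A role that exists and is not excluded, or the previously stored value.
 */
function example_sanitize_default_role( $value, $option ) {
	$role = is_string( $value ) ? sanitize_key( $value ) : '';

	$unknown  = ! wp_roles()->is_role( $role );
	$excluded = in_array( $role, example_excluded_default_roles(), true );

	if ( $unknown || $excluded ) {
		// add_settings_error() is an admin-only function; guard for WP-CLI/cron contexts.
		if ( function_exists( 'add_settings_error' ) ) {
			add_settings_error(
				$option,
				'invalid_default_role',
				__( 'That role cannot be used as the new user default role.' )
			);
		}
		// Keep whatever was stored before rather than silently escalating.
		return get_option( $option, 'subscriber' );
	}

	return $role;
}
```

Drop the file into wp-content/mu-plugins/ so it cannot be deactivated from the admin. Note that the sanitizer returns the previously stored value on rejection, so it does not downgrade a site whose default was already set to a privileged role; that is the case the commit message says Site Health now flags, and it has to be corrected deliberately by an administrator.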

File: 1 edited

  • trunk/src/wp-admin/options-general.php

    r61193 r61687  
    305305<th scope="row"><label for="default_role"><?php _e( 'New User Default Role' ); ?></label></th>
    306306<td>
    307 <select name="default_role" id="default_role"><?php wp_dropdown_roles( get_option( 'default_role' ) ); ?></select>
     307    <?php
     308    /**
     309     * Filters the roles to be excluded from the default_role option.
     310     *
     311     * @since 7.0.0
     312     *
     313     * @param string[] $roles_to_exclude Array of roles to exclude from the dropdown.
     314     *                                   Defaults to administrator and editor.
     315     */
     316    $excluded_roles = (array) apply_filters( 'default_role_dropdown_excluded_roles', array( 'administrator', 'editor' ) );
     317
     318    $editable_roles = array_reverse( get_editable_roles() );
     319
     320    $selected = get_option( 'default_role' );
     321
     322    foreach ( $editable_roles as $role => $details ) {
     323        if ( in_array( $role, $excluded_roles, true ) && $role !== $selected ) {
     324            unset( $editable_roles[ $role ] );
     325        }
     326    }
     327    ?>
     328    <select name="default_role" id="default_role"><?php wp_dropdown_roles( $selected, $editable_roles ); ?></select>
    308329</td>
    309330</tr>
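Review bot: The exclusion is enforced only while the `<select>` is being rendered; nothing in this hunk validates the value that comes back on save, so a request that posts `default_role=administrator` directly (or a stale form) still stores the privileged default, and the change is a hidden option rather than a server-side restriction. Apply the same `default_role_dropdown_excluded_roles` list where the option is sanitized and reject excluded roles there with a settings error, so the dropdown and the stored value agree. Separately, the new line `<select name="default_role" id="default_role"><?php wp_dropdown_roles( $selected, $editable_roles ); ?></select>` passes a second argument to `wp_dropdown_roles()` while this changeset edits only options-general.php; confirm that signature already exists in trunk, otherwise the filtered list is silently ignored.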