#60258 closed enhancement (duplicate)
Security Concern and Enhancement Request: Disable Admin Role Assignment on User Registration
Reported by: | arunu1996 | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 6.4.2 |
Component: | Users | Keywords: | needs-patch |
Focuses: | ui, administration | Cc: | |
Description
Hi,
I recently identified a potential security threat in WordPress related to the "Anyone can register" setting under General Settings. Currently, when this setting is enabled, new users can be assigned the Administrator role during registration, posing a security risk.
I propose the addition of an option in the wp-config.php file to disable the assignment of the Administrator role option for the New User Default role field in general settings. This would provide an extra layer of security for WordPress websites.
Attachments (1)
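The description above proposes a wp-config.php constant that keeps Administrator out of the "New User Default Role" dropdown. The following must-use plugin is an added example written for this page, not WordPress core code and not the ticket author's patch. It assumes a hypothetical constant name, `DISALLOW_ADMIN_DEFAULT_ROLE`, and a hypothetical helper, `rdr_registration_is_risky()`; the hooks it uses (`sanitize_option_{$option}`, `editable_roles`, `admin_notices`) and the options it reads (`users_can_register`, `default_role`) are real core hooks and options.

```php
<?php
/**
 * Plugin Name: Restrict Default Role (added example)
 *
 * Drop this file into wp-content/mu-plugins/ and add the (hypothetical)
 * constant to wp-config.php:
 *
 *     define( 'DISALLOW_ADMIN_DEFAULT_ROLE', true );
 *
 * The constant name is an assumption for illustration; the hooks and
 * options used below are WordPress core hooks and options.
 */

// Guard against direct access to the file.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * True when the site is in the state the ticket describes as risky:
 * open registration combined with Administrator as the default role.
 * (Hypothetical helper name.)
 */
function rdr_registration_is_risky() {
	return '1' === (string) get_option( 'users_can_register' )
		&& 'administrator' === get_option( 'default_role' );
}

if ( defined( 'DISALLOW_ADMIN_DEFAULT_ROLE' ) && DISALLOW_ADMIN_DEFAULT_ROLE ) {

	// Reject "administrator" whenever default_role is saved through
	// update_option(), which runs sanitize_option(). Fall back to
	// subscriber, the role core itself uses for an unknown value.
	add_filter( 'sanitize_option_default_role', function ( $value ) {
		return 'administrator' === $value ? 'subscriber' : $value;
	} );

	// Hide Administrator from the role dropdown on Settings > General only;
	// the Users screens keep the full list so existing admins can still
	// promote a user via their profile, as the discussion below suggests.
	add_filter( 'editable_roles', function ( $roles ) {
		global $pagenow;
		if ( 'options-general.php' === $pagenow ) {
			unset( $roles['administrator'] );
		}
		return $roles;
	} );
}

// Warn site admins if the risky combination is already stored. This runs
// whether or not the constant is set, because the save-time filter above
// only takes effect the next time the option is written.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) || ! rdr_registration_is_risky() ) {
		return;
	}
	echo '<div class="notice notice-error"><p>'
		. esc_html( '"Anyone can register" is enabled and the default role is Administrator: every new sign-up becomes a site administrator. Change the New User Default Role under Settings > General.' )
		. '</p></div>';
} );
```

The save-time filter is the part that actually closes the gap: hiding the dropdown entry alone would not stop a value written by another route, so the example rejects the value on save and only trims the UI as a convenience.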
Change History (9)
#3 (in reply to ↑ 1) @ 9 months ago
Replying to pbearne:
I wonder if we can't simply remove this option by default and require that the user is "promoted" via their profile?
Deprecate the option and set it to contributor (initially|on-upgrade)? New ticket, longer time.
Simpler to just shrink the options in the dropdown, at least for now.
#4 @ 9 months ago
- Component changed from Security to Users
- Focuses ui added
- Keywords needs-patch added
Hey! In my humble opinion, removing this feature is not a good idea. Some plugins, such as WooCommerce or BBPress, add custom user roles, and depending on the site's needs, a role must be auto-assigned.
You do make a valid point, though; the combination of allowing anyone to register and auto-assigning the administrator role is risky. While I believe that site administrators are generally aware that this is not a secure configuration, mistakes can still happen.
Therefore, I think adding an extra warning is a very good idea!
#5 @ 9 months ago
Hi @benniledl,
What is your suggestion on adding a const in wp-config.php to remove administrator from the new user default role select options?
I wonder if we can't simply remove this option by default and require that the user is "promoted" via their profile?