Make WordPress Core

Opened 5 months ago

Closed 5 months ago

Last modified 5 months ago

#60258 closed enhancement (duplicate)

Security Concern and Enhancement Request: Disable Admin Role Assignment on User Registration

Reported by: arunu1996 Owned by:
Milestone: Priority: normal
Severity: normal Version: 6.4.2
Component: Users Keywords: needs-patch
Focuses: ui, administration Cc:

Description

Hi,

I recently identified a potential security threat in WordPress related to the "Anyone can register" setting under General Settings. Currently, when this setting is enabled, new users can be assigned the Administrator role during registration, posing a security risk.

I propose the addition of an option in the wp-config.php file to disable the assignment of the Administrator role option for the New User Default role field in general settings. This would provide an extra layer of security for WordPress websites.
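One way to implement the proposed wp-config.php switch as a defensive must-use plugin (an added example, not code from the ticket or from WordPress core; the constant name DISALLOW_ADMIN_DEFAULT_ROLE is hypothetical, the filter hooks are core's own):

```php
<?php
/**
 * Plugin Name: Disallow Administrator as the new-user default role
 *
 * Added example for this ticket, not WordPress core code. Assumes a
 * hypothetical constant DISALLOW_ADMIN_DEFAULT_ROLE is set to true in
 * wp-config.php. Place this file in wp-content/mu-plugins/.
 */

if ( ! defined( 'DISALLOW_ADMIN_DEFAULT_ROLE' ) || ! DISALLOW_ADMIN_DEFAULT_ROLE ) {
	return;
}

// 1. Reads: even if 'administrator' is already stored in the default_role
//    option, never hand it to wp_insert_user() / register_new_user().
add_filter( 'option_default_role', function ( $value ) {
	return ( 'administrator' === $value ) ? 'subscriber' : $value;
} );

// 2. Writes: refuse to persist 'administrator' from Settings > General (or
//    any update_option() call) and leave a trace for the site's audit log.
add_filter( 'pre_update_option_default_role', function ( $value, $old_value ) {
	if ( 'administrator' === $value ) {
		error_log( 'default_role=administrator rejected by DISALLOW_ADMIN_DEFAULT_ROLE' );
		return $old_value; // unchanged value means update_option() does nothing
	}
	return $value;
}, 10, 2 );

// 3. UI: hide Administrator in the "New User Default Role" dropdown on
//    options-general.php only; role choices on user-edit screens stay intact,
//    so promoting a user via their profile still works.
add_filter( 'editable_roles', function ( $roles ) {
	$screen = function_exists( 'get_current_screen' ) ? get_current_screen() : null;
	if ( $screen && 'options-general' === $screen->id ) {
		unset( $roles['administrator'] );
	}
	return $roles;
} );
```

Because the read-side filter runs on every get_option( 'default_role' ) call, the protection holds even for a site whose option was set to administrator before the plugin was installed.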

Attachments (1)

unnamed.png (20.4 KB) - added by arunu1996 5 months ago.


Change History (9)

@arunu1996
5 months ago

#1 follow-up: @pbearne
5 months ago

I wonder if we can't simply remove this option by default and require that the user is "promoted" via their profile?

#2 @arunu1996
5 months ago

@pbearne
That's a good solution.

#3 in reply to: ↑ 1 @knutsp
5 months ago

Replying to pbearne:

I wonder if we can't simply remove this option by default and require that the user is "promoted" via their profile?

Deprecate the option and set it to contributor (initially|on-upgrade)? New ticket, longer time.
Simpler to just shrink the options in the dropdown, at least for now.

#4 @benniledl
5 months ago

  • Component changed from Security to Users
  • Focuses ui added
  • Keywords needs-patch added

Hey! In my humble opinion, removing this feature is not a good idea. Some plugins, such as WooCommerce or BBPress, add custom user roles, and depending on the site's needs, a role must be auto-assigned.

You do make a valid point, though; the combination of allowing anyone to register and auto-assigning the administrator role is risky. While I believe that site administrators are generally aware that this is not a secure configuration, mistakes can still happen.
Therefore, I think adding an extra warning is a very good idea!

#5 @arunu1996
5 months ago

Hi @benniledl,

What is your suggestion on adding a constant in wp-config.php to remove Administrator from the new user default role select options?

#6 @roytanck
5 months ago

This has previously been discussed here: #43936 .

#7 @arunu1996
5 months ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #43936.

Thank you @roytanck. I am marking this as duplicate.

#8 @peterwilsoncc
5 months ago

  • Milestone Awaiting Review deleted