Security Concern and Enhancement Request: Disable Admin Role Assignment on User Registration

[arunu1996]

Hi,

I recently identified a potential security threat in WordPress related to the "Anyone can register" setting under General Settings. Currently, when this setting is enabled, new users can be assigned the Administrator role during registration, posing a security risk.

I propose the addition of an option in the wp-config.php file to disable the assignment of the Administrator role option for the New User Default role field in general settings. This would provide an extra layer of security for WordPress websites.

[pbearne]

I wonder if we can't simply remove this option by default and require that user is "promoted" via there profile?

[arunu1996]

@pbearne
Thats a good solution.

[knutsp]

Replying to pbearne:

I wonder if we can't simply remove this option by default and require that user is "promoted" via there profile?

Deprecate the option and set it to contributor (initially|on-upgrade)? New ticket, longer time.
Simpler to just shrink the options in the dropdown, at least for now.

[benniledl]

Hey! In my humble opinion, removing this feature is not a good idea. Some plugins, such as WooCommerce or BBPress, add custom user roles, and depending on the site's needs, a role must be auto-assigned.

You do make a valid point, though; the combination of allowing anyone to register and auto-assigning the administrator role is risky. While I believe that site administrators are generally aware that this is not a secure configuration, mistakes can still happen.
Therefore, I think adding an extra warning is a very good idea!

[arunu1996]

Hi @benniledl,

What is you suggestion on adding a const in wp-config.php to remove administrator from the new user default role select options?

[roytanck]

This has previously been discussed here: #43936 .

[arunu1996]

Duplicate of #43936.

Thank you @roytanck. I am marking this as duplicate.