[wp-trac] [WordPress Trac] #43936: Settings: Warn when open registration and new user default is privileged
WordPress Trac
noreply at wordpress.org
Wed May 2 18:21:52 UTC 2018
#43936: Settings: Warn when open registration and new user default is privileged
----------------------------+-----------------------------
 Reporter:  kraftbj         |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Administration  |     Version:
 Severity:  normal          |    Keywords:
  Focuses:                  |
----------------------------+-----------------------------

Much like our Strong Passwords work, we can help inform site
administrators when their actions may be sub-optimal.

WordPress allows a site owner to open registration AND set the default new
user level to "Administrator". While this combination may make sense for
some sites (on an intranet?), this is typically a really really bad idea.
We should provide some type of confirmation to ensure site administrators
are intending to open their site up.

If registration is open and default level is Subscriber (`read` cap only),
the current behavior is fine. If registration is open and other
capabilities are included in the default role, we should have some type of
checkbox or "are you sure" notice. "By allowing open registration and a
default role of {role}, anyone who can visit the site would have the
ability to {have full control of your site|publish content|etc}."

We saw this in the wild on a site in support today :).

--
Ticket URL: <https://core.trac.wordpress.org/ticket/43936>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
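
One way to express the check this ticket asks for, as an added example (not WordPress core code and not from the ticket's reporter). The helper name `example_risky_default_caps` is hypothetical, the capability maps in the CLI branch are constructed sample data, and a single-site install is assumed.

```php
<?php
// Added example, not WordPress core code. `example_risky_default_caps` is a
// hypothetical helper; a single-site install is assumed.

/**
 * Capabilities beyond `read` that every self-registered user would receive.
 * An empty array means the combination of settings is the safe one.
 *
 * @param bool  $open_registration Value of the `users_can_register` option.
 * @param array $role_caps         Capability => granted map of the default role.
 */
function example_risky_default_caps( $open_registration, array $role_caps ) {
	if ( ! $open_registration ) {
		return array();
	}
	// Keep only capabilities that are actually granted (value true).
	$granted = array_keys( array_filter( $role_caps ) );
	// Subscriber also carries the legacy `level_0` marker; ignore `level_N` entries.
	$granted = preg_grep( '/^level_\d+$/', $granted, PREG_GREP_INVERT );
	return array_values( array_diff( $granted, array( 'read' ) ) );
}

if ( function_exists( 'add_action' ) ) {
	// Inside WordPress: warn users who are able to change these settings.
	add_action( 'admin_notices', function () {
		if ( ! current_user_can( 'manage_options' ) ) {
			return;
		}
		$role_name = get_option( 'default_role' );
		$role      = get_role( $role_name );
		$extra     = example_risky_default_caps(
			(bool) get_option( 'users_can_register' ),
			$role ? $role->capabilities : array()
		);
		if ( $extra ) {
			$msg = sprintf(
				'Registration is open and the default role "%s" grants %d capabilities beyond "read", for example "%s".',
				$role_name, count( $extra ), $extra[0]
			);
			echo '<div class="notice notice-warning"><p>' . esc_html( $msg ) . '</p></div>';
		}
	} );
} else {
	// Outside WordPress (php CLI), with constructed capability maps.
	var_dump( example_risky_default_caps( true, array( 'read' => true, 'level_0' => true ) ) );
	var_dump( example_risky_default_caps( true, array( 'read' => true, 'edit_posts' => true ) ) );
	var_dump( example_risky_default_caps( false, array( 'manage_options' => true ) ) );
}
```

Filtering out the `level_N` entries matters because a literal "anything other than `read`" comparison would also flag the default Subscriber role, which the ticket treats as the safe case.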