• I say 3.6 because I have a bucketful of sites and they are not all on support contracts, so 3.6 is the oldest version in use.

    I install Limit Login Attempts by default on all my sites and it is surprising how many brute force attacks there are out there. I don’t generally allow Admin roles to author posts, so attempting hackers are generally using Author (and Editor) user names to try and get in.

    Limit Login Attempts is a pretty good defence against brute force attacks, but some come from a lot of IP addresses, so it is not outside the realm of possibility that someone might succeed with an insecure password.

    So the question: what damage, if any, can be done by someone logged in as Author or Editor?

    Treat this post also as a wake-up call: if you don’t have some kind of plugin to limit logins then you should, even if just to show you how often hackers attempt to get in.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I say 3.6 because I have a bucketful of sites and they are not all on support contracts, so 3.6 is the oldest version in use.

    That’s not good. Version 3.6 is exploitable regardless of the account capabilities. No one should use that version.

    So the question: what damage, if any, can be done by someone logged in as Author or Editor?

    It’s a little technical but this link explains it.

    https://codex.wordpress.org/Roles_and_Capabilities#Editor

    The risk is spam: the Editor role can modify and publish posts; the Author role can’t publish new posts but can modify or delete the ones that account posted already.

    Thread Starter chrispink

    (@chrispink)

    To tell the truth, I am hoping I have no 3.6 versions left. It’s true that I should check, but we’re talking about clients who don’t want to pay for maintenance here.

    So, editors shouldn’t be authors, so that their usernames are masked, as there’s a lot more damage a rogue editor could do.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    To tell the truth, I am hoping I have no 3.6 versions left.

    *Raises coffee mug in salute!* 😉

    So, editors shouldn’t be authors, so that their usernames are masked, as there’s a lot more damage a rogue editor could do.

    Nope. Editors have all of the author capabilities plus more.

    Usernames are not secret, not masked, not unknown and are never protected. There is no security at all in usernames and there never has been. The security is in strong passwords and remains there.

    This reply from a week ago explains it really well. 😉

    https://wordpress.org/support/topic/scanning-for-author-and-failed-login-attempt?replies=11&view=all#post-6932129

    Thread Starter chrispink

    (@chrispink)

    I hear you, but it is a truism that my “hidden” admin name is never part of the “attempted login” attacks, so whatever is attacking them, in the case of my sites, is fairly obviously author scanning.

    I do agree with the thrust of the topic though: security is mainly a strong password.
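An added example, not from this thread or from the Limit Login Attempts plugin, separating the three patterns the thread touches on: a single IP hammering one account (what a per-IP lockout stops), one username tried from many IPs each staying under the lockout limit (the distributed case in the opening post), and one IP cycling through account names (the author scanning in the last reply). The log format, IPs and usernames are constructed for the example; the thresholds are illustrative parameters, not the plugin's defaults.

```python
import re
from collections import defaultdict

# Constructed sample of login events (timestamp, IP, username, result), as a
# site-side hook might record them. IPs and usernames are made up.
SAMPLE_LOG = """\
2013-10-10T13:55:36Z 198.51.100.10 chris FAIL
2013-10-10T13:55:37Z 198.51.100.10 chris FAIL
2013-10-10T13:55:38Z 198.51.100.10 chris FAIL
2013-10-10T13:55:39Z 198.51.100.10 chris FAIL
2013-10-10T14:01:02Z 203.0.113.1 editor1 FAIL
2013-10-10T14:01:09Z 203.0.113.2 editor1 FAIL
2013-10-10T14:01:15Z 203.0.113.3 editor1 FAIL
2013-10-10T14:20:00Z 192.0.2.77 admin FAIL
2013-10-10T14:20:01Z 192.0.2.77 editor1 FAIL
2013-10-10T14:20:02Z 192.0.2.77 author1 FAIL
2013-10-10T15:00:00Z 198.51.100.20 chris OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")

def parse_failed_logins(log_text):
    """Return (ip, username) pairs for every FAIL line; malformed lines are skipped."""
    failed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("result") == "FAIL":
            failed.append((m.group("ip"), m.group("user")))
    return failed

def analyse(failed, per_ip_limit=4, min_ips_per_user=3, min_users_per_ip=3):
    """Classify failed logins into the three patterns described in the lead-in."""
    fails_per_ip = defaultdict(int)
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    for ip, user in failed:
        fails_per_ip[ip] += 1
        ips_per_user[user].add(ip)
        users_per_ip[ip].add(user)
    # Single IP hammering: what a per-IP lockout plugin stops on its own.
    noisy_ips = sorted(ip for ip, n in fails_per_ip.items() if n >= per_ip_limit)
    # Distributed: one username from many IPs, each staying under the lockout limit.
    distributed = sorted(
        user for user, ips in ips_per_user.items()
        if len(ips) >= min_ips_per_user and all(fails_per_ip[ip] < per_ip_limit for ip in ips)
    )
    # Username scanning: one IP cycling through several account names.
    scanning = sorted(ip for ip, users in users_per_ip.items() if len(users) >= min_users_per_ip)
    return {"noisy_ips": noisy_ips, "distributed_targets": distributed, "scanning_ips": scanning}
```

Calling `analyse(parse_failed_logins(SAMPLE_LOG))` flags 198.51.100.10 as the noisy IP, editor1 as the distributed target and 192.0.2.77 as the scanning IP.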

  • The topic ‘Author role capabilities’ is closed to new replies.