Support » Requests and Feedback » New Default Role : WP CONFIG add a control?

  • Resolved. Posted by gsh1923 (@gsh1923)

    Hi there

    Recently there was a [link removed] Vulnerability Detected in a plugin that we use.

    What I found pretty nuts is that once the user had been created as an admin it was possible for them to easily change the “default new user role” setting by going over to General and changing the drop-down box.

    I wondered therefore two things:

    a) Is there a way that in wp-config some kind of special magic code would mean that that particular part of the WP installation would be hidden?

    b) If not, whether there is some kind of internal security ping that gets sent out to the site ADMIN in cases where this is changed?

    I was lucky as I was able to rollback the installation to a previous version and then make the necessary updates. I hope this criticism is taken positively.

Viewing 6 replies - 1 through 6 (of 6 total)
  • You can search the existing tickets to see if anyone has already requested this. If they haven’t, you could open a new ticket.
    https://core.trac.wordpress.org/

    Good idea in theory but wouldn’t really work in reality. If the user they created truly did have administrator privileges then the default user role is the least of your worries. With access to the administrator user role they would be able to access the plugin/theme editors where they could insert PHP code directly into the site.

    With this code they could do pretty much anything they wanted including adding code that would change the default user role value directly through the database without even changing the setting from the dashboard. Additionally, they could just disable whatever notification message would be sent out when that value was changed.

    Hi Jarret,

    Thanks for your reply.

    I understand your reply but not the bit where you talk about “the least of my worries”, because all of what you have said I am familiar with from a security side. If what you are saying is that once a user has admin access they can then pretty much do what they want to do on the website, is that what you mean?

    In our case we reverted the WP installation to a time that was safely before the vulnerability and then ran date checks against the files on FTP to make sure there were no out-of-sync last-updated modifications that would suggest some WP admin code changes via a file manager plugin that could have been installed via WP Admin.

    Perhaps you are saying that with an Admin permission account it is then possible to execute PHP queries via the browser that would add code injections to the WP plugins, is that what you mean? Or are you simply saying that because you are an admin you can recurse to WP plugin directories and add a piece of PHP that will have some kind of desired outcome for the hacker?

    If you are not saying this then I think that having the ability to block out the changing of the “New Default User Role” so that the only way this might be changed is by accessing wp-config over FTP could have prevented this attack further.

    It seems to me that in the scheme of handing over the keys to your website, the “New Default User Role” is a great target for hackers, and would seem a pretty easy thing to hack and automate, but if it wasn’t there, there would be nothing that hacking software could anchor to.

    Sorry if I have missed your point, but I wanted to clarify my own position to make sure it had been understood.

    Sorry I missed your reply. Yes, as an administrator they already have full access to the site. By default the administrator user role can modify themes/plugins.

    https://codex.wordpress.org/Roles_and_Capabilities#Administrator

    If they had access to the Administrator role, they would visit either Appearance->Theme Editor or Plugins->Plugin Editor and insert whatever PHP code they wanted into any theme/plugin you have installed on the site.

    Hi @gsh1923 the root of the problem is that you have an admin user you don’t trust. This can be either one of two situations:

    – a rogue legitimate admin, someone you have added as a user with the role of admin and now they don’t act in your best interest
    – a hacked admin account, that is say an admin user with a poor, easy to break password, which is used by a hacker

    In both cases it doesn’t matter what features WordPress implements to protect certain parts of the administration area because the users with admin rights are able to undo any security measure.

    Say there is a setting in wp-config.php to disable the Default User Role. If a user is admin, they can write PHP code in your theme that alters wp-config.php.

    So, as @jarretc explained, if you have a user you don’t trust with administrative privileges then whatever they alter is irrelevant, as it can be literally anything about your website.

    To prevent that be very careful to whom you offer administrative privileges.

    As a final note, tampering with the default new user role setting is used by some dishonest users or hackers so that if they’re kicked out they can easily sign up and get back in with elevated privileges. But the solution to this is not a feature in WordPress, as no matter the system, if one gains administrative privileges everything is compromised.

    Thank you for taking the time to explain what you mean, and I now see your point. I also think that I need to read a bit more about WP ROLES because from what you are saying it seems that only Admins will see the new default user role change, and if that is the case then, as you say, it doesn’t matter what is done to hide that, it’s going to be easy to override.

    Thank you both again.
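The two controls the opening post asked for, a pinned “New User Default Role” and a notification when someone tries to change it, can be built as a must-use plugin. The code below is an added example written for this page; it is not from the thread, from WordPress core, or from any plugin, and the file name, the constant and the e-mail wording are assumptions. It uses only core hooks that exist in WordPress: `pre_option_default_role` to short-circuit reads of the option, `pre_update_option_default_role` to veto writes, and `wp_mail()` to send the “security ping”. It also illustrates the replies’ point: everything here is site code, so it only holds against an Administrator who cannot write files.

```php
<?php
/**
 * Plugin Name: Pin default role (added example for this thread, hypothetical)
 *
 * Drop into wp-content/mu-plugins/. Must-use plugins load before ordinary
 * plugins and have no "Deactivate" link in the dashboard, which is why this
 * belongs there rather than in wp-content/plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside a WordPress request.
}

// The role every self-registered account must receive. "subscriber" is the
// value WordPress ships with; the constant name is this example's own.
const PINNED_DEFAULT_ROLE = 'subscriber';

/**
 * Reads. get_option( 'default_role' ) is answered here before wp_options is
 * consulted, so wp_insert_user() (which assigns the default role to new
 * sign-ups) and the Settings > General drop-down both see the pinned value
 * even if the row in wp_options has been edited directly in the database.
 */
add_filter( 'pre_option_default_role', function () {
    return PINNED_DEFAULT_ROLE;
} );

/**
 * Writes. update_option( 'default_role', ... ) runs this filter before it
 * touches the database. Returning the old value makes update_option() a
 * no-op, and any attempt to set something else is reported.
 */
add_filter( 'pre_update_option_default_role', function ( $value, $old_value ) {
    if ( $value === PINNED_DEFAULT_ROLE ) {
        return $value;
    }
    pin_default_role_notify( (string) $value );
    return $old_value;
}, 10, 2 );

/**
 * The "security ping" from the opening post: who tried to set what, from
 * where, and when. Sent to Settings > General > Administration Email Address
 * and also written to the PHP error log, so that a mail failure still leaves
 * a trace on disk.
 */
function pin_default_role_notify( $attempted_role ) {
    $user = wp_get_current_user();
    $who  = $user->exists() ? $user->user_login : '(no logged-in user)';
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    $subject = sprintf( '[%s] Blocked change of default_role', get_bloginfo( 'name' ) );
    $body    = sprintf(
        "User %s (IP %s) tried to set default_role to \"%s\" at %s.\n"
        . "The setting is pinned to \"%s\" by the pin-default-role mu-plugin.\n",
        $who,
        $ip,
        $attempted_role,
        current_time( 'mysql' ),
        PINNED_DEFAULT_ROLE
    );

    wp_mail( get_option( 'admin_email' ), $subject, $body );
    error_log( $subject . ': ' . $body );
}
```

Two caveats follow directly from the replies above. First, an Administrator can open Plugins > Plugin Editor (or upload a file-manager plugin) and simply delete this file, and then both the pin and the notification are gone; adding `define( 'DISALLOW_FILE_EDIT', true );` and `define( 'DISALLOW_FILE_MODS', true );` to wp-config.php removes the built-in editors and the plugin/theme install and update screens from the dashboard, which narrows that path but does not close it, since FTP, the hosting control panel or a vulnerable plugin can still write files. Second, the read filter masks a direct database edit rather than detecting it, so a separate check that compares the raw `wp_options` row against the pinned value belongs in whatever file-integrity or configuration monitoring the site already runs. In other words, this is a tripwire for a careless or opportunistic change, not a defence against a hostile Administrator, which is exactly the distinction @jarretc draws.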
