Registration by itself is not a security problem at all. If it was, any site that used registration for comments or user accounts would be vunerable.
The reason that some people seem to think that it’s an issue is that a user account has very limited access to the admin area, enough to update their profile details and that’s about all. Unless you’ve done something very far out of the box, the only thing that can come from a standard user set as a “subscriber” is some extra SPAM’y comments.
Thread Starter
Dave
(@omshankar)
If I allow user to upload their profile picture then if user upload any shell/malware with the extension .jpg then? Will wordpress disallow these shell which has extension .jpg? Because lots of sites are being hacked by this method. They upload encrypted shell by changing its extension .php to .jpg and then done. SIte got hacked once shell was uploaded.
By default, users don’t upload profile images in WordPress. That’s taken care of by Gravatar. So you’d have to check with whatever plugin/theme you’re using that allows that functionality.
Thread Starter
Dave
(@omshankar)
So in short if I enable registration then no hacking issue will come?
It shouldn’t come just from registrations.
