Support » Everything else WordPress » Security issues with giving free WP accounts to general public

  • Resolved shinta


    Hi, I run a webhosting company and am thinking of giving free WP accounts to the general public (via painless application process). A new user would only have access to their WP admin account; no shell, no ftp, no control panel, nothing except WP admin username and password, and their own subdomain. My question is this: would an anonymous person with a WP admin account on my server be able to compromise my server by installing malicious scripts? Is it safe to give a WP admin account to someone who, as far as you know, could be a mass spammer, hacker, terrorist, etc.? Any feedback would be much appreciated. Thanks!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Matt Mullenweg



    It is conceivable if they can edit templates they can run any PHP code they want.

    Thanks for your reply, Matt.

    Are the templates they only place they can insert their own PHP code? I could probably easily disable template modification, but then that would greatly limit the customizability of WP. Another option is to add a hook to the template modification to check for certain PHP functions, but that would require more work, and it may still create conflicts with legit users.

    Hmmm…. what to do? I really want to provide a free WP hosting service to people who can’t afford a host, but I don’t want make my servers vulnerable to total strangers (versus paying customers who can be easily identified). Anyone have any ideas, or know of some other place/people that might have solutions? 🙂



    Member is doing exactly this.

    Users get author permissions only. You can create categories and links, but you cannot install plugins or alter themes.

    Ah, wonderful. Thanks for the link 🙂
    Hmm… it looks like it’s by invite only. That’s an interesting way to do it. Looks like google has started (or rather, popularized) quite a trend. 😉

    Well, that’s great. If there’s already a free WP host out there, I don’t need to worry about that aspect anymore. 🙂 I’m thinking of giving users a choice of 3 or so popular open source blogging tools so that they’re not limited to only 1 option (even if WP is the best out there ;)). So, I probably will still include free WP hosting as one of my options.

    Hmm… as a user with author permissions only, you have no control over the look and feel of your WP site, right? I’d think people would find that rather limiting…




    Authors at can select from one of the installed themes. Crurrently, seven themes are available from which to select.

    No, it’s not ideal for someone looking to really tweak their site. But for someone more interested in blogging than fiddling with their blog, it’s a viable solution.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Security issues with giving free WP accounts to general public’ is closed to new replies.