Changeset 61687

Timestamp:

02/19/2026 09:42:59 AM (3 weeks ago)

Author:

audrasjb

Message:

Administration: Warn when open registration and new user default is privileged.

Previously, WordPress allowed site owners to open registration AND to set the default new user level to "Administrator" or "Editor". While this combination may make sense for some sites, this is genrally a really really bad idea.

With this changeset:

• Administrator and Editor roles are now removed from the new user default role selector in the General Options admin screen.
• If such a role was selected before, an alert is shown in Site Health.
• A new filter is introduced: default_role_dropdown_excluded_roles allows developers to change the default excluded roles in the dropdown.

Props kraftbj, subrataemfluence, roytanck, dd32, ottok, jrf, eatingrules, verygoode, generosus, stevejburge, arunu1996, benniledl, audrasjb, mukesh27, swissspidy, Mte90, zodiac1978, pooja1210, davidbaumwald, johnbillion, jorbin, SirLouen, oglekler, kirasong, shailu25, huzaifaalmesbah, jsmansart.
Fixes #43936.

Location:

trunk/src/wp-admin

Files:

• includes/class-wp-site-health.php (modified) (2 diffs)
• includes/template.php (modified) (1 diff)
• options-general.php (modified) (1 diff)

trunk/src/wp-admin/includes/class-wp-site-health.php

@@ -1878 +1878 @@
             );
             $result['status'] = 'recommended';
+        }
+
+        return $result;
+    }
+
+    /**
+     * Tests if registration is open to everyone and the default role is privileged.
+     *
+     * @since 7.0.0
+     *
+     * @return array The test results.
+     */
+    public function get_test_insecure_registration() {
+        $users_can_register = get_option( 'users_can_register' );
+        $default_role       = get_option( 'default_role' );
+
+        $result = array(
+            'label'       => __( 'Open Registration with privileged default role' ),
+            'status'      => 'good',
+            'badge'       => array(
+                'label' => __( 'Security' ),
+                'color' => 'blue',
+            ),
+            'description' => '<p>' . __( 'The combination of open registration setting and the default user role may lead to security issues.' ) . '</p>',
+            'actions'     => '',
+            'test'        => 'insecure_registration',
+        );
+
+        if ( $users_can_register && in_array( $default_role, array( 'editor', 'administrator' ), true ) ) {
+            $result['description'] = __( 'Registration is open to anyone, and the default role is set to a privileged role.' );
+            $result['status']      = 'critical';
+            $result['actions']     = sprintf(
+                '<p><a href="%s">%s</a></p>',
+                esc_url( admin_url( 'options-general.php' ) ),
+                __( 'Change these settings' )
+            );
         }
 
@@ -2890 +2926 @@
                     'test'  => 'autoloaded_options',
                 ),
+                'insecure_registration'        => array(
+                    'label' => __( 'Open Registration with privileged default role' ),
+                    'test'  => 'insecure_registration',
+                ),
                 'search_engine_visibility'     => array(
                     'label' => __( 'Search Engine Visibility' ),

trunk/src/wp-admin/includes/template.php

@@ -968 +968 @@
  *
  * @since 2.1.0
- *
- * @param string $selected Slug for the role that should be already selected.
- */
-function wp_dropdown_roles( $selected = '' ) {
+ * @since 7.0.0 Added $editable_roles parameter.
+ *
+ * @param string $selected       Slug for the role that should be already selected.
+ * @param array  $editable_roles Array of roles to include in the dropdown. Defaults to all
+ *                               roles the current user is allowed to edit.
+ */
+function wp_dropdown_roles( $selected = '', $editable_roles = null ) {
     $r = '';
 
-    $editable_roles = array_reverse( get_editable_roles() );
+    if ( null === $editable_roles ) {
+        $editable_roles = array_reverse( get_editable_roles() );
+    }
 
     foreach ( $editable_roles as $role => $details ) {

trunk/src/wp-admin/options-general.php

@@ -305 +305 @@
 <th scope="row"><label for="default_role"><?php _e( 'New User Default Role' ); ?></label></th>
 <td>
-<select name="default_role" id="default_role"><?php wp_dropdown_roles( get_option( 'default_role' ) ); ?></select>
+    <?php
+    /**
+     * Filters the roles to be excluded from the default_role option.
+     *
+     * @since 7.0.0
+     *
+     * @param string[] $roles_to_exclude Array of roles to exclude from the dropdown.
+     *                                   Defaults to administrator and editor.
+     */
+    $excluded_roles = (array) apply_filters( 'default_role_dropdown_excluded_roles', array( 'administrator', 'editor' ) );
+
+    $editable_roles = array_reverse( get_editable_roles() );
+
+    $selected = get_option( 'default_role' );
+
+    foreach ( $editable_roles as $role => $details ) {
+        if ( in_array( $role, $excluded_roles, true ) && $role !== $selected ) {
+            unset( $editable_roles[ $role ] );
+        }
+    }
+    ?>
+    <select name="default_role" id="default_role"><?php wp_dropdown_roles( $selected, $editable_roles ); ?></select>
 </td>
 </tr>