WordPress Contributor Role Vulnerability

Since a lot of poker blogs out there are powered by WordPress, I thought I would help get the word out about a vulnerability that exists if you allow users to register on your site. On another (not poker related) blog I run I’ve been getting occasional posts in Polish, which is odd because the poster is listed as having “Contributor” permissions. That means he should be able to write posts, but they can’t go live to the world unless they’ve been approved by me. How are they ending up on the website without my ever approving them? I don’t know, but in investigating the issue I’ve run across a few other sites that have run into the same problem, including the same person (klamka13303) doing the posting. Their research seems to indicate that over 300,000 blogs have been hit by this guy already.

If you are running WordPress you should take a moment and log into your admin control panel. From there go to Settings >> General. You will see the following options:

[Screenshot: WordPress Security Vulnerability Fix]

The safest route seems to be to disallow registration. If you’re the only person who posts on your blog you probably don’t need people to register anyway, so it shouldn’t be too big of a deal. If you need to have people register on your site, I guess your second option would be to set the New User Default Role to “Subscriber” rather than Contributor. I’m not sure if that stops the exploit, but in theory they wouldn’t even be able to create or save a post. Then again, they’re not supposed to be able to publish their own posts as a Contributor, which is why just disabling user registration seems like the most prudent option if you can do it.
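The two settings above are stored as ordinary WordPress options (`users_can_register` for the “Anyone can register” checkbox and `default_role` for the New User Default Role), so they can be pinned in code rather than relying on the admin screen, and the same hook system can watch for the symptom described in this post: a post going live under an author who is not allowed to publish. The following must-use plugin is an added example, not code from the original post or from WordPress itself; the file name and the log message format are assumptions, while the option names, filters, actions and functions it calls are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Contributor Hardening (added example, not part of the original post)
 *
 * Save as wp-content/mu-plugins/contributor-hardening.php so it loads on
 * every request without needing activation. It enforces the two
 * Settings > General choices recommended above and logs (then reverts)
 * any post that reaches "publish" under an author who lacks the
 * publish_posts capability, which is exactly what a Contributor lacks.
 */

// 1. Force "Anyone can register" off, regardless of what the database says.
//    pre_option_{name} short-circuits get_option(); __return_zero yields 0.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// 2. Force the New User Default Role to Subscriber (option name: default_role),
//    so a registration that slips through still cannot create or save posts.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// 3. Detection: transition_post_status fires on every status change with
//    ($new_status, $old_status, $post). Anything landing in "publish" from an
//    author without publish_posts is logged and sent back to moderation.
add_action( 'transition_post_status', function ( $new_status, $old_status, $post ) {
    if ( 'publish' !== $new_status ) {
        return;
    }
    if ( user_can( (int) $post->post_author, 'publish_posts' ) ) {
        return; // Author, Editor and Administrator are allowed to publish.
    }

    // Record enough to investigate afterwards: post ID, author ID, prior status.
    error_log( sprintf(
        '[contributor-hardening] post %d by user %d went %s -> publish; reverting to pending',
        $post->ID,
        $post->post_author,
        $old_status
    ) );

    // Put the post back into the review queue. This fires the hook again with
    // $new_status = 'pending', which returns early above, so there is no loop.
    wp_update_post( array(
        'ID'          => $post->ID,
        'post_status' => 'pending',
    ) );
}, 10, 3 );
```

Because the filters override the option at read time, the Settings > General screen will keep showing the enforced values even if someone with admin access changes and saves them; check the PHP error log (or wherever `error_log` is routed on your host) for the `[contributor-hardening]` lines to see whether anything is actually reaching “publish” without the right capability. The same two settings can be applied without a plugin using WP-CLI (`wp option update users_can_register 0` and `wp option update default_role subscriber`), which is convenient when auditing several blogs at once. None of this explains how the posts are getting published in the first place; it only closes the registration door and makes the symptom visible.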

Bill Rini

Bill Rini has been working in the online poker industry since 2004. He was a product manager for poker at Full Tilt and was the poker room manager at PartyPoker. Currently, Bill is the Head of Online Poker for WSOP. Bill has been blogging about online poker since 2003 and is considered one of the leading authorities on the online poker industry. "I like what Bill Rini said in his blog" - Doyle Brunson. "In other news, we had Bill Rini write an absolutely home run blog." - Daniel Negreanu. "Industry insider Bill Rini has one of the most popular blogs in poker, with thousands of subscribers and fans regularly coming back for his universally respected insight into the industry" - Barry Carter (News editor for PokerStrategy, Co-Author: The Mental Game of Poker)


3 Responses

  1. Hi Bill… Thanks for the mention… I have also stopped registration on my blog. Hope this is resolved by WordPress soon…

  2. Stuart says:

    Great info Bill, thanks a lot, love the blog too, great read, laughs and good info too

  1. March 21, 2011

    […] great about it is that I posted a link to my post about the WordPress Contributor Role Vulnerability on Twitter and I could immediately see how many people were clicking on the link, where they were […]