WordPress Contributor Role Vulnerability
Since a lot of poker blogs out there are powered by WordPress, I thought I would help get the word out about a vulnerability that exists if you allow users to register on your site. On another (not poker related) blog I run, I’ve been getting occasional posts in Polish, which is odd because when I look at the poster he is listed as having “Contributor” permissions. That means he should be able to write posts, but they can’t go live to the world unless they’ve been approved by me. How are they ending up on the website without my ever approving them? I don’t know, but in investigating the issue I’ve run across a few other sites that have run into the same problem, including the same person (klamka13303) doing the posting. Their research seems to indicate that over 300,000 blogs have been hit by this guy already.
If you are running WordPress you should take a moment and log into your admin control panel. From there go to Settings >> General. The two options that matter here are the “Anyone can register” checkbox under Membership and the “New User Default Role” drop-down:
The safest route seems to be to disallow registration. If you’re the only person who posts on your blog you probably don’t need people to register anyway, so it shouldn’t be too big of a deal. If you need to have people register on your site, your second option would be to set the New User Default Role to “Subscriber” rather than Contributor. I’m not sure if that stops the exploit, but in theory a Subscriber wouldn’t even be able to create or save a post. Then again, Contributors aren’t supposed to be able to publish their own posts either, which is why just disabling user registration seems like the most prudent option if you can do it.
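For anyone who would rather check and apply those two settings from the command line, and at the same time find out whether any post on the site is already live under a Contributor account, here is a small WP-CLI script. It is an added example written for this post, not code from WordPress or from the original author; it uses only the standard WordPress functions (get_option, update_option, get_users, get_posts) and assumes you run it from the site root with `wp eval-file`. The APPLY_FIX constant is an assumption of the example: it defaults to a dry run, and you flip it to true only after reviewing the output.

```php
<?php
/**
 * Added example (not part of the original post): audit and harden the
 * two Settings >> General options discussed above, then list every
 * published post whose author still holds the Contributor role.
 *
 * Usage (from the WordPress site root):
 *   wp eval-file contributor-audit.php
 */

// Assumption: the operator sets this to true after reading the dry-run output.
const APPLY_FIX = false;

if ( ! function_exists( 'get_option' ) ) {
    fwrite( STDERR, "Run this inside WordPress, e.g. via `wp eval-file`.\n" );
    exit( 1 );
}

// 1. The two registration settings from Settings >> General.
$can_register = (bool) get_option( 'users_can_register' );
$default_role = (string) get_option( 'default_role' );

printf( "Anyone can register:   %s\n", $can_register ? 'YES (open registration)' : 'no' );
printf( "New user default role: %s\n", $default_role );

if ( APPLY_FIX ) {
    // Same changes the post recommends making in the dashboard.
    update_option( 'users_can_register', 0 );
    update_option( 'default_role', 'subscriber' );
    echo "Applied: registration disabled, default role set to subscriber.\n";
} elseif ( $can_register || 'subscriber' !== $default_role ) {
    echo "Dry run only. Set APPLY_FIX to true to write the hardened settings.\n";
}

// 2. Contributors are supposed to submit posts for review, so any post that
//    is already 'publish' with a Contributor as its author deserves a look.
$contributor_ids = get_users( array( 'role' => 'contributor', 'fields' => 'ID' ) );

if ( empty( $contributor_ids ) ) {
    echo "No users currently hold the Contributor role.\n";
    return;
}

$live_posts = get_posts( array(
    'post_type'   => 'post',
    'post_status' => 'publish',
    'author__in'  => $contributor_ids,
    'numberposts' => -1,
    'orderby'     => 'date',
    'order'       => 'DESC',
) );

printf( "%d published post(s) authored by Contributor accounts:\n", count( $live_posts ) );
foreach ( $live_posts as $post ) {
    $author = get_userdata( $post->post_author );
    printf(
        "  #%d  %s  by %s  \"%s\"\n",
        $post->ID,
        $post->post_date,
        $author ? $author->user_login : 'unknown',
        $post->post_title
    );
}
```

The second half is the part the dashboard does not give you: it answers the question in the post (are there posts live that were never approved?) without paging through the Posts screen. If it lists anything, that is the content to review and unpublish, and the account to look at, before or after you close registration.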