After WordCamp Paris 2014, I'm back to share a tip: some WordPress options should be forced to fixed values, because if left writable they can be turned against you:
Force the admin email address
Force this value to a hardcoded one and you'll be sure to always receive the important emails WordPress sends.
Force the "no registration" setting
Same idea: if I leave this option unchecked, it is because my website does not and will not accept members.
Force the default new user role
Honestly, between us, who would use "Administrator" here? I don't even understand why this choice is possible. So I set it to "Subscriber", and if I want one of my members to become an Admin, I'll do it manually.
For all of that, a simple piece of code with 3 hooks:
Copy/paste this code into a PHP file of yours, then put it in the "/wp-content/mu-plugins" folder (create it if it doesn't exist). Do not forget to change the default URL in the plugin.
(Code embedded from GitHub Gist 8499149.)
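An added example of such an mu-plugin, written for this post and not the Gist above; the email address and plugin name are placeholders you replace with your own:

```php
<?php
/*
Plugin Name: Force critical options (example)
Description: Pins admin_email, users_can_register and default_role so that
             a rogue update_option() cannot change what WordPress reads.
*/

// Placeholder address: replace with your own before deploying.
define( 'FORCED_ADMIN_EMAIL', 'admin@example.com' );

// WordPress runs the "pre_option_{$option}" filter at the start of get_option().
// Any return value other than false is handed back to the caller and the
// database row is never consulted, so whatever an attacker wrote there is inert.
add_filter( 'pre_option_admin_email', function () {
    return FORCED_ADMIN_EMAIL;
} );

// users_can_register is stored as "0"/"1". The check in get_option() is
// `false !== $pre`, so returning the integer 0 still short-circuits it.
add_filter( 'pre_option_users_can_register', function () {
    return 0;
} );

// Role slugs are lowercase; wp_insert_user() reads this when a role is not given.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// Belt and braces: also refuse writes, so the stored values never drift.
// "pre_update_option_{$option}" receives ($value, $old_value); returning the
// old value makes update_option() a no-op.
foreach ( array( 'admin_email', 'users_can_register', 'default_role' ) as $opt ) {
    add_filter( "pre_update_option_{$opt}", function ( $value, $old_value ) {
        return $old_value;
    }, 10, 2 );
}
```

The file must sit directly in wp-content/mu-plugins (not in a subfolder) to be loaded automatically, and mu-plugins cannot be deactivated from the dashboard, which is exactly what you want here.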
Malicious, how?
Suppose, for example, that you or your clients have a theme which contains a security flaw, and that flaw amounts to "whatever option I want, I can update it" (I have already seen this). The flaw lets a simple user modify any WP option! The attacker can then touch any setting he needs, like the 3 above.
I count on you to put this tip in place!