Any risk for giving users access to the back-end?


(Rob) #1

Just wanted to clarify if there’s any risk to giving users access to the backend. I mean besides giving someone admin rights if I give a more restrictive role like contributor or author I should be all good right. I"ve read some articles warning about giving users access to the back-end and I’m not sure if I am misunderstanding the warning as a general warning or if there’s something else I should look out for.


(Leland Fiegel) #2

Yes, because it opens your site up to privilege escalation attacks.

For example, WordPress 3.6.1 was released in part because of this:

Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij. CVE-2013-4340.

While “another user” could mean impersonating an admin in a blog post, some privilege escalation vulnerabilities open the door to full site takeovers.

Here’s another example with the WPLMS theme.

then function import_data can be called by logged in users
and executed which can lead to modifying wordpress settings and adding a
new administrator which may cause the site a full take over


I sometimes see WordPress sites that open up registration for no reason other than to let users leave comments. I don’t quite get it because it needlessly opens the door to privilege escalation attacks.

Obviously, if you have a real business need to open up registrations, it should be fine. Plenty of sites do it.

Just pay extra attention to vulnerability reports of any themes or plugins you’re using, and ensure your own custom code is not vulnerable to privilege escalation.


(Rob) #3

Thanks for the explenation and links. I see… yes I have a situation where 1 site needs to allow users to register just to leave comments.

Wonder if a plugin that resticts users from the back-end would harden security and make it safer against privilege escalation. Such as https://wordpress.org/plugins/remove-dashboard-access-for-non-admins


#4

hi @r083rt
i am also creating a network of multisites in a single wp installation
and i want to know what plugins are you using and your experience.
you can use wp-user-frontend (https://wordpress.org/plugins/wp-user-frontend/) plugin on wp
for your requirement
you mentioned in a post about WPMUDEV guys
can you tell me about how responsible they are because i was thinking of subscribing
to WPMUDEV but there are lot of negative reviews about them


(Rob) #5

Hi @prakhar,

I think to go off topic is frowned on and the site admin prefers people start separate topics as in this case. Just a friendly reminder.

I have another post asking specifically about posting through the back-end so Wp User Frontend Plugin won’t work for me. But thanks anyways.

I won’t list all my plugins but the ones that pertain to managing multiple sites, well I am testing MainWP and ManageWP. MainWP is a plugin you install on each site. The main site has the MainWP plugins, and all others have the ChildWP plugin. They also have extensions which I find useful, such as Clone, then there’s another plugin for managing all the settings across WordFence (if you have WordFence installed across all your sites for example).

As far as WPMUDEV, yes I’ve also read plenty of negative reviews. I think their plugin lack solid documentation and they are shooting themselves in the foot. If they had better documentation it would be a lot smoother to work with their plugins. Some plugins have a feature that doesn’t work for example and I found a small bug and emailed them about it.

That being said they seem to respond to forum support topics. From my experience, you will have to write a lot and there will be much back-and-forth to ask how certain things work, or to troubleshoot errors. The more complex your project is the more you will have to go through this back-and-forth.

On a side note Restrict Content Pro plugin does have a way to accept payments and then create a new sub-site on WP multisite installation. It’s an extra extension to their plugin and it’s on their site.


(Leland Fiegel) #6

That’s true. :slight_smile:

@prakhar, feel free to start a separate thread if you’d like to hear other WP Chatters’s experiences of WPMU Dev. This isn’t really a relevant topic for that sort of discussion.

By the way, Paid Memberships Pro can do this too: https://www.paidmembershipspro.com/add-ons/plus-add-ons/pmpro-network-multisite-membership/