Home Testimonials Company Support 1–888–873–0817
Home Notes Malware Signatures About

All across the internet we find guides and tutorials on how to keep your WordPress site secure, and they all approach the concept of user roles, but not many actually approach the capabilities of those roles.

The way the capabilities are handled on WordPress make it quite easy to change what each role is allowed to do.

How WordPress Sets Role Capabilities

To better understand, we need to first look at how WordPress manages the capabilities of the roles (what it is allowed to do, be it either add/remove users, create/delete posts, etc...). This is defined on the database, in the wp_options table option_name - wp_user_roles

The Risk

As we previously experienced, attackers are focusing on modifying serialized data within the wp_options table.Due to the feeling that webmasters understand the role “Subscriber” can’t do much about this becomes a serious problem attackers can leverage by simply modifying the wp_user_roles field on the wp_options table (see below):

(Note: The attackers first need to either compromise your website or gain database access in order to accomplish this.)

Attackers can quite easily give every subscriber full administration capabilities. Allow me to show you by using the plugin Capability Manager Enhanced