Spam subscribers becoming users through backdoor?

What do you mean by “become Users”? Subscribers are users with only read access. Do not confuse WordPress subscriber role with subscribers to a mailing list. There is no connection.

You never set the default user role to Editor or Administrator, unless you are running a sandbox. At least not when your blog is open for users to register themselves. You are aware that you may turn that feature off?

And exactly why do you suspect a “backdoor”, other than plain user registration?

Please do not use ALL CAPS in the subject line. It looks like SCREAMING.

Thanks for the response.

Literally, became Users in a WordPress Role. How could they that if there wasn’t an option to do so. I never added them. And, as said, the edresses are dodgy.

There is no default role in WordPress called “Users”. Have you set up some custom user roles?

There is such an option. Are you aware of the Settings – General – Membership: Allow any user to register? If ticked, anybody can become a user, preferably with the subscriber role (se below that option)

Are you aware of the Settings – General – Membership

That’s added by a plugin that sets up custom roles – as per my original question. It’s not part of WP core.

I’m thought i was with Knut on that. I’ve always had Settings -> General -> New User Default Role.

I have made about a dozen WordPress sites. Having 2 unidentified people become Subscribers in a default user role was a first for me. I may have deleted them and upgraded WordPress but i still feel it was of enough concern to share.

There is no User role in WordPress core. See Roles_and_Capabilities. Nor is there a Settings – General – Membership menu in core. These are being added by a plugin.

I don’t understand because there’s always been an option to be an Administrator, Editor, Author, Subscriber.

@esmi: That is not added by a plugin. It’s a checbox that tells WordPress to accept registrations. It’s in core.

If you have other roles than subscriber, contributor, author, editor and administrator, then you have plugin that lets you define new roles. I thinks this is not the case here.

@wickedmike: I had a couple of spam user registrations every day until a made it more difficult to register on tyhose blogs that was most spammed or “probed” by this.

A subscriber has no rights to change anything and may only se a few statistics about the number of posts and comments, theme ad widgets and so on. A subscriber can not read unpublished or private material or list plugins. (Unless you change the capabilities, that is.)

The only reason registeringand then stay a subscriber is that you may comment without entering your name and e-mail address.

Yes – and Contributor. But no “User”. That’s a custom role. And since it’s been created via a plugin, this does suggest that the plugin itself may have inadvertently opened up a hole.

Thanks all! Nice that people bother to give their input.

I’m not overly worried but always cautious after being hacked by fundamentalists on a previous, non-Wordpress site. It’s worthwhile mentioning in case others had had the same experience, after all, people doing what they shouldn’t be doing can only mean bad intention of some sort.

I’ll rest on this thread but hopefully it stays open for a while in case there’s a repeat.

Thank you.

If you have other roles than subscriber, contributor, author, editor and administrator, then you have plugin that lets you define new roles. I thinks this is not the case here.

Just to reiterate – The role NAMED ‘User’ would be a newly defined role. Something made it.

wickedmike – What plugins ARE you using?

Sorry for being unclear. I was speaking of User roles and not a role called User.

Okay ?? That matters a GREAT deal!

So to unravel all this, can you explain what you mean here:

I have had 2 “subscribers” automatically become Users instead of subscribers.

What user role were they granted?

Subscriber which is default.

Main point is that i never added them and there is no option for them to add themselves. And their edresses were obviously not real.