
Author: Government Digital Service

WordPress registration enabled

What this means

This refers to a potential misconfiguration where the default WordPress registration feature is left open, allowing anyone to register and create an account on the site. 

Why this is a problem

If this is unintended and/or not carefully managed, attackers can register accounts and use them to impersonate trusted individuals, or to edit or interact with the site in unintended ways, such as leaving comments against articles and posts.

How to check if the problem is there

Check WordPress Settings:

  1. Log into the WordPress Admin Panel.
  2. Navigate to Settings > General.
  3. Look for the option “Anyone can register” under “Membership.”

How to fix this

If you have determined that user registration is not required for your website, then disable this setting by following the steps below:

  1. Log into the WordPress Admin Panel.
  2. Navigate to Settings > General.
  3. Uncheck the option “Anyone can register” under “Membership.”
  4. Save changes.
  5. Go to Users > All Users to check if there are unauthorised or spam accounts.

If you require users to access your site for collaboration purposes, consider adding users via an invite instead of allowing self-registration. More information on this can be found on the WordPress site.

In addition to this, consider implementing the following controls:

  • if registration is necessary, set the new user default role to the lowest permission level.
  • enable CAPTCHA for registration, to prevent bots from registering.
  • keep your WordPress site up to date, so that the registration system is free of known vulnerabilities.
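As an added example that is not part of this page, the following POSIX shell script carries out the check, the fix and the default-role control above with WP-CLI, which is assumed to be installed and run from the WordPress root. The `registration_risk` function, its verdict strings and the constructed values used to exercise it are this example's own; the `wp option` and `wp user list` commands and the `users_can_register` and `default_role` option names are WordPress's.

```shell
#!/bin/sh
# Audit and remediate WordPress self-registration using WP-CLI.
# The decision logic (registration_risk) is kept separate from the
# wp calls so it can be exercised with constructed values offline.

# registration_risk USERS_CAN_REGISTER DEFAULT_ROLE
# Prints a one-line verdict. Returns 0 when self-registration is
# disabled, 1 when it is open (the "Anyone can register" box is ticked).
registration_risk() {
  can_register="$1"
  default_role="$2"
  # The option is stored as "1" when ticked and "0" (or absent) when not.
  if [ -z "$can_register" ] || [ "$can_register" = "0" ]; then
    echo "OK: self-registration disabled"
    return 0
  fi
  case "$default_role" in
    subscriber)
      # Open, but new accounts get the lowest built-in role.
      echo "WARN: self-registration open; new users get role 'subscriber'"
      ;;
    *)
      # Open and new accounts get a role that can create or edit content.
      echo "HIGH: self-registration open; new users get elevated role '$default_role'"
      ;;
  esac
  return 1
}

# audit_live_site: read the two settings from the running site and list
# the accounts so unauthorised or spam registrations can be reviewed
# (the CLI equivalent of Settings > General and Users > All Users).
audit_live_site() {
  can_register=$(wp option get users_can_register)
  default_role=$(wp option get default_role)
  registration_risk "$can_register" "$default_role" || true
  wp user list --fields=ID,user_login,user_email,user_registered,roles
}

# remediate: untick "Anyone can register" and set the lowest default role.
remediate() {
  wp option update users_can_register 0
  wp option update default_role subscriber
}

# Usage: ./wp-registration-audit.sh --live   (audit the site)
#        ./wp-registration-audit.sh --fix    (audit, then remediate)
case "${1:-}" in
  --live) audit_live_site ;;
  --fix)  audit_live_site; remediate; audit_live_site ;;
esac
```

Run the audit first and review the user list before remediating: if accounts are needed for collaboration, create them deliberately with `wp user create` and a specific `--role` rather than re-enabling self-registration.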
