WordPress user registration enabled - Vulnerability Database

WordPress user registration enabled

Description

This WordPress installation has user registration publicly enabled (the "Anyone can register" option, stored in the `users_can_register` setting), so anyone who visits `wp-login.php?action=register` can create an account. While this may be intentional for community sites or membership platforms, it is often switched on and then forgotten. Open registration increases the attack surface: many WordPress core and plugin vulnerabilities are only exploitable by an authenticated user, so a self-registered account turns an authenticated-only issue into one any attacker can exploit. Self-registered accounts are also used for privilege escalation attempts, spam distribution, and reconnaissance of the authenticated parts of the site. If the default role assigned to new users is anything above Subscriber, the site is effectively handing elevated access to anyone who asks for it.

Remediation

If user registration is not required for your site's functionality, disable this feature immediately:

1. Log in to the WordPress admin dashboard with administrator credentials
2. Navigate to Settings > General
3. Locate the Membership section
4. Uncheck the option labeled "Anyone can register"
5. Click Save Changes at the bottom of the page

The same change can be made from the command line with WP-CLI (`wp option update users_can_register 0`). Verify the fix by requesting `wp-login.php?action=register` without being logged in: with registration disabled, WordPress redirects to `wp-login.php?registration=disabled` instead of serving the registration form. On a multisite network the Membership checkbox is not shown in Settings > General; registration is controlled under Network Admin > Settings > Registration Settings ("Allow new registrations") instead.

If you require user registration for legitimate purposes, implement additional security controls:
- Install a CAPTCHA plugin to prevent automated registrations
- Require email verification so that an account can only be activated from a mailbox the registrant controls
- Implement account approval workflows so that new registrations are reviewed before the account becomes usable
- Set the default role for new users (Settings > General > New User Default Role) to the minimum privilege level necessary, normally "Subscriber"; any default above Subscriber should be treated as a serious misconfiguration
- Monitor new user registrations regularly for bursts of sign-ups, throwaway email domains, or accounts that never log in, which are typical of automated abuse
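The following script is an added example, not code from Invicti or from WordPress, that automates the check described above: it requests `wp-login.php?action=register` without following redirects and classifies the response as registration enabled, disabled, or unknown, based on the core behaviour of redirecting to `registration=disabled` when the option is off and serving the `registerform` form when it is on. The sample responses at the bottom are constructed for illustration; the host `example.test` is a placeholder. Use it both to confirm the finding and to re-test after saving the setting.

```python
"""Check whether a WordPress site exposes open user registration.

Added example for this page; not part of Invicti's scanner or of WordPress.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

REGISTER_PATH = "wp-login.php?action=register"
# WordPress core redirects here when the users_can_register option is off.
DISABLED_MARKER = "registration=disabled"
# The registration page rendered by wp-login.php contains this form element.
FORM_RE = re.compile(r'<form[^>]+id="registerform"', re.IGNORECASE)


def classify_registration(status, headers, body):
    """Classify one HTTP response to wp-login.php?action=register.

    Returns "disabled" when the site redirects to registration=disabled,
    "enabled" when it serves the registration form, and "unknown" for
    anything else (WAF block, 404, non-WordPress host, custom login page).
    """
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    location = hdrs.get("location", "")
    if status in (301, 302, 303, 307, 308) and DISABLED_MARKER in location:
        return "disabled"
    if status == 200 and FORM_RE.search(body or ""):
        return "enabled"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 302 itself is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(site_url, timeout=10):
    """Fetch the registration endpoint of a live site and classify it."""
    url = urljoin(site_url.rstrip("/") + "/", REGISTER_PATH)
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, headers={"User-Agent": "wp-registration-check/1.0"}
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_registration(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:
        # urllib raises HTTPError for the unfollowed 3xx as well as 4xx/5xx.
        body = err.read().decode("utf-8", "replace")
        return classify_registration(err.code, dict(err.headers), body)


# Constructed sample responses (not captured from a real site).
SAMPLE_DISABLED = (
    302,
    {"Location": "https://example.test/wp-login.php?registration=disabled"},
    "",
)
SAMPLE_ENABLED = (
    200,
    {"Content-Type": "text/html; charset=UTF-8"},
    '<html><body><form name="registerform" id="registerform" '
    'action="https://example.test/wp-login.php?action=register" method="post">'
    '<input type="text" name="user_login" id="user_login" />'
    '<input type="email" name="user_email" id="user_email" />'
    '</form></body></html>',
)
SAMPLE_BLOCKED = (403, {"Server": "nginx"}, "Forbidden")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(probe(sys.argv[1]))
    else:
        for name, sample in (("disabled", SAMPLE_DISABLED),
                             ("enabled", SAMPLE_ENABLED),
                             ("blocked", SAMPLE_BLOCKED)):
            print(name, "->", classify_registration(*sample))
```

Run it as `python3 check_registration.py https://example.test/` (hypothetical filename and host) against a site you are authorised to test; a result of "enabled" reproduces this finding, and "unknown" means the endpoint is blocked or not standard WordPress, not that registration is closed.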

Related Vulnerabilities