Dr Dave of Spam Karma fame warns of a potential security risk:
If you are running WordPress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).
Additionally, delete or disable ANY guest account already created by people you are not sure about.
Leaving it open and letting people sign-up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.
He has taken some flak for this (as it’s not, AFAIK, backed up by the official WordPress folk) and I’m not making a recommendation one way or the other (I already had that option off), but any readers who do allow users to register on their WordPress blog should have a read and make up their own minds.
Update: A new version of WordPress has been released which apparently resolves this security issue.
Recent comments