WordPress Commenting System User access and Security

From a security point of view, it is always better not to have users you do not manually approve, as writing correct code that tests against a specific privilege is generally harder than a code that has a binary state of logged-in/not logged-in.

Core has its privilege escalation bugs from time to time, but plugin and theme writers too many times do not fully grasp the concept of privileges which results in coding mistakes which may lead to privilege escalation.

That said, a subscribe role should be fairly safe, it can still access the admin, but I am sure there are plugins to prevent it, but can’t do much except for changing his profile related settings.

To sum it up, it is not a good idea to have users on a shop site just because you want (I assume) some anti-spam measure in your blog. Either let comments be “free” for all, or don’t use a multisite, but a separate wordpress installs.

Related Posts:

  1. Add a drop down list to comment form?
  2. Name of comment field differs on different sites
  3. get_comment_meta not behaving as expected
  4. How to filter comments by comment_meta
  5. Top rated posts Average rating issue
  6. add field comment [duplicate]
  7. How to rearrange fields in comment_form()
  8. comment_post_ID 0 (cannot remove from dashboard)
  9. Removing the “Website” Field from Comments and Replies?
  10. How to add a class to the comment submit button?
  11. How to wrap submit button of comment form with div
  12. comments reply script not working
  13. Why do I get accidental comments without (the required) email address?
  14. How do I set up real anonymous posting in bbpress forums? [closed]
  15. How to allow the reply link to remain on the comment form after I have reached my 10 nested comment limit?
  16. Using filter to add additional fields to comment_form()
  17. Programmatically block commenting by restricting view of comment form
  18. How to Block Access to Standard Login Flow and Comment Flow
  19. Add Comment Custom Field
  20. Custom Field Added In Comment Form Not Showing In Edit
  21. Upload images with comment
  22. How To Remove The “Click here to cancel reply” Link From The WordPress Comment Form
  23. What are the additional fields in wp_comments used for?
  24. Making a Comment on a page without being on that page?
  25. How to modify comments form using comment_form()?
  26. How to add consent checkbox in comment section
  27. How to add enctype to multipart/form-data to comment form?
  28. Changing position of cancel_comment_reply_link and other elements of comment form
  29. How would I count the number of times a comment meta field’s value is in a post’s entire comments?
  30. Share comment to twitter after publishing [closed]
  31. Disable comments
  32. How to add attributes to the comment form tag?
  33. Comment form connection to Gravity Forms
  34. Auto-fill Custom comment fields
  35. Change order of comment fields
  36. Get comments from post and sort by commentmeta value
  37. How to call my custom WordPress Comment form without getting the comments?
  38. Create comments.php form of custom HTML code
  39. How can I test why the comment hook is not working?
  40. comment_post action hook running on page load instead of after a comment is posted
  41. Add class to comment form div when comment-reply button is clicked
  42. To whom do emails get sent via the WordPress comments form?
  43. How to sort posts by the average of comment meta values
  44. Display complete comment section via post ID
  45. Notification if Comment Author Field is left empty. E.g. change input border colour
  46. Assign author to comment from post edit page
  47. How to retain comment text on comment form after login/registration?
  48. Check if comment was successfully submited
  49. Ajax submit comments
  50. Why could my comment_form variable not be working?
  51. Display avatar with comment form?
  52. How to get a value from comment meta
  53. reCaptcha doesnt appear in comment (manual or plugin)
  54. Make every comment go to the spam folder
  55. WordPress scruity issue – Totally disable all comments by CSS — secure enough?
  56. Update comment meta for all comments of specific post
  57. Add comment_meta to wp_comment_reply
  58. How are readers authenticated for leaving comments?
  59. How to get Post title by locale with Qtranslate-X
  60. How can I embed comments plugin to my own website?
  61. unsetting required fields in the comment reply form
  62. Cannot Remove Title Reply from Custom Comment Template for Signup Page
  63. comment just attachment .. reply just text … can I do that?
  64. Edit Comments Fields
  65. Same comment section on every page
  66. Update post “A” on comment submition on post “B”
  67. Upload avatar for post comment
  68. How to display replies to his comments in user profile of current user
  69. reply comment below the comment box without reload page
  70. Comment author profile image
  71. Force to show all fields in comment forms to the logged-in users
  72. Comment Form Fields when user logged in
  73. Author name length character limit?
  74. Check if comment author has url
  75. How to make comment reply available only for login members of a certain user roles only?
  76. How to call out the date of user’s first comment?
  77. Removing(replacing) avtar in comments.php with some other HTML arrangements
  78. How to pass settings to comment_form() if theme only uses comments_template()?
  79. edit comments in front end
  80. How to add a class to comment submit button?
  81. Comments.php is not getting called on main blog page
  82. How to enable truly anonymous posting in bbPress forums? [closed]
  83. Comment section not appearing on posts
  84. Echo out custom fields in comments
  85. reply to comment excerpt instead of author in comment title
  86. Adding restrictions to open comments
  87. wp-editor-area textarea disapear on cancel-comment-reply-link click
  88. Comment-Meta doesn’t work with latest wordpress update
  89. Display Comment Form on dedicated Page for each post
  90. Need an advice about comments
  91. Actual comments not showing, but form is?
  92. How to remove or customize “Comment” in comments form?
  93. How do I convert users who put an email and username for a comment into registered users? [duplicate]
  94. Clicking Comment “Reply” Button only replies to first comment
  95. Merge comments from Facebook with WP comments [closed]
  96. Why default comment fields don’t show up?
  97. How to enable truly anonymous posting in bbPress forums? [closed]
  98. Replace Entire Comment Box with Text
  99. How to hide and disable URL and email fields from comments?
  100. Show success message on comment submit when email and name is not required field