Question

Security Question.  If you operate a WordPress blog and give "un-trusted" writers contributor access to format and post content, what is your exposure to them gaining greater access to the system (eg.Security Question. If you operate a WordPress blog and give "un-trusted" writers contributor access to format and post content, what is your exposure to them gaining greater access to the system (eg. installing plugins / scripts or going for admin rights)? (No offense intended with the untrusted writers comment; if you're not part of the permanent team managing the site, you're untrusted from a security perspective. )

Answer 1

Just don't. There's no need to give anyone access to plugins or admin privileges if their role is to create content. We can't assess your exposure to malicious intent because we don't know what kind of users you might have and how you might vet them, but if there is a chance of malicious intent, access to WordPress plugins is full exposure to whatever exploit a plugin could accomplish, from stealing users passwords to using server resources in bot nets to creating hidden pages to taking full control of your site and maybe your server. Don't.  

Comments

The question was is the "contributor" role sufficiently locked down in WP or are there ample ways for a knowledgeable user to engage in privilege escalation.  

Answer 2

Waiting for a pearl of wisdom from Swoosh!  

Answer 3

I wrote for a blog as a writer and they were able to restrict my privileges. I could post and edit and that was pretty much it.  

Answer 4

You never know, everything could be hacked even if they don't have an account, its wordpress. most targeted CMS to be exploited, if you really want to be safe, just post content by yourself. let them share article on email but again, even . docx may have malicious viruses as Microsoft Office was exploited too.