Summary:
Integriti Studio investigated a WordPress site where subscriber-level users were unexpectedly uploading media files, and where unauthorized WordPress accounts were possibly being created. By auditing user roles, reviewing plugin and theme behavior, and tightening file upload permissions, the team resolved the issue and strengthened the site's overall security and access control.
Issue Background
The client noticed unusual activity on their WordPress website, including:
- A large number of suspicious subscriber accounts on the WordPress installation using free email providers
- Unexpected image and file uploads by non-admin users with limited user permissions
- No clear URL, dashboard, or form source for how these unauthorized WordPress users were being created
Initial suspicion pointed toward a compromised WordPress site, a vulnerable WordPress plugin, or misconfigured user roles and access permissions.
Diagnosis
After a full security audit and permission review, the following findings were confirmed:
- In a standard WordPress installation, the Subscriber role cannot access the Media Library or upload files through the WordPress dashboard
- A form-based file upload field (likely in Gravity Forms or a similar plugin) allowed files to be uploaded to WordPress regardless of the user's role, bypassing the normal access restrictions
- XML-RPC was active, increasing exposure to automated attacks and potential unauthorized access despite firewall layers
- A custom plugin named “Hospital Doctor Directory New” was reviewed for vulnerability, file access, and directory permissions but ultimately retained
- Several outdated plugins and the Avada theme had potential security vulnerabilities affecting file security, file integrity, and access to sensitive media files
Resolution Steps
User Cleanup + Audit
All unfamiliar WordPress user accounts were removed, and admin access, editor roles, and subscriber permissions were reviewed to prevent unauthorized WordPress access and restrict access to sensitive files.
Form Restrictions
File upload security was improved by limiting the allowed file types, restricting file size, blocking executable files such as PHP, and capping the number of file uploads per form entry, so that harmful files can no longer be uploaded.
Update Critical Plugins + Theme
All WordPress core files, plugins, and the Avada theme were updated to the latest versions to harden WordPress, fix known vulnerabilities, and improve basic security measures.
XML-RPC Confirmation
Confirmed with the hosting provider (Pressable) that XML-RPC was blocked by default via a firewall and WAF, reducing exposure to brute force and unauthorized access attempts.
Permission Testing
Verified that dashboard-based uploads were restricted properly and confirmed the issue originated from an unprotected form allowing direct file upload access outside standard WordPress permission rules.
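One way to enforce the type, size and capability restrictions described under Form Restrictions, and to make the Permission Testing step repeatable, is a small must-use plugin hooked into WordPress core's upload pipeline. This is an added illustration written for this page, not the configuration Integriti Studio applied; the file name, the 5 MB limit and the list of allowed types are assumptions.

```php
<?php
/**
 * Hypothetical must-use plugin (wp-content/mu-plugins/harden-uploads.php) that
 * enforces an allow-list of upload types, a size cap and a capability check on
 * every upload that passes through WordPress core's wp_handle_upload().
 * Added illustration for this write-up, not code deployed by Integriti Studio.
 */

// 1. Restrict the MIME types WordPress accepts site-wide (images and PDFs only, assumed).
add_filter( 'upload_mimes', function ( array $mimes ) {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
} );

// 2. Reject the upload before it is written to disk if the user lacks the
//    capability, the file is too large, or its extension/content fail the allow-list.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $max_bytes = 5 * MB_IN_BYTES; // assumed limit; tune to the site's needs

    if ( ! current_user_can( 'upload_files' ) ) {
        $file['error'] = 'Your account is not permitted to upload files.';
        return $file;
    }

    if ( isset( $file['size'] ) && $file['size'] > $max_bytes ) {
        $file['error'] = 'File exceeds the 5 MB limit.';
        return $file;
    }

    // Validates the extension and, where PHP's fileinfo/image functions allow, the real content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        $file['error'] = 'File type is not allowed.';
        return $file;
    }

    // Belt and braces: never accept anything the web server could execute, including double extensions.
    if ( preg_match( '/\.(php|phtml|phar|cgi|pl|py|sh)(\.|$)/i', $file['name'] ) ) {
        $file['error'] = 'Executable file types are blocked.';
    }

    return $file;
} );
```

These hooks only cover uploads that go through wp_handle_upload(); a form plugin that ships its own upload handler must be restricted through its own field settings, which is why the form itself had to be locked down in this case. Re-test with a Subscriber account after deploying, as the Permission Testing step did.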
Final Outcome
With WordPress user roles audited, file upload permissions secured, plugins and themes updated, and file restrictions enforced, the WordPress website no longer allows unauthorized media uploads or suspicious account creation. A stronger security layer is now in place to protect WordPress media files, directories, and private files, and ongoing WordPress security awareness was recommended.