Site Administrators are granted a lot of power with an administrator account, and with that power comes great responsibility. Admins should be aware that their account carries the unfiltered_html capability.
unfiltered_html: Allows a user to post HTML markup, or even JavaScript code, in pages, posts, comments and widgets.
Editor and Contributor roles are restricted from posting these types of scripts through the text editor. Upon save, any potentially dangerous HTML markup or JavaScript is stripped, so it never makes its way to the database.
With that said, it is recommended that admins use their administrator accounts for administrative purposes only. An admin should create a secondary Editor account for themselves for posting content. Using the Editor account adds a layer of security when posting content to the website.
Whether malicious code is added to a page or post deliberately, unintentionally, or unknowingly, the HTML filter applied to the Editor, Author and Contributor roles guards against these occurrences.
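As an added example that is not part of the original post, the following must-use plugin enforces the recommendation above in code: it denies unfiltered_html to every account that does not hold the administrator role, so a compromised Editor account cannot inject script even on a single-site install (where WordPress core's default role definitions grant unfiltered_html to Editors as well; on multisite core already reserves it for super admins). The file path and the function name are assumptions.

```php
<?php
/**
 * Plugin Name: Limit unfiltered_html to administrators (hypothetical mu-plugin)
 *
 * Assumed location: wp-content/mu-plugins/limit-unfiltered-html.php
 * Must-use plugins load on every request and cannot be deactivated from wp-admin.
 *
 * Alternative, stricter option: set in wp-config.php
 *   define( 'DISALLOW_UNFILTERED_HTML', true );
 * which makes core deny unfiltered_html to everyone, administrators included.
 */

add_filter( 'map_meta_cap', 'limit_unfiltered_html_to_admins', 10, 4 );

/**
 * Runs every time WordPress resolves a capability check.
 * Returning array( 'do_not_allow' ) makes current_user_can( 'unfiltered_html' )
 * return false, so wp_kses filtering is applied to the user's content on save.
 */
function limit_unfiltered_html_to_admins( $caps, $cap, $user_id, $args ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps; // not our capability, leave core's decision alone
    }

    $user = get_userdata( $user_id );

    // Deny unless the account explicitly holds the administrator role.
    if ( ! $user || ! in_array( 'administrator', (array) $user->roles, true ) ) {
        return array( 'do_not_allow' );
    }

    return $caps; // administrators keep core's normal behaviour
}
```

To confirm the effect, `wp cap list editor` (WP-CLI) shows the role's stored capabilities, and `wp user list --role=administrator` lists the admin accounts that the tips below say should be kept to a minimum.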
Safety Tips:
- Minimize the creation of admin user accounts.
- Admin users should use a secondary Editor account to publish new posts or updates.
- Keep passwords safe and confidential.
- Do not let the browser save log-in credentials.
- Uninstall any unused and potentially harmful browser extensions.
- Do not use unsecured public Wi-Fi access when logging into your website.
- Make sure workstations are running an updated anti-virus program with scheduled scans.
Further information:
- https://blog.sucuri.net/2014/10/threat-introduced-via-browser-extensions.html
- https://codex.wordpress.org/Roles_and_Capabilities