How to stop unauthorized WordPress subscriber accounts and prevent image uploads

A WordPress site that had been migrated to Freshy began showing unusual activity: a large number of unauthorized subscriber accounts (many using Gmail and Yahoo addresses) were appearing, and one of them had managed to upload an image. On review, Freshy’s support team found several weaknesses in the site’s configuration, including open user registration, an unused front-end upload field, and outdated plugin and theme files.

This guide outlines how our team identified the problem, secured the site, and implemented best practices to prevent unauthorized account creation and file uploads on WordPress sites.

Issue background

The affected WordPress site was found to have dozens of unauthorized “subscriber” accounts being created automatically. One of these users had also managed to upload an image. A stock Subscriber role cannot write to the media library, so the upload meant one of two things: either the Subscriber role had been granted capabilities it should not have, or an upload path existed outside the normal role check (for example a public form). Both possibilities were checked in the diagnosis below.

The site’s setup included the Avada theme and several popular plugins:

  • Custom Post Type UI
  • Directorist – Business Directory Plugin
  • FileBird Pro
  • GTranslate
  • Slider Revolution
  • The Events Calendar
  • Wicked Folders
  • WP Rocket

Several of these plugins were outdated, and the installed version of Avada Fusion Builder (3.11.14) contained a known vulnerability that could allow attackers to create accounts or inject data.

Diagnosis

Freshy developers conducted a detailed security audit to pinpoint the issue and its potential causes:

  1. User audit – Reviewed all accounts in /wp-admin/users.php to identify unauthorized subscribers and confirm the legitimacy of admin-level users.
  2. Role capabilities check – Created a test subscriber to verify that users with this role couldn’t upload media or perform actions beyond their permissions.
  3. Plugin and theme review – Scanned for outdated and vulnerable plugins and themes.
  4. Form inspection – Identified an unused Gravity Forms upload field that could allow file uploads from front-end users.
  5. Security settings review – Checked XML-RPC and registration settings for potential misuse or exposure.

Open registration explained how the accounts were being created; the outdated builder plugin and the unused upload field were the likeliest routes for the image upload and for further abuse. Together they gave an attacker several ways in, which is why all three had to be closed rather than just one.
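
Diagnosis steps 1 and 2 can be scripted so the same audit is repeatable after every cleanup. The script below is an added example written for this guide, not Freshy’s own tooling or WordPress core code. It assumes a loaded WordPress install and is run from the site root with WP-CLI (wp eval-file audit-subscribers.php); the 30-day look-back window is an assumption, adjust it to the period in which the accounts appeared.

```php
<?php
/**
 * Subscriber-flood audit (added example, not Freshy's code).
 * Run from the site root:  wp eval-file audit-subscribers.php
 * Assumes WordPress is loaded by WP-CLI; the 30-day window is an assumption.
 */

$since = gmdate( 'Y-m-d H:i:s', time() - 30 * DAY_IN_SECONDS );

// 1. Registration settings. "Anyone can register" is stored as users_can_register.
printf( "Anyone can register  : %s\n", get_option( 'users_can_register' ) ? 'ON' : 'off' );
printf( "New user default role: %s\n", get_option( 'default_role' ) );

// 2. Which roles hold upload_files? Subscriber and Contributor should not appear here.
foreach ( wp_roles()->roles as $slug => $role ) {
    if ( ! empty( $role['capabilities']['upload_files'] ) ) {
        printf( "upload_files granted to role: %s\n", $slug );
    }
}

// 3. Media-library items per author, in one query. Attachments use post_status 'inherit',
//    so count_user_posts() (which counts 'publish'/'private') would report 0 here.
global $wpdb;
$media_by_author = $wpdb->get_results(
    "SELECT post_author, COUNT(*) AS n FROM {$wpdb->posts}
      WHERE post_type = 'attachment' GROUP BY post_author",
    OBJECT_K // keyed by post_author
);

// 4. Subscribers registered inside the window, newest first.
$query = new WP_User_Query( array(
    'role'       => 'subscriber',
    'date_query' => array( array( 'after' => $since ) ),
    'orderby'    => 'registered',
    'order'      => 'DESC',
    'number'     => -1,
) );

$by_domain = array();
foreach ( $query->get_results() as $user ) {
    $domain               = strtolower( substr( strrchr( $user->user_email, '@' ), 1 ) );
    $by_domain[ $domain ] = ( $by_domain[ $domain ] ?? 0 ) + 1;

    // A subscriber that owns media could write to the media library: investigate that account.
    $owned = isset( $media_by_author[ $user->ID ] ) ? (int) $media_by_author[ $user->ID ]->n : 0;
    $flag  = $owned > 0 ? "  <-- owns {$owned} media item(s)" : '';
    printf( "%-6d %-25s %-20s %s%s\n",
        $user->ID, $user->user_login, $domain, $user->user_registered, $flag );
}

// 5. Tally by e-mail domain; a spike at a few free-mail providers matches bulk signup.
arsort( $by_domain );
printf( "\n%d subscribers registered since %s\n", count( $query->get_results() ), $since );
foreach ( $by_domain as $domain => $count ) {
    printf( "  %-20s %d\n", $domain, $count );
}
```

One caveat when reading the output: files submitted through a Gravity Forms upload field are written under wp-content/uploads/gravity_forms/ and are not media-library attachments, so an upload that came in through a form will not show up in the per-author count above. That is exactly why diagnosis step 4 (form inspection) is needed alongside the user and role audit.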

Resolution steps

To secure the site, the Freshy team implemented the following measures:

  1. Disabled user registration
    In Settings > General, unchecked “Anyone can register.” This disables WordPress core registration (the wp-login.php?action=register form) and stopped the automatic account creation. Two follow-up checks belong with this step: confirm that “New User Default Role” is still Subscriber, and review any plugin that ships its own front-end registration form (directory and membership plugins commonly do), because those forms are configured separately and are not all switched off by the core setting.
  2. Removed unauthorized users
    Deleted all unknown subscribers and verified the remaining users. Ensured that only approved team members held admin privileges.
  3. Restricted file uploads
    Confirmed that the upload_files capability was held only by roles that need it. Out of the box WordPress grants upload_files to Author, Editor and Administrator, and not to Subscriber or Contributor; a plugin or earlier customization can change this, so the role table has to be checked rather than assumed. Recommended using the User Role Editor plugin for clearer role management and permission control.
  4. Updated all plugins and themes
    Updated the Avada theme and all plugins to their latest versions. Verified that updates did not cause conflicts or errors on the staging environment before pushing them live.
  5. Secured file upload forms
    Limited the remaining Gravity Forms upload fields to an allow-list of extensions (.pdf and .doc) and set a maximum file size, and disabled unused forms that contained upload fields. An unused public upload field is an upload path that no role check protects, so removing it matters as much as restricting the ones that stay.
  6. Verified XML-RPC security
    Confirmed with the hosting provider (Pressable) that xmlrpc.php was protected by their Web Application Firewall (WAF), so the endpoint added no further exposure. A WAF filters known abuse patterns but leaves the endpoint reachable; if nothing on the site (the WordPress mobile app, Jetpack, or a remote publishing tool) actually uses XML-RPC, disabling it outright is the simpler control.
  7. Validated essential functionality
    Confirmed that the “Hospital Doctor Directory New” plugin, which powers the site’s provider listings, was legitimate and functioning as intended.
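
Steps 1, 3, 5 and 6 above are dashboard settings, and a later administrator, a plugin update, or a role-editor plugin can quietly undo them. The must-use plugin below pins the same controls in code so they survive such changes. It is an added example written for this guide, not Freshy’s or WordPress’s own code. It assumes the default role slugs, that the site only needs the listed upload types (adjust the allow-list to the site), and that no client needs XML-RPC. It restricts media-library uploads site-wide; it does not replace the per-field allow-list in Gravity Forms, which validates its own uploads.

```php
<?php
/**
 * Plugin Name: Site Hardening (registration, uploads, XML-RPC)
 * Description: Added example, not Freshy's or WordPress core code. Save as
 *              wp-content/mu-plugins/site-hardening.php; must-use plugins load
 *              automatically and cannot be deactivated from the dashboard.
 * Assumptions: default role slugs; the upload allow-list below fits the site;
 *              no client (mobile app, Jetpack, remote publishing) needs XML-RPC.
 */

// 1. Registration stays off even if "Anyone can register" is re-ticked later.
//    pre_option_* short-circuits get_option(); returning 0 forces the value.
add_filter( 'pre_option_users_can_register', '__return_zero' );
add_filter( 'pre_option_default_role', function () {
    return 'subscriber'; // never let a new account default to a higher role
} );

// 2. Strip upload_files from roles that must never write to the media library.
//    WP_Role::remove_cap() persists to the wp_user_roles option, so only write
//    when the capability is actually present.
add_action( 'init', function () {
    foreach ( array( 'subscriber', 'contributor' ) as $slug ) {
        $role = get_role( $slug );
        if ( $role && $role->has_cap( 'upload_files' ) ) {
            $role->remove_cap( 'upload_files' );
        }
    }
} );

// 3. Allow-list upload types site-wide. Anything not listed (SVG, HTML, zip, ...)
//    is rejected by wp_check_filetype_and_ext() before it reaches the uploads dir.
//    Keys are WordPress's own extension groups from wp_get_mime_types().
add_filter( 'upload_mimes', function ( $mimes ) {
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
        'pdf'          => 'application/pdf',
        'doc'          => 'application/msword',
        'docx'         => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    );
    return array_intersect_key( $mimes, $allowed );
}, 99 );

// 4. Disable XML-RPC. xmlrpc_enabled blocks every method that requires a login;
//    pingback.ping needs no login, so unhook it separately as well.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
// Stop advertising the endpoint (X-Pingback header and the RSD <link> in <head>).
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After dropping the file in place, re-run the role check from the diagnosis section (or open Settings > General and Media) and confirm that “Anyone can register” reads as off regardless of what the checkbox stores, that Subscriber no longer lists upload_files, and that a POST to /xmlrpc.php returns the “XML-RPC services are disabled on this site” fault for any login-based method.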

Final outcome

  • All unauthorized user accounts were removed.
  • Plugins and themes were fully updated and secured.
  • File uploads and registration settings were properly restricted.
  • The site continues to operate securely under managed maintenance and hosting.

Keep your WordPress site secure

Unauthorized account creation often stems from outdated software, open registration settings, or misconfigured permissions. Regular updates, role audits, and form reviews are key to preventing exploits and maintaining site security.

If you’d like to review your WordPress user permissions or ensure your site is properly secured, contact Freshy for a comprehensive WordPress security audit.