I’ve created a “Second Administrator” role to avoid the worst-case scenario happening on my WordPress site when I have casual web development contractors. However, if I give them the ‘promote_users’ capability, can they promote a random user to an Admin and then circumvent the limitations in place?
2 Answers
Yes, if you assign ‘promote_users’ to another user, that user could promote non-site admins to site admin.
https://codex.wordpress.org/Roles_and_Capabilities#promote_users
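
One way to let a restricted role keep `promote_users` without being able to hand out or tamper with the administrator role, shown as an added example that is not part of the original answer. It assumes a single-site install where only the built-in `administrator` role counts as a full admin; the helper name `example_is_full_admin` is hypothetical.

```php
<?php
/**
 * Plugin Name: Protect Administrator Role (added example)
 */

// Assumption: a "full admin" is any account holding the built-in 'administrator' role.
// example_is_full_admin() is a hypothetical helper, not a WordPress function.
function example_is_full_admin( $user_id ) {
    $user = get_userdata( $user_id );
    return $user && in_array( 'administrator', (array) $user->roles, true );
}

// 1. Drop 'administrator' from the roles a non-admin may assign.
//    Core consults get_editable_roles() when a role is changed, so this
//    is enforced on submit, not only hidden in the dropdown.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! example_is_full_admin( get_current_user_id() ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// 2. Deny edit/promote/remove/delete on existing administrator accounts,
//    so a restricted role cannot change an admin's role or profile.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'promote_user', 'remove_user', 'delete_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }

    $target_id = (int) $args[0];
    if ( $target_id !== (int) $user_id
        && example_is_full_admin( $target_id )
        && ! example_is_full_admin( $user_id ) ) {
        // 'do_not_allow' is the capability core uses to force a denial.
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4 );
```

Placing the file in `wp-content/mu-plugins/` keeps it from being deactivated through the Plugins screen. The restriction only holds if the custom role also lacks capabilities that allow running arbitrary PHP, such as `edit_plugins`, `edit_themes` or `install_plugins`.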