Changeset 41164


Timestamp:
07/27/17 02:23:26 (6 months ago)
Author:
johnbillion
Message:

Options, Meta APIs: Send a notification to the old admin email address when the site admin email or network admin email address is changed.

This reduces the chances of a site compromise going unnoticed, in the same way that the equivalent notifications for user account email address changes reduce the chances of a user account compromise going unnoticed.

Props MatheusGimenez, johnbillion

Fixes #39117

Location:
trunk/src
Files:
4 edited

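--- a/trunk/src/wp-admin/includes/admin-filters.php
+++ b/trunk/src/wp-admin/includes/admin-filters.php
@@ -55,4 +55,5 @@
 add_action( 'update_option_siteurl',       'update_home_siteurl', 10, 2 );
 add_action( 'update_option_page_on_front', 'update_home_siteurl', 10, 2 );
+add_action( 'update_option_admin_email',   'wp_site_admin_email_change_notification', 10, 3 );
 
 add_filter( 'heartbeat_received', 'wp_check_locked_posts',  10,  3 );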
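Review bot: The new `update_option_admin_email` hook is registered in `wp-admin/includes/admin-filters.php`, which by its path looks like it is loaded only for admin requests; if so, an `admin_email` change made on any other code path (front-end request, REST, cron, CLI) would not notify the old address. The commit message frames this notice as a compromise-detection signal, so that coverage gap is worth confirming and, if real, closing by registering the hook in a file that is always loaded (presumably `wp-includes/default-filters.php`). The same applies to the `update_site_option_admin_email` hook added in `ms-admin-filters.php`. At minimum, a comment such as `// Only hooked in admin context; option changes made elsewhere send no notice.` would make the limitation visible.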
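--- a/trunk/src/wp-admin/includes/ms-admin-filters.php
+++ b/trunk/src/wp-admin/includes/ms-admin-filters.php
@@ -23,4 +23,7 @@
 add_action( 'wpmueditblogaction', 'upload_space_setting' );
 
+// Network hooks
+add_action( 'update_site_option_admin_email', 'wp_network_admin_email_change_notification', 10, 4 );
+
 // Taxonomy Hooks
 add_filter( 'get_term', 'sync_category_tag_slugs', 10, 2 );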
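--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -5650,2 +5650,84 @@
     return $last_changed;
 }
+
+/**
+ * Send an email to the old site admin email address when the site admin email address changes.
+ *
+ * @since 4.9.0
+ *
+ * @param string $old_email   The old site admin email address.
+ * @param string $new_email   The new site admin email address.
+ * @param string $option_name The relevant database option name.
+ */
+function wp_site_admin_email_change_notification( $old_email, $new_email, $option_name ) {
+    /**
+     * Filters whether to send the site admin email change notification email.
+     *
+     * @since 4.9.0
+     *
+     * @param bool   $send      Whether to send the email notification.
+     * @param string $old_email The old site admin email address.
+     * @param string $new_email The new site admin email address.
+     */
+    $send = apply_filters( 'send_site_admin_email_change_email', true, $old_email, $new_email );
+
+    if ( ! $send ) {
+        return;
+    }
+
+    /* translators: Do not translate OLD_EMAIL, NEW_EMAIL, SITENAME, SITEURL: those are placeholders. */
+    $email_change_text = __( 'Hi,
+
+This notice confirms that the admin email address was changed on ###SITENAME###.
+
+The new admin email address is ###NEW_EMAIL###.
+
+This email has been sent to ###OLD_EMAIL###
+
+Regards,
+All at ###SITENAME###
+###SITEURL###' );
+
+    $email_change_email = array(
+        'to'      => $old_email,
+        /* translators: Site admin email change notification email subject. %s: Site title */
+        'subject' => __( '[%s] Notice of Admin Email Change' ),
+        'message' => $email_change_text,
+        'headers' => '',
+    );
+    // get site name
+    $site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
+
+    /**
+     * Filters the contents of the email notification sent when the site admin email address is changed.
+     *
+     * @since 4.9.0
+     *
+     * @param array $email_change_email {
+     *            Used to build wp_mail().
+     *
+     *            @type string $to      The intended recipient.
+     *            @type string $subject The subject of the email.
+     *            @type string $message The content of the email.
+     *                The following strings have a special meaning and will get replaced dynamically:
+     *                - ###OLD_EMAIL### The old site admin email address.
+     *                - ###NEW_EMAIL### The new site admin email address.
+     *                - ###SITENAME###  The name of the site.
+     *                - ###SITEURL###   The URL to the site.
+     *            @type string $headers Headers.
+     *        }
+     * @param string $old_email The old site admin email address.
+     * @param string $new_email The new site admin email address.
+     */
+    $email_change_email = apply_filters( 'site_admin_email_change_email', $email_change_email, $old_email, $new_email );
+
+    $email_change_email['message'] = str_replace( '###OLD_EMAIL###', $old_email, $email_change_email['message'] );
+    $email_change_email['message'] = str_replace( '###NEW_EMAIL###', $new_email, $email_change_email['message'] );
+    $email_change_email['message'] = str_replace( '###SITENAME###',  $site_name, $email_change_email['message'] );
+    $email_change_email['message'] = str_replace( '###SITEURL###',   home_url(), $email_change_email['message'] );
+
+    wp_mail( $email_change_email['to'], sprintf(
+        $email_change_email['subject'],
+        $blog_name
+    ), $email_change_email['message'], $email_change_email['headers'] );
+}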
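Review bot: The `wp_mail()` call at the end of `wp_site_admin_email_change_notification()` passes `$blog_name` to `sprintf()`, but no such variable is defined in the function; the site title was stored in `$site_name` a few lines earlier. As written, the subject would render as `[] Notice of Admin Email Change` and PHP would raise an undefined-variable notice. Change the argument to `$site_name`. It would also help to check the return value of `wp_mail()`, since a silently failed send defeats the purpose of a security notice.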
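--- a/trunk/src/wp-includes/ms-functions.php
+++ b/trunk/src/wp-includes/ms-functions.php
@@ -2558,2 +2558,87 @@
     return apply_filters( 'subdirectory_reserved_names', $names );
 }
+
+/**
+ * Send an email to the old network admin email address when the network admin email address changes.
+ *
+ * @since 4.9.0
+ *
+ * @param string $option_name The relevant database option name.
+ * @param string $new_email   The new network admin email address.
+ * @param string $old_email   The old network admin email address.
+ * @param int    $network_id  ID of the network.
+ */
+function wp_network_admin_email_change_notification( $option_name, $new_email, $old_email, $network_id ) {
+    /**
+     * Filters whether to send the network admin email change notification email.
+     *
+     * @since 4.9.0
+     *
+     * @param bool   $send       Whether to send the email notification.
+     * @param string $old_email  The old network admin email address.
+     * @param string $new_email  The new network admin email address.
+     * @param int    $network_id ID of the network.
+     */
+    $send = apply_filters( 'send_network_admin_email_change_email', true, $old_email, $new_email, $network_id );
+
+    if ( ! $send ) {
+        return;
+    }
+
+    /* translators: Do not translate OLD_EMAIL, NEW_EMAIL, SITENAME, SITEURL: those are placeholders. */
+    $email_change_text = __( 'Hi,
+
+This notice confirms that the network admin email address was changed on ###SITENAME###.
+
+The new network admin email address is ###NEW_EMAIL###.
+
+This email has been sent to ###OLD_EMAIL###
+
+Regards,
+All at ###SITENAME###
+###SITEURL###' );
+
+    $email_change_email = array(
+        'to'      => $old_email,
+        /* translators: Network admin email change notification email subject. %s: Network title */
+        'subject' => __( '[%s] Notice of Network Admin Email Change' ),
+        'message' => $email_change_text,
+        'headers' => '',
+    );
+    // get network name
+    $network_name = wp_specialchars_decode( get_site_option( 'site_name' ), ENT_QUOTES );
+
+    /**
+     * Filters the contents of the email notification sent when the network admin email address is changed.
+     *
+     * @since 4.9.0
+     *
+     * @param array $email_change_email {
+     *            Used to build wp_mail().
+     *
+     *            @type string $to      The intended recipient.
+     *            @type string $subject The subject of the email.
+     *            @type string $message The content of the email.
+     *                The following strings have a special meaning and will get replaced dynamically:
+     *                - ###OLD_EMAIL### The old network admin email address.
+     *                - ###NEW_EMAIL### The new network admin email address.
+     *                - ###SITENAME###  The name of the network.
+     *                - ###SITEURL###   The URL to the site.
+     *            @type string $headers Headers.
+     *        }
+     * @param string $old_email  The old network admin email address.
+     * @param string $new_email  The new network admin email address.
+     * @param int    $network_id ID of the network.
+     */
+    $email_change_email = apply_filters( 'network_admin_email_change_email', $email_change_email, $old_email, $new_email, $network_id );
+
+    $email_change_email['message'] = str_replace( '###OLD_EMAIL###', $old_email,    $email_change_email['message'] );
+    $email_change_email['message'] = str_replace( '###NEW_EMAIL###', $new_email,    $email_change_email['message'] );
+    $email_change_email['message'] = str_replace( '###SITENAME###',  $network_name, $email_change_email['message'] );
+    $email_change_email['message'] = str_replace( '###SITEURL###',   home_url(),    $email_change_email['message'] );
+
+    wp_mail( $email_change_email['to'], sprintf(
+        $email_change_email['subject'],
+        $network_name
+    ), $email_change_email['message'], $email_change_email['headers'] );
+}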
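Review bot: `wp_network_admin_email_change_notification()` receives `$network_id` but builds the message from the current context: `get_site_option( 'site_name' )` and `home_url()` both ignore it. On an install with more than one network, a change to another network's `admin_email` would presumably be reported under the wrong name and URL, which weakens the notice as an audit signal. Consider `$network_name = wp_specialchars_decode( get_network_option( $network_id, 'site_name' ), ENT_QUOTES );` and a network-scoped URL for `###SITEURL###`. The docblock line `###SITEURL###   The URL to the site.` should then say which URL is meant.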