Make WordPress Core

Opened 5 years ago

Last modified 3 months ago

#16470 reopened enhancement

Require confirmation on email change

Reported by: linuxologos Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 3.0
Component: Users Keywords: needs-patch 2nd-opinion
Focuses: Cc:


When a new user is registered for a site, the e-mail he provides gets easily confirmed. But immediately after that, the new member can visit his profile and is able to change his e-mail to anything. Regardless of whether it is done on purpose or the user enters a wrong e-mail by mistake, the admin cannot contact the member, should he has to for any reason. The e-mail address is of great importance in such cases and I don't think that's a rare need!

I've had the impression that WP was not offering this feature, but then I realised that the code lies in core, though restricted to multisite installations. I find it quite difficult to understand why.

There might seem to be a relation to #13717, but what I propose hereby is just giving the admin of a single-site installation the option to activate e-mail change confirmation.

I think the implementation would only require a few changes in wp-admin/user-edit.php, making send_confirmation_on_profile_email() available outside of wp-admin/includes/ms.php and adding an option in Settings.

Why would we have to hack the core or consider a plugin for something almost already offered in core? That's why I describe the ticket as "enhancement", not "feature request".

Change History (7)

#1 @linuxologos
5 years ago

  • Version set to 3.0

#2 @c3mdigital
2 years ago

  • Resolution set to invalid
  • Status changed from new to closed

This would be a great plugin. Don't think it's needed in core.

#3 @johnbillion
2 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

I know there's been no traction since this ticket was opened, but I think this would actually be a neat feature for single site installations.

Note that this functionality exists as described in the ticket when you're using Multisite. A change of either a user profile email address or the admin email address will trigger a confirmation email with a link which needs to be clicked in order to confirm the change.

I'll patch this up and then we can discuss.

#4 @chriscct7
3 months ago

  • Keywords needs-patch added

#5 @swissspidy
3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from reopened to closed

Duplicate of #32430.

Since WordPress 4.3 email notifications will be sent out in the event that an email or password is changed.

#6 @johnbillion
3 months ago

  • Keywords 2nd-opinion added
  • Milestone set to Awaiting Review
  • Resolution duplicate deleted
  • Status changed from closed to reopened

This isn't really a dupe of #32430. This ticket is concerned with the confirmation before changing the address, not the notification afterwards.

The confirmation request should also be sent when changing the site admin email, same as multisite.

One complication is sites that cannot send emails, which I presume is why this is limited to multisite currently (less likely to not have outgoing email working).

#7 @knutsp
3 months ago

Should we have a constant like WP_NO_EMAILS or an option, so that when not true, such suggested featured could be implemented?

Note: See TracTickets for help on using tickets.