Password Reset email returns invalid account address

[raamdev]

The retrieve_password() function in wp-login.php calls network_site_url() (see source:/trunk/wp-login.php#L211), which on a non-multisite network calls site_url(), which then returns the 'WordPress Address'.

However, that doesn't make sense when the 'WordPress Address' and 'Site Address' are different.

People receiving Password Reset emails shouldn't be seeing the 'WordPress Address', they should be seing 'Site Address'. When these fields are different, the 'WordPress Address' URL doesn't even point anywhere useful to the user.

FYI, I do have FORCE_SSL_ADMIN enabled. My 'WordPress Address' is set to ​https://raamdev.com/wordpress while my 'Site Address' is set to ​http://raamdev.com. Password reset emails contain the former address.

[dd32]

Replacing the usage of network_site_url() with trailingslashit(network_home_url()) sounds correct here to me

Currently it returns http://dd32.id.au/wordpress where as I'd expect http://dd32.id.au/

We've always used the siteurl in this field however, for the last 7 years at least :)

[thee17]

Here is the patch with the change dd32 suggested.

[raamdev]

Replying to dd32:

Replacing the usage of network_site_url() with trailingslashit(network_home_url()) sounds correct here to me

Currently it returns http://dd32.id.au/wordpress where as I'd expect http://dd32.id.au/

We've always used the siteurl in this field however, for the last 7 years at least :)

Replacing network_site_url() with trailingslashit(network_home_url()) wouldn't correct the problem. That would simply return http://dd32.id.au/wordpress/ not http://dd32.id.au/ as you said you'd expect.

What doesn't make sense to me is why you'd ever want to show the WordPress Address to a user resetting their password. If WordPress Address and Site Address are different, the WordPress Address points nowhere useful to the user (only <WordPress Address>/wp-admin/ is useful, but a user probably shouldn't be pointed there either).

It seems like network_home_url() (if multisite) or home_url() (if non-multisite) would be the logical thing to use. Am I missing something?

[SergeyBiryukov]

Replying to raamdev:

It seems like network_home_url() (if multisite) or home_url() (if non-multisite) would be the logical thing to use. Am I missing something?

That's what dd32 suggested. network_home_url() returns home_url() if not Multisite.

[raamdev]

Replying to SergeyBiryukov:

That's what dd32 suggested. network_home_url() returns home_url() if not Multisite.

My mistake. I can't believe I didn't see that. :) Thanks!

[nacin]

In [19705]:

Use home URL, not siteurl, in the password reset email. fixes #19767.