WordPress.org
Get WordPress

Make WordPress Core

Opened 11 years ago

Last modified 2 weeks ago

#31830 reopened defect (bug)

Hard coded wp-login.php url in string

Reported by: lenasterg's profile lenasterg Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 3.0
Component: Login and Registration Keywords: has-patch
Focuses: multisite Cc:

Description (last modified by sabernhardt)

Hi.
I noticed that in
wp-includes/ms-functions.php (wpmu_welcome_notification)
the login url is hardcoded (wp-login.php) into the string.
This will create a problem if a multisite developer has chosen to change the login page url (for security reasons).

Thanks in advance
Lena

Change History (6)

#1 @jeremyfelt
11 years ago

  • Component changed from Users to Login and Registration
  • Version changed from trunk to 3.0

Hi lenasterg, thanks for opening a ticket!

It would be nice to change the reliance on wp-login.php as part of the URL. Right now the answer is to use a filter for the entire email through update_welcome_email.

Considering the version of the welcome email stored in the database has existed with BLOG_URLwp-login.php as part of it since pre-3.0, we would need to be careful making any changes. Even if with schema update, two versions of the email would need to be supported in order to maintain backward compatibility. It would be interesting to see a possible solution to this.

Introduced in [12603]

#2 @sabernhardt
5 years ago

  • Description modified (diff)
  • Keywords needs-patch added
  • Milestone set to Future Release

#3 @rajinsharwar
3 years ago

  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hey @lenasterg, thanks for your ticket! Let's track the issue on #56224, as that will, of course, cover the instance you mentioned. Marking this as a Duplicate of that ticket, so that we can fix the issue in the full core, rather than a single file one by one.

#4 @sabernhardt
3 years ago

  • Milestone set to Future Release
  • Resolution duplicate deleted
  • Status changed from closed to reopened

This change is quite different from other hardcoded wp-login.php instances, so it should be better to make a separate patch and test it on its own.

This ticket was mentioned in PR #11928 on WordPress/wordpress-develop by @shreya0shrivastava.
2 weeks ago #5

  • Keywords has-patch added; needs-patch removed

Fixes the hardcoded 'wp-login.php' URL in 'wpmu_welcome_notification()' in 'wp-includes/ms-functions.php'.
Previously the welcome email template used 'BLOG_URLwp-login.php' as a placeholder which was replaced via 'str_replace', resulting in a hardcoded login URL that ignored any 'login_url' filter. This breaks multisite installations that use a custom login page URL.

Trac ticket: https://core.trac.wordpress.org/ticket/31830

## Use of AI Tools

AI assistance: Yes
Tool(s): Claude
Model(s): Opus 4.6
Used for: Initial code skeleton; final implementation was reviewed and edited by me.

#6 @shreya0shrivastava
2 weeks ago

Patch submitted for this. The fix replaces the hardcoded BLOG_URLwp-login.php placeholder in wpmu_welcome_notification() with LOGINLINK, consistent with how wpmu_welcome_user_notification() already handles the login URL. The replacement now uses wp_login_url() so any login_url filter is respected.

Note: See TracTickets for help on using tickets.