Opened 8 years ago
Last modified 8 years ago
#40081 new defect (bug)
Remove wp-admin links from all Core emails
Reported by: | iandunn | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | | Keywords: | |
Focuses: | administration | Cc: | |
Description
SpamAssassin has an undocumented rule called URI_WPADMIN, which is triggered when it sees a wp-admin URL in a message. If the rule is triggered, the message's spam score is bumped by 2.6 points (by default), which gets the message 50% of the way to being flagged as spam. This can be reproduced easily with Postmark's spam-checker API.
SpamAssassin also has a PHP_ORIG_SCRIPT rule that is assigned to all messages that are sent with the default PHP mail() agent. It has a score of 1.5, which brings the vast majority of Core emails sent by WordPress installations up to a score of 4.1, which is 80% of the way to being flagged. That's not counting any other rules that may be triggered based on message content, server configuration, etc.
From a UX perspective, it's very helpful to include links in messages that take the user directly to any actions that we can reasonably assume they'll want to perform on a message. However, from a security perspective, I think the best practice is to not include those links, because doing so trains users to expect and trust them, which makes them vulnerable to phishing attacks.
So, I think we should consider removing all links to wp-admin, and replace them with a message asking users to log in to their site instead. We can give them navigation breadcrumbs like: "To disable these notifications, log in to WordPress at example.org and navigate to: My Sites > Network Admin > Settings."
Related #39709
Change History (3)
#2 in reply to: ↑ 1, 8 years ago
Replying to SergeyBiryukov:
So, I think we should consider removing all links to wp-admin, and replace them with a message asking users to log in to their site instead.
I don't think that would work for comment moderation links. They could probably be replaced with non-admin links.
The full regexp for URI_WPADMIN is ,/wp-admin/\w+/,i so it shouldn't match /wp-admin/comment.php?action=approve…
#3, 8 years ago
The full regexp for URI_WPADMIN is ,/wp-admin/\w+/,i so it shouldn't match /wp-admin/comment.php?action=approve…
Ah, that's a great catch. It doesn't look like that regex will match example.org/wp-admin/ either, only URLs with a subdirectory, like example.org/wp-admin/network/settings.php. That's odd that they'd only try to catch network-admin emails, but :shrug:
So, maybe the scope of this ticket should narrow to only remove network-admin URLs? I still think it's a bad practice to include any admin URLs, though, because it trains users to follow the insecure practice of clicking links in emails. What does everyone else think?
I don't think that would work for comment moderation links. They could probably be replaced with non-admin links.
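A worked example of the two points argued in this ticket, added here as illustration rather than taken from the ticket, WordPress Core, or SpamAssassin itself: the URI_WPADMIN body quoted in comment #2 (`/wp-admin/\w+/`, case-insensitive) is run over a handful of constructed URLs to show which admin links it does and does not catch, the two default scores from the description are summed against SpamAssassin's stock threshold (assumed to be the default `required_score` of 5.0, which is what makes 2.6 "about 50%" and 4.1 "about 80%"), and the proposed mitigation of replacing deep admin links with a "log in at <host>" instruction is applied to a sample notification. Function names, the sample URLs and the sample email body are all constructed for this example.

```python
import re

# Rule body quoted in comment #2: ,/wp-admin/\w+/,i  ->  /wp-admin/\w+/ with the
# case-insensitive flag. It requires at least one word character AND a trailing
# slash after "wp-admin/", so only a wp-admin *subdirectory* URL matches.
URI_WPADMIN = re.compile(r"/wp-admin/\w+/", re.IGNORECASE)

# Default rule scores as stated in the ticket description.
RULE_SCORES = {"URI_WPADMIN": 2.6, "PHP_ORIG_SCRIPT": 1.5}

# Assumption: stock SpamAssassin threshold (required_score 5.0).
REQUIRED_SCORE = 5.0

# Constructed sample URLs, not taken from any real site or email.
SAMPLE_URLS = [
    "https://example.org/wp-admin/",
    "https://example.org/wp-admin/comment.php?action=approve&c=1",
    "https://example.org/wp-admin/network/settings.php",
    "https://example.org/WP-ADMIN/Network/Settings.php",
    "https://example.org/wp-login.php",
]


def matches_uri_wpadmin(text: str) -> bool:
    """True if the text contains a wp-admin subdirectory URL, per the quoted rule body."""
    return URI_WPADMIN.search(text) is not None


def rules_hit(body: str, sent_via_php_mail: bool) -> list:
    """Return which of the two ticket rules a message would trigger.

    PHP_ORIG_SCRIPT is modelled as a flag because it depends on the sending
    agent (PHP mail()), not on the message body.
    """
    hits = []
    if matches_uri_wpadmin(body):
        hits.append("URI_WPADMIN")
    if sent_via_php_mail:
        hits.append("PHP_ORIG_SCRIPT")
    return hits


def spam_score(body: str, sent_via_php_mail: bool) -> float:
    """Sum the default scores of the rules hit (only the two rules from the ticket)."""
    return round(sum(RULE_SCORES[rule] for rule in rules_hit(body, sent_via_php_mail)), 2)


def fraction_of_threshold(score: float) -> float:
    """How far a score is towards required_score (1.0 means flagged as spam)."""
    return round(score / REQUIRED_SCORE, 2)


# Any absolute wp-admin URL; the host is captured so the replacement can name it.
ADMIN_URL = re.compile(r"https?://([^/\s]+)/wp-admin/[^\s<>\"']*", re.IGNORECASE)


def replace_admin_links(body: str) -> str:
    """The mitigation proposed in the ticket: drop the deep link, keep only the host.

    The generic wording is a placeholder; a real email would spell out the
    navigation path for the specific screen (e.g. My Sites > Network Admin > Settings).
    """
    return ADMIN_URL.sub(
        lambda m: f"log in to WordPress at {m.group(1)} and navigate to the relevant admin screen",
        body,
    )


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{'HIT ' if matches_uri_wpadmin(url) else 'miss'}  {url}")
    # Constructed body resembling a network-admin notification.
    body = "To disable these notifications: https://example.org/wp-admin/network/settings.php"
    score = spam_score(body, sent_via_php_mail=True)
    print(f"score {score} = {fraction_of_threshold(score):.0%} of the threshold")
    safe = replace_admin_links(body)
    print(safe, "->", spam_score(safe, sent_via_php_mail=True))
```

Running the block shows the point made in comments #2 and #3: a plain example.org/wp-admin/ link and a comment-moderation link are both misses under the quoted rule, while any network-admin (or other subdirectory) link is a hit, and with PHP_ORIG_SCRIPT also firing the message sits at 4.1 of 5.0 before any content-based rules are counted. After the link is replaced with a host-only instruction the URI_WPADMIN contribution disappears.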