Opened 16 months ago

Last modified 16 months ago

#40081 new defect (bug)

Remove wp-admin links from all Core emails

Reported by: iandunn
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Mail
Keywords:
Focuses: administration
Cc:

Description

SpamAssassin has an undocumented rule called URI_WPADMIN, which is triggered when it sees a wp-admin URL in a message. If the rule is triggered, the message's spam score is bumped by 2.6 points (by default), which gets the message 50% of the way to being flagged as spam. This can be reproduced easily with Postmark's spam-checker API.

SpamAssassin also has a PHP_ORIG_SCRIPT rule that is assigned to all messages that are sent with the default PHP mail() agent. It has a score of 1.5, which brings the vast majority of Core emails sent by WordPress installations up to a score of 4.1, which is 80% of the way to being flagged. That's not counting any other rules that may be triggered based on message content, server configuration, etc.

From a UX perspective, it's very helpful to include links in messages that take the user directly to any actions that we can reasonably assume they'll want to perform on a message. However, from a security perspective, I think the best practice is to not include those links, because doing so trains users to expect and trust them, which makes them vulnerable to phishing attacks.

So, I think we should consider removing all links to wp-admin, and replace them with a message asking users to log in to their site instead. We can give them navigation breadcrumbs like, "To disable these notifications, log in to WordPress at example.org and navigate to: My Sites > Network Admin > Settings."

Related #39709

Change History (3)

#1 follow-up: @SergeyBiryukov
16 months ago

> So, I think we should consider removing all links to wp-admin, and replace them with a message asking users to log in to their site instead.

I don't think that would work for comment moderation links. They could probably be replaced with non-admin links.

#2 in reply to: ↑ 1 @skithund
16 months ago

Replying to SergeyBiryukov:

> > So, I think we should consider removing all links to wp-admin, and replace them with a message asking users to log in to their site instead.
>
> I don't think that would work for comment moderation links. They could probably be replaced with non-admin links.

The full regexp for URI_WPADMIN is ,/wp-admin/\w+/,i so it shouldn't match /wp-admin/comment.php?action=approve…

#3 @iandunn
16 months ago

> The full regexp for URI_WPADMIN is ,/wp-admin/\w+/,i so it shouldn't match /wp-admin/comment.php?action=approve…

Ah, that's a great catch. It doesn't look like that regex will match example.org/wp-admin/ either, only URLs with a subdirectory, like example.org/wp-admin/network/settings.php. That's odd that they'd only try to catch network-admin emails, but :shrug:

So, maybe the scope of this ticket should narrow to only remove network-admin URLs? I still think it's a bad practice to include any admin URLs, though, because it trains users to follow the insecure practice of clicking links in emails. What does everyone else think?
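The matching behaviour discussed in comments #2 and #3, as an added example that is not part of the ticket and is not WordPress or SpamAssassin code: it pulls the URLs out of a constructed notification body, applies the pattern quoted in comment #2, and totals the scores given in the description. The function names, the sample body, the 5.0 threshold (SpamAssassin's default required_score) and the flag standing in for the PHP_ORIG_SCRIPT header check are assumptions.

```python
import re

# Pattern as quoted in comment #2; re.IGNORECASE stands in for the trailing "i".
URI_WPADMIN = re.compile(r"/wp-admin/\w+/", re.IGNORECASE)

# Default scores as stated in the ticket description.
SCORES = {"URI_WPADMIN": 2.6, "PHP_ORIG_SCRIPT": 1.5}

# Assumption: SpamAssassin's default required_score.
SPAM_THRESHOLD = 5.0

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample body using the three URL shapes mentioned in the thread.
SAMPLE_BODY = """\
A new comment is waiting for your approval.
Approve it: https://example.org/wp-admin/comment.php?action=approve
Dashboard: https://example.org/wp-admin/
Notification settings: https://example.org/wp-admin/network/settings.php
"""


def extract_urls(body):
    """Return http(s) URLs found in a plain-text body, minus trailing punctuation."""
    return [u.rstrip(".,;:)!?") for u in URL_RE.findall(body)]


def audit_message(body, sent_via_php_mail=True):
    """Report which URLs trigger URI_WPADMIN and the resulting score.

    sent_via_php_mail is a hypothetical flag modelling PHP_ORIG_SCRIPT, which
    the description says is assigned to mail sent with the default mail() agent.
    """
    flagged = [u for u in extract_urls(body) if URI_WPADMIN.search(u)]
    rules = []
    if flagged:
        rules.append("URI_WPADMIN")
    if sent_via_php_mail:
        rules.append("PHP_ORIG_SCRIPT")
    score = round(sum(SCORES[r] for r in rules), 1)
    return {
        "flagged_urls": flagged,
        "rules": rules,
        "score": score,
        "share_of_threshold": round(score / SPAM_THRESHOLD, 2),
    }


if __name__ == "__main__":
    print(audit_message(SAMPLE_BODY))
```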
