WordPress.org

Make WordPress Core

Opened 8 weeks ago

Last modified 3 weeks ago

#43856 new enhancement

Include submitter IP details in password reset emails?

Reported by: cefiar Owned by:
Milestone: 5.0 Priority: normal
Severity: minor Version:
Component: Privacy Keywords: gdpr needs-patch
Focuses: Cc:

Description

Could WP password reset emails include the IP of requester when someone asks for a password to be reset?

I've been seeing a lot of bots that seem to spam the password reset link (they find a username from a post, then hit the password reset link using that username), and this would make it easier to pick up and block that IP/range if it was in the reset email already, rather than having to dig through the webserver logs looking for which IP submitted the password reset request.

Note: From looking over wp-login.php this seems like it'd be fairly trivial to implement, but I wasn't sure what the best method for determining the clients IP address to use in the email template (no use creating a security hole or providing useless info), otherwise I might have included a patch.

FWIW: Google and various other sites usually report which IP either asked for the reset, or after a reset happened report that someone from that IP changed/reset the password, so basically I'm asking for similar sorts of detail from WP.

Change History (5)

#1 in reply to: ↑ description @iandunn
8 weeks ago

  • Keywords gdpr added

Replying to cefiar:

wasn't sure what the best method for determining the clients IP address to use in the email template (no use creating a security hole or providing useless info)

WP_Community_events::get_unsafe_client_ip() might be useful there.

Adding the gdpr keyword since this could be considered sharing "personal data" with an external system.

#2 @desrosj
5 weeks ago

  • Component changed from Login and Registration to Privacy

Moving to the new Privacy component.

This ticket was mentioned in Slack in #gdpr-compliance by desrosj. View the logs.


3 weeks ago

#4 @desrosj
3 weeks ago

  • Milestone changed from Awaiting Review to 5.0

#5 @allendav
3 weeks ago

I like it. If we do this, the patch should also add something like this to wordpress' wp_add_privacy_policy_content call:

“If you request a reset of your password, your IP address will be included in an email to the site administrator."

Note: See TracTickets for help on using tickets.