WordPress.org

Make WordPress Core

Opened 12 months ago

Last modified 3 months ago

#43856 assigned enhancement

Include submitter IP details in password reset emails?

Reported by: cefiar Owned by: garrett-eclipse
Milestone: Future Release Priority: normal
Severity: minor Version: 4.9.6
Component: Privacy Keywords: has-patch 2nd-opinion ux-feedback needs-refresh
Focuses: Cc:

Description

Could WP password reset emails include the IP of requester when someone asks for a password to be reset?

I've been seeing a lot of bots that seem to spam the password reset link (they find a username from a post, then hit the password reset link using that username), and this would make it easier to pick up and block that IP/range if it was in the reset email already, rather than having to dig through the webserver logs looking for which IP submitted the password reset request.

Note: From looking over wp-login.php this seems like it'd be fairly trivial to implement, but I wasn't sure what the best method for determining the clients IP address to use in the email template (no use creating a security hole or providing useless info), otherwise I might have included a patch.

FWIW: Google and various other sites usually report which IP either asked for the reset, or after a reset happened report that someone from that IP changed/reset the password, so basically I'm asking for similar sorts of detail from WP.

Attachments (1)

43856.diff (3.2 KB) - added by isharis 8 months ago.

Download all attachments as: .zip

Change History (14)

#1 in reply to: ↑ description @iandunn
12 months ago

  • Keywords gdpr added

Replying to cefiar:

wasn't sure what the best method for determining the clients IP address to use in the email template (no use creating a security hole or providing useless info)

WP_Community_events::get_unsafe_client_ip() might be useful there.

Adding the gdpr keyword since this could be considered sharing "personal data" with an external system.

#2 @desrosj
11 months ago

  • Component changed from Login and Registration to Privacy

Moving to the new Privacy component.

This ticket was mentioned in Slack in #gdpr-compliance by desrosj. View the logs.


11 months ago

#4 @desrosj
11 months ago

  • Milestone changed from Awaiting Review to 5.0

#5 @allendav
11 months ago

I like it. If we do this, the patch should also add something like this to wordpress' wp_add_privacy_policy_content call:

“If you request a reset of your password, your IP address will be included in an email to the site administrator."

#6 @desrosj
10 months ago

  • Keywords gdpr removed

Removing the GDPR keyword. This has been replaced by the new Privacy component and privacy focuses in Trac.

@isharis
8 months ago

#7 @isharis
8 months ago

  • Keywords has-patch 2nd-opinion ux-feedback added; needs-patch removed

Hello,

This is my first patch and I'd like to be involved in coming up with a solution to make it through the core. I think that the simple solution of adding IP of the form submitted in the email is one solution but what I think should happen is this:

Like twitter, password reset emails should include the device and location. This is enough information for a user.

For the admin, do admins need to get a password reset email for each user? In the case where a site admin is not getting attacked by bots, this can be annoying.

#8 @pento
6 months ago

  • Milestone changed from 5.0 to 5.1

#9 @desrosj
3 months ago

  • Milestone changed from 5.1 to 5.2

At first glance, 43856.diff needs the since annotation updated for wp_get_unsafe_client_ip() and the IP address: %s string is missing a `/* translators: */ comment.

@isharis, are you able to address that and refresh the patch?

#10 @garrett-eclipse
3 months ago

  • Keywords needs-refresh added

Applying needs-refresh due to @desrosj feedback.

This ticket was mentioned in Slack in #core-privacy by desrosj. View the logs.


3 months ago

#12 @desrosj
3 months ago

  • Owner set to garrett-eclipse
  • Status changed from new to assigned

#13 @garrett-eclipse
3 months ago

  • Milestone changed from 5.2 to Future Release
  • Version set to 4.9.6

Moving this off the milestone until I've had a chance to test and refresh

Note: See TracTickets for help on using tickets.