Make WordPress Core

Opened 9 months ago

Last modified 19 hours ago

#43856 assigned enhancement

Include submitter IP details in password reset emails?

Reported by: cefiar
Owned by: garrett-eclipse
Milestone: 5.2
Priority: normal
Severity: minor
Version: (none)
Component: Privacy
Keywords: has-patch 2nd-opinion ux-feedback needs-refresh
Focuses: (none)
Cc: (none)

Description

Could WP password reset emails include the IP of requester when someone asks for a password to be reset?

I've been seeing a lot of bots that seem to spam the password reset link (they find a username from a post, then hit the password reset link using that username), and this would make it easier to pick up and block that IP/range if it was in the reset email already, rather than having to dig through the webserver logs looking for which IP submitted the password reset request.

Note: From looking over wp-login.php this seems like it'd be fairly trivial to implement, but I wasn't sure what the best method for determining the client's IP address to use in the email template (no use creating a security hole or providing useless info), otherwise I might have included a patch.

FWIW: Google and various other sites usually report which IP either asked for the reset, or after a reset happened report that someone from that IP changed/reset the password, so basically I'm asking for similar sorts of detail from WP.

Attachments (1)

43856.diff (3.2 KB) - added by isharis 5 months ago.


Change History (13)

#1 in reply to: ↑ description @iandunn
9 months ago

  • Keywords gdpr added

Replying to cefiar:

wasn't sure what the best method for determining the client's IP address to use in the email template (no use creating a security hole or providing useless info)

WP_Community_events::get_unsafe_client_ip() might be useful there.

Adding the gdpr keyword since this could be considered sharing "personal data" with an external system.

#2 @desrosj
8 months ago

  • Component changed from Login and Registration to Privacy

Moving to the new Privacy component.

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.
8 months ago

#4 @desrosj
8 months ago

  • Milestone changed from Awaiting Review to 5.0

#5 @allendav
8 months ago

I like it. If we do this, the patch should also add something like this to WordPress' wp_add_privacy_policy_content call:

"If you request a reset of your password, your IP address will be included in an email to the site administrator."

#6 @desrosj
7 months ago

  • Keywords gdpr removed

Removing the GDPR keyword. This has been replaced by the new Privacy component and privacy focuses in Trac.


#7 @isharis
5 months ago

  • Keywords has-patch 2nd-opinion ux-feedback added; needs-patch removed

Hello,

This is my first patch and I'd like to be involved in coming up with a solution to make it through the core. I think that the simple solution of adding IP of the form submitted in the email is one solution but what I think should happen is this:

Like Twitter, password reset emails should include the device and location. This is enough information for a user.

For the admin, do admins need to get a password reset email for each user? In the case where a site admin is not getting attacked by bots, this can be annoying.

#8 @pento
3 months ago

  • Milestone changed from 5.0 to 5.1

#9 @desrosj
2 weeks ago

  • Milestone changed from 5.1 to 5.2

At first glance, 43856.diff needs the since annotation updated for wp_get_unsafe_client_ip() and the `IP address: %s` string is missing a `/* translators: */` comment.

@isharis, are you able to address that and refresh the patch?
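The following is an added illustration of the approach discussed in comments #1, #5 and #9, written as a small standalone plugin; it is not the ticket's 43856.diff and not core code. It appends the requester's IP to the reset email through the existing `retrieve_password_message` filter, carries the `/* translators: */` comment comment #9 asks for, and registers the privacy-policy text from comment #5. The helper name `wp_get_unsafe_client_ip()` is the one the patch proposes and is assumed to exist only if that patch is applied; otherwise the example falls back to the core static method `WP_Community_Events::get_unsafe_client_ip()`, which is real and mentioned in comment #1. The plugin name and `rrip_` prefix are made up for this example.

```php
<?php
/**
 * Plugin Name: Reset Request IP (illustrative example, not 43856.diff)
 *
 * Appends the requesting client's IP address to the password reset email
 * and tells site owners to disclose that in their privacy policy.
 */

/**
 * Best-effort client IP.
 *
 * Prefers wp_get_unsafe_client_ip() (the function proposed in 43856.diff,
 * assumed to exist only when that patch is applied) and otherwise falls back
 * to the core WP_Community_Events::get_unsafe_client_ip() static method.
 *
 * Both are "unsafe" in the sense that proxy headers such as X-Forwarded-For
 * are client controlled, so treat the value as a hint for correlating with
 * webserver logs, not as proof of origin or as a sole basis for blocking.
 *
 * @return string|false IP address, or false if none could be determined.
 */
function rrip_get_client_ip() {
	if ( function_exists( 'wp_get_unsafe_client_ip' ) ) {
		return wp_get_unsafe_client_ip();
	}

	// The class lives under wp-admin and is not loaded on front-end requests.
	if ( ! class_exists( 'WP_Community_Events' ) ) {
		require_once ABSPATH . 'wp-admin/includes/class-wp-community-events.php';
	}

	return WP_Community_Events::get_unsafe_client_ip();
}

/**
 * Append the IP address to the reset email body.
 *
 * Core applies this filter in retrieve_password() (wp-login.php) with four
 * arguments, right before the message is handed to wp_mail().
 *
 * @param string  $message    Email body built by core.
 * @param string  $key        Reset key (unused here).
 * @param string  $user_login Login name the reset was requested for (unused).
 * @param WP_User $user_data  User object (unused).
 * @return string Filtered email body.
 */
function rrip_add_ip_to_reset_message( $message, $key, $user_login, $user_data ) {
	$ip = rrip_get_client_ip();
	if ( false === $ip ) {
		return $message;
	}

	$message .= "\r\n" . sprintf(
		/* translators: %s: IP address of the client that requested the reset. */
		__( 'IP address: %s', 'rrip' ),
		$ip
	) . "\r\n";

	return $message;
}
add_filter( 'retrieve_password_message', 'rrip_add_ip_to_reset_message', 10, 4 );

/**
 * Suggest privacy-policy wording, as comment #5 proposes.
 * wp_add_privacy_policy_content() exists since WordPress 4.9.6, so guard it.
 */
function rrip_privacy_policy_content() {
	if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
		return;
	}

	wp_add_privacy_policy_content(
		'Reset Request IP',
		__( 'If you request a reset of your password, your IP address will be included in the password reset email.', 'rrip' )
	);
}
add_action( 'admin_init', 'rrip_privacy_policy_content' );
```

Drop the file into wp-content/plugins/ and activate it; requesting a reset from wp-login.php?action=lostpassword then produces an email whose last line reads "IP address: " followed by the detected address. Because the fallback trusts forwarding headers, the line is useful for finding the matching entry in the webserver access log, which is the workflow the ticket description asks for, rather than for automatic blocking.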

#10 @garrett-eclipse
8 days ago

  • Keywords needs-refresh added

Applying needs-refresh due to @desrosj feedback.

This ticket was mentioned in Slack in #core-privacy by desrosj.
19 hours ago

#12 @desrosj
19 hours ago

  • Owner set to garrett-eclipse
  • Status changed from new to assigned