
Make WordPress Core

Opened 4 months ago

Last modified 41 hours ago

#46349 assigned enhancement

Is your/this admin email still correct

Reported by: andraganescu Owned by: andraganescu
Milestone: 5.3 Priority: normal
Severity: normal Version: 5.1
Component: Site Health Keywords: 2nd-opinion servehappy has-patch dev-feedback needs-testing
Focuses: ui, administration Cc:

Description

Use a reminder type of notification that checks with the users that some of their details in settings are still up to date.

Rationale:

In the recent discussions on #core-php about the WSOD recovery and the recovery email that should be sent, to announce that the site experienced a fatal error and that they might be locked out of their website's admin, some participants persistently raised the issue of the admin email being either one of:

  • outdated
  • set to a catch all email address which is never checked
  • set automatically by the host in the process of one-click-installs

Since the admin email is by all means the correct value to use when the system decides to send that email, we need to make sure we do our best to keep it accurate and not a useless setting nobody cares for.

For now the whole discussion should be about the admin email setting; I was unable to find another candidate, so I am unsure if this would require an extensibility API of some kind. However, perhaps some plugins like the ones for 2FA could use it.

Solution

We could have a small notification that is triggered by either one of:

  • a certain amount of time since the last login
  • a certain amount of time since the last notification was displayed

This notification explains that some settings are important and need to be revised in order to ensure the security and proper functioning of their site. Then it asks about the setting and whether it is correct.

Similar approaches

Many current online apps use this style of notification to prompt the user into checking their email, phone number, secondary addresses, even credit card details. This helps prevent many unwanted issues. Of course now I was unable to find the exact screens I am talking about, but I am sure others have seen them :D

How it works

This can be either one or all of:

  • a top bar that leads to a screen where these options can be updated, least invasive
  • a section in the dashboard that does not disappear until it is confirmed or updated, medium invasive
  • a screen right after login that cannot be bypassed until it is confirmed or updated, hardcore! This screen only shows up if the logging in user has the required cap to edit the settings.

We could store the confirmation flag and date using the option API and use WP Cron to check these options once in a while. For the most invasive implementation option then the auth flow needs to be updated to check for the options.

Attachments (4)

5a85cd561df68_Screenshot1.PNG.412c73d5f803d3ed7ead3bb951810ae9.PNG (15.3 KB) - added by boemedia 4 months ago.
Example of email validation screen
Screenshot 2019-03-11 at 10.42.13.jpg (33.5 KB) - added by boemedia 4 months ago.
Example of a software update screen: skip/remind message
Screenshot 2019-03-27 at 21.58.23.png (111.6 KB) - added by andraganescu 3 months ago.
Intermission Form Example
admin_email_reminder.diff (8.2 KB) - added by andraganescu 4 weeks ago.
Patch that implements @boemedia 's flow, has missing actions on links.


Change History (36)

This ticket was mentioned in Slack in #design by andraganescu.
4 months ago

This ticket was mentioned in Slack in #design by karmatosed.
4 months ago

#3 @andraganescu
4 months ago

  • Summary changed from Is your this admin email still correct to Is your/this admin email still correct

#4 @andraganescu
4 months ago

I am currently implementing option 2, "a section in the dashboard that does not disappear until it is confirmed or updated, medium invasive", using the Dashboard Widgets API and providing a simple form in a widget where the user can confirm the email or change it. I will save the timeout as a site option so we don't check with the user again for X amount of time.

#5 @noisysocks
4 months ago

This sounds like a valuable addition to me :)

A dashboard widget aligns nicely with the UX of the Outdated PHP Version Warning that shipped in WordPress 5.1. Pinging @boemedia for her thoughts on design as she mentioned having some in Slack.

#6 @boemedia
4 months ago

Hi @andraganescu ,

First thing that comes to mind is: who do you want to show this notification to? I guess it makes sense to show it to all users with admin rights, not only to the person logging in with the email that matches the admin email, and not to users with other roles.

How I'd see it as least intrusive: after login as an admin I'd like to see a subtle reminder:

The admin email for this website is xxx@…. Is this still correct?
Yes > don't show me this notification for the next xxx days/ don't show me this notification again (with warning?) and take me to wp-admin
No > change email (via link to settings). (and trigger something after changing this to send a notification after xx time again)

As for the dashboard widget, I'm not sure about that. The hierarchy in information on the dashboard is not very clear. I wonder how you're going to make this stand out on the page. Do you want to do a full width, like we did with the Gutenberg dashboard widget? Even then, I've found that people sort of ignored the info since it blends in with the rest. Also, as soon as people enter WP-Admin, they tend to look at the black menu on the left and proceed to whatever task they want to perform.

Is it an option to build it into the login process, before showing WP-admin at all? As an extra screen after hitting 'login'? I see this is your third idea; maybe we could include a 'not now, remind me later' option on that screen (which I hit a lot when I'm asked for software updates...)

Regarding this, I can also imagine having a fallback email address registered, but maybe that should be a different ticket :)

I think we have to think about how dearly we want people to check on their admin email. How important is it? And how often do we think is necessary for them to confirm to keep it up to date?

@boemedia
4 months ago

Example of email validation screen

@boemedia
4 months ago

Example of a software update screen: skip/remind message

#7 @SergeyBiryukov
4 months ago

  • Component changed from Administration to Users
  • Focuses administration added

#8 @TimothyBlynJacobs
4 months ago

  • Keywords servehappy added

#9 @andraganescu
3 months ago

  • Owner set to andraganescu
  • Status changed from new to assigned

First, thank you @boemedia and sorry for the late reply. Excellent work on both planning the UX and the examples!

I am in the same boat with the following things:

  • indeed, the dashboard widgets tend to blend into each other, so it may be that we're not going to serve the purpose of this if the UI is easily ignored
  • even though I called it "hardcore" after reading your comment, the screen after login looks like a better idea to me too.
  • a "remind me later" option would also make it less annoying and easily skippable

I like the UX style of the first example, of course integrated in the WP UI, perhaps using the admin login surrounding elements?

Re. having a fallback email, you are correct, it should be a different ticket.

We need this feature to make sure that any communication we send to an admin address about website health, maybe updates, issues and so on, do reach an admin.

As for rules that govern this extra login screen:

  • the notification should be shown to _one_ admin only in one interval
  • only admins see it, people who have the right to change the Admin Email setting
  • timeline: default to once every six months, remind me later sets a smaller two week interval

I'll continue with switching from widget to extra login screen, we'll see how that "feels" once I have a patch.

@andraganescu
3 months ago

Intermission Form Example

#10 @andraganescu
3 months ago

In order to display the notification right after login I found two ways:

  1. either change the code and, before redirecting, stick another form into the page like in the Intermission Form Example above

I don't like this approach mainly because it adds a lot of bloat to wp-login.php, which is already complex: another function to output another form, plus we need to pause the redirect flow with more globals.

On the other hand this is easier and faster to implement, I think.

  2. hook into login_redirect and update the redirect process like this:
  • login
  • login_redirect hook called
    • is the admin email recently verified? (define an ADMIN_EMAIL_REFRESH_TIME in default_constants.php)
      • YES
        • return the normal redirect decided by the system
      • NO
        • return a redirect link to a special place in admin where there is a form to update
  • continue to redirect
  • if special admin place:
    • user updates the email?
      • YES
        • save the new admin email
        • set an admin_email_last_check option via the options API to current time
        • redirect to the original redirect
      • NO
        • set an admin_email_last_check option via the options API to current time - 1/2*ADMIN_EMAIL_REFRESH_TIME
        • redirect to the original redirect

I am working on option (2) but the UX is weird: the best place to update it is on the settings page.

We could direct the users straight to that long form and via some URI param modify the Email Address field to pop out in size and color, and also add a question to it.

Also, we could add a modal overlay with a Form like this in it, which right now is my favourite idea.

LMK if you have other thoughts :)

Last edited 3 months ago by andraganescu
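One way to write the login_redirect branch of the flow in comment #10 (and the options-API storage the ticket description proposes), as an added example that is not the ticket's patch or PR. The option name admin_email_last_check and the filter admin_email_max_age are assumed names taken from the discussion, not shipped WordPress identifiers; the location of the verification screen is likewise assumed:

```php
<?php
/**
 * Added example (not code from the ticket's patch): a login_redirect filter
 * that sends a capable user to an admin-email verification screen when the
 * stored confirmation is missing or too old.
 */

// Assumed option name (comment #10): Unix timestamp of the last confirmation.
const AE_LAST_CHECK_OPTION = 'admin_email_last_check';

/**
 * Maximum age of a confirmation before the user is asked again.
 * A filter instead of a PHP constant, as suggested in comment #31.
 */
function ae_max_age() {
	return (int) apply_filters( 'admin_email_max_age', 180 * DAY_IN_SECONDS );
}

/**
 * True when the stored confirmation is absent (0) or older than ae_max_age().
 */
function ae_confirmation_expired() {
	$last_check = (int) get_option( AE_LAST_CHECK_OPTION, 0 );
	return ( time() - $last_check ) > ae_max_age();
}

/**
 * login_redirect fires only after authentication succeeded, so unauthenticated
 * requests hammering wp-login.php never reach this option read.
 *
 * @param string           $redirect_to           Redirect chosen by core.
 * @param string           $requested_redirect_to Value of the redirect_to request parameter.
 * @param WP_User|WP_Error $user                  Authenticated user, or WP_Error on failure.
 * @return string
 */
function ae_login_redirect( $redirect_to, $requested_redirect_to, $user ) {
	// Failed logins pass a WP_Error; leave those untouched.
	if ( is_wp_error( $user ) || ! ( $user instanceof WP_User ) ) {
		return $redirect_to;
	}
	// Only users who may change the setting are asked about it (comment #9).
	if ( ! user_can( $user, 'manage_options' ) ) {
		return $redirect_to;
	}
	if ( ! ae_confirmation_expired() ) {
		return $redirect_to; // YES branch: normal redirect decided by the system.
	}
	// NO branch: assumed location of the verification screen. The original
	// destination travels along so it can be restored afterwards
	// (add_query_arg() does not encode values, hence rawurlencode()).
	return add_query_arg(
		array(
			'action'      => 'verify_admin_email',
			'redirect_to' => rawurlencode( $redirect_to ),
		),
		admin_url( 'options-general.php' )
	);
}
add_filter( 'login_redirect', 'ae_login_redirect', 10, 3 );
```

Because the decision is made inside login_redirect, the only database access added to the login path is a single get_option() for an already authenticated, capable user; the verification screen itself is responsible for updating admin_email_last_check.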

#11 @noisysocks
3 months ago

Looking at wp-login.php:498, I see that we're already rendering different form fields depending on the value of the ?action query param. Could we add a ?action=verify query param to support email validation?

#12 @andraganescu
3 months ago

@noisysocks of course we can, it's just that there will be more cruft in there:

  • a new form (e.g. retrievepassword)
  • a new function to update the admin_email option
  • some new "if" statements in the default case of the switch $action block, because we can show this form only after the user is logged in and we know they have their capabilities set up

It's not hard as I said, I just feel that it will make complexity more complex haha and I don't like it. Hooking into login_redirect seems more elegant, albeit more work.

However @boemedia will soon have some time to give us a UX to follow, so that will count a lot in how to implement!

Last edited 3 months ago by andraganescu

#13 @andraganescu
3 months ago

  • Keywords has-patch dev-feedback needs-testing needs-design-feedback added

I have a PR here https://github.com/draganescu/wordpress-develop/pull/1 which implements the intermission form UX shown above.

@boemedia this still needs a good design approach, as I've only implemented a functional idea.

I would guess it is a safe approach b/c there is that filter there which is exactly for this kind of job. On the other hand the actual UI might not be the best since (as you can see in the PR's gif) there is a lot of information that needs to be communicated:

  • you should check to see if your admin email is correct
  • you should update your admin email
  • it is important b/c we use it to let you in if your site is broken
  • if you change it you will need to confirm the change via email

The way I did this is pretty basic, but I can implement in that page any number of ideas.

LMK your thoughts!

Last edited 3 months ago by andraganescu

This ticket was mentioned in Slack in #core-php by andraganescu.
3 months ago

This ticket was mentioned in Slack in #design by boemedia.
3 months ago

#16 @boemedia
2 months ago

I never managed to look at the patch (sorry, couldn't get it implemented). But I have been working on an idea for a user flow to change the general admin email.

I abandoned the idea of making it possible to change the email address in a separate screen. Instead, I thought it would be better for users to take them to the settings screen for making changes, so they'd recognise it for future reference.
Also, my thinking was to cause less confusion for users with admin rights who are not registered as the general admin email. We need some additional information pages (on .org?) to help clarify:

a) the purpose of a working general admin email
b) that the admin email given can be different from their own login email

After a user with admin rights hits login, there are 3 possible scenarios:
1) the registered email is verified as correct: the user is taken to the dashboard with a notification 'thank you for verifying'
2) the registered email needs to be changed: the user is taken to the settings page
3) the user hits 'remind me later': the user is taken to the dashboard with 'we'll remind you again in x weeks'

Design wise, I ran into a few things:

  • there's not really a design pattern for these info screens ahead of WP-admin. I didn't think the login screen would be a good basis to work from, so I went with a screen from the install sequence instead.
  • I wasn't sure about the colours for the notification bar to use in this case
  • the dashboard view in Figma is broken, maybe because of importing from Sketch. So please ignore some text and titles being in the wrong place.

I'd love some feedback on the approach/user flow, as well as some guidance on design standards for WordPress, as I wasn't sure if I used the right components at some points.

Technically, I'm not aware of any restrictions regarding my flow, so if a different approach is necessary because of those, please let me know. I'm happy to iterate or work on a different version.

Please take a look at the prototype here: https://www.figma.com/proto/WB24a8gm07lJKqLmVr01ZttB/Change-admin-email-v1?node-id=1%3A2&scaling=min-zoom

All 3 scenarios work. You can move back to the login screen by hitting 'R'.

Looking forward to reading your feedback in this ticket, or if you don't have a .org account, please comment in the Slack design channel: https://wordpress.slack.com/messages/design/

This ticket was mentioned in Slack in #design by boemedia.
2 months ago

This ticket was mentioned in Slack in #design by karmatosed.
2 months ago

#19 @lessbloat
2 months ago

Hi @boemedia! I recorded a few thoughts for you here: https://cl.ly/8f141b50b65c This is all fairly subjective feedback, so feel free to take/leave any/all of it.

#20 @lessbloat
2 months ago

Okay, take two, since I forgot to hit the audio option before I recorded my first video. :-P

https://cl.ly/31856dbd2324

#21 @karmatosed
5 weeks ago

  • Keywords needs-design-feedback removed

#22 @karmatosed
5 weeks ago

  • Keywords ux-feedback removed

#23 @karmatosed
5 weeks ago

  • Keywords needs-design removed

As this has a design, going to remove the needs design keyword for now. Thanks for moving this on with a design @boemedia.

#24 @andraganescu
5 weeks ago

Added a new PR https://github.com/draganescu/wordpress-develop/pull/52 which implements the design from @boemedia .
It is still WIP because:

  • I am unsure what happens when I click on "Why is this important" and "Learn more" in the confirmation screen.
  • I am still working on highlighting the Admin Email row on the settings screen
  • I still have to add a message in the dashboard screen if the user confirms or clicks "Remind me later"

#25 @noisysocks
4 weeks ago

  • Milestone changed from Awaiting Review to 5.3
  • Type changed from feature request to enhancement

#26 @noisysocks
4 weeks ago

  • Focuses ui added

@andraganescu
4 weeks ago

Patch that implements @boemedia 's flow, has missing actions on links.

#27 @boemedia
4 weeks ago

Thanks for creating the patch! For the links to "Why is this important" and "Learn more" in the confirmation screen, I'd like to ping @joostdevalk here and ask for marketing support on this. Ideally, I think these could be two pages written on .org (or one page with two sections) about the general admin email. Which is super useful not only in this case, but also when people set up a new WP Install.

#28 @boemedia
4 weeks ago

TL;DR

#29 @joostdevalk
4 weeks ago

@boemedia I think those pages should be on helphub, @clorith and team can help you with that!

#30 @Clorith
4 weeks ago

Yup, quite happy to help get any user-facing documentation put in the right place, feel free to reach out and I'll facilitate to get any copywriters added where they're needed to make this happen.

#31 @azaozz
3 weeks ago

Looking at admin_email_reminder.diff, seems to work pretty well here. Got a couple of suggestions :)

Generally PHP constants are not great for things that some users may want to change. If we want ADMIN_EMAIL_MAX_AGE to be changeable, how about we set it with a filter? Perhaps something like:

$admin_email_max_age = apply_filters( 'admin_email_max_age', 180 * DAY_IN_SECONDS );

It's used in just one place so this would work well.

Thinking it's not a good idea to do delete_option( 'admin_email_lifespan' ); at the top of wp-login.php. If the option has been deleted, it will go to the DB to try and get it again, and that file may be subject to brute-force login attempts.

Maybe we can keep the option and set it to some value (this is actually the "recommended way" to use options, make sure they exist at all times and don't change the value (write to the DB) for non-authenticated users). That will also remove the need to delete it.

Also wondering if plugins should be able to remove the whole check. This is a good security feature. If we add a filter for ADMIN_EMAIL_MAX_AGE, perhaps this should be hard-coded, not added with a filter on 'login_redirect'.

The rest is minor/nitpicks :) Generally HTML tags should be avoided in translatable strings. Think there was something in the coding standards against nested single if (but may be mixing that with the JS linting/coding standards).

Last edited 3 weeks ago by azaozz
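The server side of the three-outcome flow from comment #16 (confirm, change, remind me later), written to follow the option-handling advice in comment #31: the option is created once and never deleted, and the only writes happen for an authenticated user who holds the capability and presents a valid nonce. This is an added example, not the ticket's patch; the action name verify_admin_email, the option admin_email_last_check and the filter admin_email_max_age are assumptions taken from the discussion, and the two-week reminder interval is the one proposed in comment #9:

```php
<?php
/**
 * Added example (not the ticket's patch): handler for the admin-email
 * verification form, wired through wp-admin/admin-post.php.
 */

const AE_LAST_CHECK_OPTION = 'admin_email_last_check'; // assumed name

function ae_max_age() {
	// Filter rather than constant (comment #31); 180 days by default.
	return (int) apply_filters( 'admin_email_max_age', 180 * DAY_IN_SECONDS );
}

/**
 * Keep the option present at all times (comment #31). add_option() is a no-op
 * when the option already exists, so a real confirmation time is never
 * overwritten. Run this on install/upgrade, not on every wp-login.php request.
 */
function ae_ensure_option_exists() {
	add_option( AE_LAST_CHECK_OPTION, 0, '', 'yes' ); // autoloaded: no extra query per page
}

/**
 * Handles POST wp-admin/admin-post.php?action=verify_admin_email.
 * admin-post.php dispatches admin_post_{action} only for logged-in users;
 * the nonce and capability checks restrict the write to someone who is
 * allowed to change the setting.
 */
function ae_handle_verification() {
	check_admin_referer( 'verify_admin_email' ); // dies on a missing or bad _wpnonce
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Sorry, you are not allowed to do that.' ), 403 );
	}

	$choice  = isset( $_POST['choice'] ) ? sanitize_key( $_POST['choice'] ) : '';
	$back_to = isset( $_POST['redirect_to'] ) ? wp_unslash( $_POST['redirect_to'] ) : '';
	// Only follow redirects to this site (open-redirect guard); fall back to the dashboard.
	$back_to = wp_validate_redirect( $back_to, admin_url() );

	switch ( $choice ) {
		case 'confirm':
			// Scenario 1: confirmed. Silence the check for a full interval.
			update_option( AE_LAST_CHECK_OPTION, time() );
			$back_to = add_query_arg( 'admin_email_verified', '1', $back_to );
			break;

		case 'remind':
			// Scenario 3: "remind me later". Backdating the stamp so that it
			// expires in two weeks reuses the single age check from login.
			update_option( AE_LAST_CHECK_OPTION, time() - ( ae_max_age() - 2 * WEEK_IN_SECONDS ) );
			$back_to = add_query_arg( 'admin_email_reminder', '1', $back_to );
			break;

		case 'change':
			// Scenario 2: nothing is written here. The user edits the existing
			// field, so core's new_admin_email confirmation-by-email still applies
			// and the stamp is refreshed by ae_on_admin_email_changed() below.
			$back_to = admin_url( 'options-general.php' );
			break;

		default:
			wp_die( esc_html__( 'Invalid choice.' ), 400 );
	}

	wp_safe_redirect( $back_to );
	exit;
}
add_action( 'admin_post_verify_admin_email', 'ae_handle_verification' );

/**
 * Core fires update_option_admin_email once a changed address has been
 * confirmed by email; a freshly confirmed address counts as verified.
 */
function ae_on_admin_email_changed( $old_value, $value ) {
	if ( $old_value !== $value ) {
		update_option( AE_LAST_CHECK_OPTION, time() );
	}
}
add_action( 'update_option_admin_email', 'ae_on_admin_email_changed', 10, 2 );
```

The form that posts here would carry wp_nonce_field( 'verify_admin_email' ), a hidden redirect_to, and three submit buttons named choice with the values confirm, change and remind; no code path reads or writes the option for a visitor who has not authenticated.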

#32 @spacedmonkey
41 hours ago

  • Component changed from Users to Site Health