Opened 5 years ago
Last modified 4 years ago
#48563 new enhancement
Changing site admin email address is backwards
Reported by: | maguijo | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Users | Keywords: | 2nd-opinion |
Focuses: | administration | Cc: |
Description
The current process for changing the admin email address in the General settings tab seems pretty sketchy to me.
Currently:
- Change the email address.
- Confirmation email is sent to the NEW admin.
- New admin confirms
- Email sent to OLD admin to inform him or her it was done.
It should be:
- Change the email address.
- Confirmation email sent to OLD admin to be sure it’s ok to change this very important information.
- Old admin confirms it’s ok (or freaks out and starts changing passwords because he or she did not initiate this process).
- Email is sent to NEW admin to accept the invite and to verify the address.
- NEW admin confirms address and accepts new responsibility.
- Email goes to old admin to let them know the process has been completed.
Change History (7)
#3
@
5 years ago
- Keywords 2nd-opinion added
Yeah the functionality is intended to allow a user to change their email address when they may no longer have access to the existing address on record. This is a fairly standard process for changing your email address on a web service - verify intent with the new address and then notify the old address.
This could be improved though - for example by providing a quick ability for the address to be reverted and for other logged in sessions to be revoked (both possible but not quickly).
#5
@
4 years ago
@lars2923
As it stands, I as a hacker can change the address to my address and it is my address that received the email requesting acknowledgement, not yours.
You know, you can change the Network Admin Email on the /wp-admin/options.php page w/o any confirmations (admin_email and new_admin_email input fields), so it's definitely not a security measure.
added a notification sent to the old admin email address as well, to reduce the chances of a site compromise going unnoticed.
This notification can be suppressed in advance by blocking the sending of all messages using plugins or special code (if we are talking about a compromised resource).
Old admin email may not work, and this may be the reason for changing it. Administrators are allowed to change the admin email. Confirmation is to ensure it's a working email address and that the new recipient acknowledges the responsibility.